SINGAPORE, 5 AUGUST 2008 - CEOs and senior IT executives have been reminded that information technology risk management is a top-down process and that company boards should take responsibility for it.
The warning came in a recent address by Tony Chew, Director of Technology Risk Supervision at the Monetary Authority of Singapore (MAS), to the Security & Governance Chapter of the Singapore Infocomm Technology Federation (SiTF).
In his address, "Securing Confidence in the Financial System", Chew said that risk management systems are only ever as good as the people and processes that support them.
"Potentially, the most senior technical people who work for you may be the ones who pose the highest security risks of sabotaging or compromising your computer systems," Chew said. Personnel with elevated system access entitlements should be closely supervised, with all their system activities logged, as they have the inside knowledge and the resources to circumvent system controls and security procedures.
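The supervision Chew describes, every action of an elevated account logged and reviewed, only works if the review step actually surfaces the actions worth a supervisor's attention. The following is an added example, not code from the article, the address or the MAS guidelines: a Python review of a constructed audit trail that flags privileged-account commands which weaken the very controls watching them (disabling auditd, erasing history, changing one's own entitlements, stopping syslog) and any privileged command not tied to an approved change or incident ticket. The account list, the log line format, the circumvention patterns and the sample log lines are assumptions made for illustration.

```python
"""Supervisory review of an audit trail for accounts with elevated entitlements.

Added example; it is not from the MAS guidelines, the Computerworld article
or Chew's address. The privileged-account list, the log line format, the
circumvention patterns and the log lines themselves are constructed
assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Accounts holding elevated entitlements (assumed; in practice sourced from
# the entitlement register or IAM system, not hard-coded).
PRIVILEGED_ACCOUNTS = {"root", "dba_admin", "sysadm1"}

# Actions that weaken or bypass the controls meant to watch these accounts.
# An insider with the knowledge and access to circumvent controls commonly
# starts by switching off or erasing the logging that would record the rest.
CONTROL_CIRCUMVENTION = {
    "audit_disabled": re.compile(r"\bauditctl\s+-e\s+0\b"),
    "audit_log_removed": re.compile(r"\b(rm|truncate|shred)\b.*/var/log/audit"),
    "history_cleared": re.compile(r"\b(history\s+-c|unset\s+HISTFILE)\b"),
    "self_entitlement_change": re.compile(r"\b(usermod|setfacl|chmod\s+(u\+s|[4-7]\d{3}))\b"),
    "logging_stopped": re.compile(r"\b(systemctl|service)\s+(stop|disable)\s+(rsyslog|auditd)\b"),
}

# Assumed line shape: "<timestamp> <host> <user> TICKET=<id|none> CMD=<command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+TICKET=(?P<ticket>\S+)\s+CMD=(?P<cmd>.*)$"
)


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    reason: str
    cmd: str


def review_privileged_activity(lines):
    """Return the privileged-account actions a supervisor should look at.

    Two rules: (1) any command matching a control-circumvention pattern;
    (2) any privileged command not tied to an approved change/incident ticket.
    Lines that do not parse are reported too: a gap in the trail is itself
    something the reviewer must explain.
    """
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            findings.append(Finding("?", "?", "?", "unparseable_line", line))
            continue
        user, cmd = m["user"], m["cmd"]
        if user not in PRIVILEGED_ACCOUNTS:
            continue  # ordinary users are reviewed elsewhere
        for reason, pattern in CONTROL_CIRCUMVENTION.items():
            if pattern.search(cmd):
                findings.append(Finding(m["ts"], m["host"], user, reason, cmd))
        if m["ticket"] == "none":
            findings.append(Finding(m["ts"], m["host"], user, "no_change_ticket", cmd))
    return findings


# Constructed sample audit trail (not real data).
SAMPLE_LOG = [
    "2008-08-01T09:12:03Z coreb01 dba_admin TICKET=CHG-1042 CMD=sqlplus / as sysdba @patch_1042.sql",
    "2008-08-01T22:41:17Z coreb01 sysadm1 TICKET=none CMD=auditctl -e 0",
    "2008-08-01T22:41:30Z coreb01 sysadm1 TICKET=none CMD=usermod -aG wheel sysadm1",
    "2008-08-01T22:45:02Z coreb01 sysadm1 TICKET=none CMD=history -c",
    "2008-08-02T08:00:11Z coreb02 appuser TICKET=none CMD=ls -l /opt/app/logs",
    "2008-08-02T10:15:44Z coreb02 root TICKET=INC-7781 CMD=systemctl stop rsyslog",
]

if __name__ == "__main__":
    for f in review_privileged_activity(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user:<10} {f.reason:<24} {f.cmd}")
```

In a real deployment the pattern list is far longer and the privileged-account set comes from the entitlement register rather than a constant; the point the example makes is that the review must flag attempts to turn off the logging itself, because that is the first thing a knowledgeable insider reaches for, and that an unexplained gap in the trail is a finding rather than a parsing nuisance.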
Boardroom risk reform
Given the lessons from the sub-prime debacle and the credit crisis, reform of risk management systems should begin in the boardroom. Internet banking security is also ultimately a top-down responsibility: the responsibility of the board.
Chew was taking the opportunity to outline the new MAS guidelines on internet banking and technology risk management.
The MAS revised and updated the guidelines extensively in June this year, including a call for banks to undergo regular source code review, subject to their own risk assessment of critical system modules and applications. Source code review is a methodical examination of an application's source code with the objective of finding security defects that arise from coding errors, insecure coding practices or malicious attempts.
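Source code review as defined here is analyst work, but the first pass over a large code base is normally automated. As an added example, not code from the MAS guidelines or the article, the Python program below parses a constructed, deliberately flawed module with the standard library's ast module and reports one instance of each defect class in the definition: a query assembled by string concatenation and a weak password hash (insecure coding practices), a hard-coded credential comparison that bypasses authentication (a possible malicious insertion), and a bare except that silences failures (a coding error). The sample module, the rule set and the credential keyword list are assumptions made for illustration.

```python
"""First-pass automated source code review: an AST scan for the three defect
classes named in the definition (coding errors, insecure coding practices,
malicious attempts).

Added example; it is not from the MAS guidelines or the article. The module
under review (SAMPLE_SOURCE) is a constructed, deliberately flawed snippet
written for this illustration, and the rules are a small assumed set, not a
complete review checklist.
"""
import ast
from dataclasses import dataclass

# Constructed code under review. Each flaw is intentional.
SAMPLE_SOURCE = '''
import hashlib

def find_account(db, account_no):
    # Insecure practice: SQL text assembled from a caller-supplied value.
    cur = db.cursor()
    cur.execute("SELECT * FROM accounts WHERE no = '" + account_no + "'")
    return cur.fetchone()

def check_password(stored_hash, password):
    return hashlib.md5(password.encode()).hexdigest() == stored_hash

def login(user, password, stored_hash):
    # Looks like a maintenance shortcut; behaves like a backdoor.
    if user == "svc_maint" and password == "Summer2008!":
        return True
    try:
        return check_password(stored_hash, password)
    except:
        pass
    return False
'''

# Assumed keyword list for spotting credential-like variable names.
CREDENTIAL_WORDS = ("pass", "pwd", "secret", "token")


@dataclass
class Finding:
    line: int
    category: str  # coding_error | insecure_practice | suspicious
    detail: str


class ReviewVisitor(ast.NodeVisitor):
    def __init__(self):
        self.findings = []

    def _add(self, node, category, detail):
        self.findings.append(Finding(node.lineno, category, detail))

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute):
            # cursor.execute(<query built at runtime>) -> SQL injection risk.
            # A constant first argument (parameterised query) is not flagged.
            if func.attr in ("execute", "executemany") and node.args:
                q = node.args[0]
                built = isinstance(q, (ast.BinOp, ast.JoinedStr)) or (
                    isinstance(q, ast.Call)
                    and isinstance(q.func, ast.Attribute)
                    and q.func.attr == "format"
                )
                if built:
                    self._add(node, "insecure_practice",
                              "SQL statement assembled at runtime; use a parameterised query")
            # hashlib.md5 / hashlib.sha1 -> weak hash for credential storage
            if (func.attr in ("md5", "sha1") and isinstance(func.value, ast.Name)
                    and func.value.id == "hashlib"):
                self._add(node, "insecure_practice", f"weak hash hashlib.{func.attr}")
        self.generic_visit(node)

    def visit_Compare(self, node):
        # A credential-like variable compared against a string literal is the
        # classic shape of a hard-coded backdoor; a human must judge intent.
        left = node.left
        if isinstance(left, ast.Name) and any(w in left.id.lower() for w in CREDENTIAL_WORDS):
            if any(isinstance(c, ast.Constant) and isinstance(c.value, str)
                   for c in node.comparators):
                self._add(node, "suspicious",
                          f"'{left.id}' compared with a hard-coded string (possible backdoor credential)")
        self.generic_visit(node)

    def visit_ExceptHandler(self, node):
        # Coding error: a bare except hides every failure, including security ones.
        if node.type is None:
            self._add(node, "coding_error", "bare 'except:' swallows all errors")
        self.generic_visit(node)


def review_source(source):
    """Parse Python source and return findings ordered by line number."""
    visitor = ReviewVisitor()
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


if __name__ == "__main__":
    for f in review_source(SAMPLE_SOURCE):
        print(f"line {f.line:>3}  {f.category:<17} {f.detail}")
```

A tool like this only narrows the reading. The "suspicious" category exists precisely because intent cannot be decided mechanically: the reviewer still has to ask why a maintenance account with a fixed password sits in an authentication path, and a clean run proves only that none of the assumed patterns matched, not that the module is safe.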
More perceptive and discerning banks
In extending the guidelines, the MAS stated: "As banks rely increasingly on information technology and the internet to operate their business and interact with the markets, their awareness and recognition of the magnitude and intensification of technology risks should correspondingly be more perceptive and discerning, both for individual banks, and the financial industry as a whole. ... In this networked and market-driven environment, it is critical that banks have flexible, adaptable and responsive operating processes as well as sound and robust risk management systems."
The board of directors and management of a bank are responsible for managing its risks, including technology risks, which are becoming more complex, dynamic and pervasive, the MAS said. The risk management process requires the board and management to review and appraise the cost-benefit issues of what and how much to invest in controls and security measures relating to computer systems, networks, data centres, operations and backup facilities.
Many tech risks
The MAS says technology risks relate to any adverse outcome, damage, loss, disruption, violation, irregularity or failure arising from the use of or reliance on computer hardware, software, electronic devices, online networks and telecommunications systems.