The Monetary Authority of Singapore has published a set of technology risk management guidelines for local financial institutions.
The document is the result of a period of consultation in which questions such as “how does the MAS define a ‘critical’ system?” may have been the catalyst for a final document that reads in the style of a ‘how to’ guide but falls short of detailed parameters or interpretation.
The document makes common-sense recommendations, saying that careful selection of staff, vendors and contractors is crucial to minimise technology risks arising from system failure, and that humans are significant sources of threats through deliberate acts or omissions that could harm the organisation’s information systems.
It also notes that, if an IT incident causes an unexpected disruption to the delivery of IT services, a firm should manage such incidents to avoid a prolonged disruption.
To prevent staff from attempting to fix glitches themselves and causing even bigger problems, MAS says: “During a system outage, the financial institution should refrain from adopting impromptu and untested recovery measures over pre-determined recovery actions that have been rehearsed and approved by management.”
The guidelines are not legally binding, although the degree to which a firm observes their spirit is one of the factors MAS considers in its risk assessment of that firm.
The MAS says that because technology is important, the board of directors and senior management should have oversight of technology risks, should be involved in key IT decisions, and are responsible for effective internal controls and risk management practices.
By not enforcing compulsory practices for top executives, the report recognises that boards of directors in finance are seldom fully conversant in the complex science of information technology, and therefore have no choice but to rely heavily on their in-house experts.