Singapore MAS Tech Risk Guideline (TRM) – Incident Reporting-SLA

The last post discussed the complication of running multiple bank applications on the same computing platform and having to decide when to report "a relevant incident" within one hour of discovery.

This part discusses how this requirement is going to affect service level agreements (SLAs) in Singapore banking IT operations. Before this MAS notice came into effect, IT operations usually designed system uptime or availability requirements according to business needs. Systems supporting real-time financial transactions have the highest uptime requirements. Even market data feed and AML systems, which are not auxiliary to financial transactions, require high availability. Infrastructure systems and monitoring services are usually regarded as secondary where availability is concerned: failure of a network monitoring system does not directly impact users or cause direct financial loss.

The MAS requirement to report an incident within one hour of discovery changes the importance of infrastructure systems and monitoring services. Although it is possible for a bank to discover a data breach or system malfunction weeks after the actual event happened, that is not what this MAS notice is designed for. The "one hour upon discovery" requirement assumes that the bank has a sound and robust monitoring infrastructure. Monitoring systems will therefore need to run with availability requirements similar to those of the core financial systems they monitor. Real-time log aggregation systems such as ArcSight and Splunk are important tools for discovering network attacks and system malfunctions. If a bank relies on these systems to detect attacks and provide real-time intelligence, their uptime directly affects the bank's ability to meet the one-hour reporting requirement. For example, suppose ArcSight is used to monitor 200 servers and is down due to an error when an SQL injection attack happens. The DB server log will still record the event at the correct time. When the ArcSight error is fixed, it will start processing the server logs and the SQL injection attack will be identified, but the time of discovery will be much later than the time recorded in the server log. Could the bank claim that discovery occurred at the later time, when ArcSight recovered from the error? Or will MAS deem discovery to have occurred when the DB server recorded the attack?

The actual response and judgement will need to consider the specific details of each case. However, the SLA of monitoring systems will need to improve in order to show that the bank is committed to meeting the MAS notice.
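The ArcSight outage scenario above, worked through as an added example (not from the original post): given the time the DB server log recorded the attack and the SIEM outage window, it computes the detection gap and the one-hour deadline under both readings of "discovery", and lists outages too long for the strict reading to be met. All timestamps and the outage window are constructed for illustration.

```python
from datetime import datetime, timedelta

# MAS notice: a relevant incident must be reported within one hour of discovery.
REPORTING_WINDOW = timedelta(hours=1)

def first_siem_processing(event_time, outages):
    """Earliest time the log aggregator (ArcSight, Splunk, ...) could process an
    event that the source system logged at event_time. outages is a list of
    (start, end) windows with no log ingestion; an event logged inside one is
    only seen when it ends (chained through abutting or overlapping windows)."""
    seen_at = event_time
    for start, end in sorted(outages):
        if start <= seen_at < end:
            seen_at = end
    return seen_at

def assess_incident(event_time, outages):
    """Contrast the two readings of 'discovery' the post raises: the time the DB
    server log recorded the attack versus the time the recovered SIEM surfaces
    it. Returns the detection gap and the reporting deadline under each reading."""
    detected_at = first_siem_processing(event_time, outages)
    gap = detected_at - event_time
    return {
        "detected_at": detected_at,
        "detection_gap": gap,
        "deadline_if_discovery_is_log_time": event_time + REPORTING_WINDOW,
        "deadline_if_discovery_is_siem_time": detected_at + REPORTING_WINDOW,
        # Under the strict reading the clock ran out before anyone could know.
        "missed_under_strict_reading": gap > REPORTING_WINDOW,
    }

def outages_exceeding_window(outages):
    """Monitoring outages longer than the reporting window: an event logged at
    the start of such an outage can never be reported in time under the strict
    reading, which is why the post argues the monitoring SLA must tighten."""
    return [(s, e) for s, e in outages if e - s > REPORTING_WINDOW]

# Constructed sample (hypothetical timestamps): SIEM down 09:15-11:40, and the
# DB server log records a SQL injection attempt at 09:50 during the outage.
SIEM_OUTAGES = [(datetime(2013, 7, 1, 9, 15), datetime(2013, 7, 1, 11, 40))]
DB_LOG_EVENT = datetime(2013, 7, 1, 9, 50)

if __name__ == "__main__":
    for key, value in assess_incident(DB_LOG_EVENT, SIEM_OUTAGES).items():
        print(f"{key}: {value}")
    print("outages exceeding the window:", outages_exceeding_window(SIEM_OUTAGES))
```

Running it shows a 1 h 50 min detection gap, so under the strict reading the deadline had already passed before the SIEM could surface the event; the same functions can be run over a bank's actual outage history to size the monitoring SLA.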


This entry was posted in Information security strategy, Singapore.

About antonyma

Engineering trained, Antony has the qualifications of CISA, Oracle DBA and BS7799 ISMS assessor. He also received an LLM in Intellectual Property & Information Technology Law from The University of Hong Kong. Founder of travel tech startup Powerdata2go.com, Antony was the Chairman of the Professional Information Security Association (PISA) from 2009 to 2010. He also joined the ISC2 workshop on developing a new cloud security certification. Current positions include: 1. Chairman of Cloud Security Alliance (Hong Kong & Macau Chapter); 2. Convenor of HK OGCIO Working Group on Cloud Security and Privacy; 3. Hong Kong delegate to the ISO SC 27 committee, which drafts security standards such as ISO27001. Email: antony.linkedin@gmail.com. Specialties: Retail Banking System & Process, IT Security, Copyright Law, Audit & Control, Technology Risk Management, Cloud Security.
