BNM RMIT 2023 Part 10

Issued on: 1 June 2023

Appendix 8 Format of Confirmation

Name of Financial Institution: ………………………………………………………

As Chairman of the board of directors / designated board-level committee / CISO /
designated senior management officer * of [name of Financial Institution], I confirm that –

  1. cloud service / e-banking / Internet insurance / Internet takaful * is consistent
    with the bank’s / insurer’s / takaful operator’s * strategic and business plans;
  2. the board of directors / senior management * understand and are ready to assume the roles and responsibilities stated in Bank Negara Malaysia’s policy document on Risk Management in Technology and are also apprised of all relevant provisions in the FSA, IFSA and DFIA and other relevant legislation, guidelines and codes of conduct;
  3. risk management process related to cloud service / e-banking / Internet
    insurance / Internet takaful * is subject to appropriate oversight by the board of directors and senior management;
  4. appropriate security measures to address cloud service / e-banking / Internet
    insurance / Internet takaful * security concerns are in place;
  5. customer support services and education related to cloud service / e-banking /
    Internet insurance / Internet takaful * are in place;
  6. performance monitoring of cloud service / e-banking / Internet insurance /
    Internet takaful * products, services, delivery channels and processes has been established;
  7. cloud service / e-banking / Internet insurance / Internet takaful * is included in
    the contingency and business resumption plans;
  8. there are adequate resources to support the offering of cloud service / e-banking
    / Internet insurance / Internet takaful * business; and
  9. the systems, procedures, security measures, etc. relevant to sound operations
    of cloud service / e-banking / Internet insurance / Internet takaful * will constantly
    be reviewed to keep up with the latest changes.

Signature : ………………………………
Name : …………………………………..
Date : ………………………..…………..

* (delete whichever is not applicable)

Risk Management in Technology 50 of 67

Appendix 9 Supervisory Expectations on External Party Assurance

Part A: Financial Institutions are required to provide an external assurance

  1. The assurance shall be conducted by an independent external service provider
    (ESP) engaged by the financial institution.
  2. The independent ESP must understand the proposed services, the data flows, system architecture, connectivity as well as its dependencies.
  3. The independent ESP shall review the comprehensiveness of the risk
    assessment performed by the financial institution and validate the adequacy of the control measures implemented or to be implemented.
  4. The Risk Assessment Report (as per Part D in Appendix 7) shall state among
    others, the scope of review, risk assessment methodology, summary of findings and remedial actions (if any).
  5. The Risk Assessment Report shall confirm there is no exception noted based on the prescribed risk areas (Negative attestation).
  6. The financial institution shall provide the Risk Assessment Report accompanied by the relevant documents.

Part B: Minimum controls to be assessed by the independent External Service Provider, where applicable

  7. The independent ESP assessment of security requirements shall include the following key areas:
    (a) access control;
    (b) physical and environmental security;
    (c) operations security;
    (d) communication security;
    (e) information security incident management; and
    (f) information security aspects of business continuity management.
  8. For online transactions and services, a financial institution has implemented the
    following:
    (a) adequate measures to authenticate customer identity and ensure legitimate transaction authorisation by the customer, including—
    (i) measures to prevent session takeover or man-in-the-middle attacks;
    (ii) internal controls must be in place to prevent compromise of relevant internal systems / application / database;
    (iii) where appropriate, apply multi-level authentication, out-of-band
    protocol and real-time verification;
    (iv) secure session handling functions and authentication databases; and
    (v) ensure strong password and cryptographic implementation
    (recognised algorithm with reasonable key strength);
    (b) adequate measures for transaction authentication that promotes non-repudiation and establishes accountability —
    (i) mechanism exists to ensure proof of origin, content as well as the integrity of the message;
    (ii) chosen channel to deliver transaction is secure;

    (iii) mechanism exists to alert the user on certain type of transactions for
    further authentication; and
    (iv) establish mutual authentication or appropriate use of digital certification;
    (c) segregation of duties and access control privilege for systems, databases and applications —
    (i) implement dual control where applicable;
    (ii) controls exist to detect and prevent unauthorised access to relevant resources/devices;
    (iii) authorisation database should be tamper-resistant; and
    (iv) periodic review of privileged users;
    (d) adequate measures to protect data integrity of transactions and information:
    (i) implementation of end-to-end encryption for external communication;
    (ii) implementation of multi-layer network security and devices;
    (iii) absence of single point of failures in network architecture;
    (iv) conduct network security assessment/penetration test to identify vulnerabilities;
    (v) establish audit trail capabilities;
    (vi) preserve the confidentiality of information;
    (vii) use of stronger authentication for higher risk transactions; and
    (viii) timely notification to customers that is sufficiently descriptive of the
    nature of the transaction; and
    (e) adequate measures to mitigate associated risks of using electronic mobile devices to perform online transactions, which shall include the following:
    (i) application is running on secure mobile Operating System versions;
    (ii) application is not running on compromised devices;
    (iii) conduct penetration test to identify and rectify potential vulnerability;
    (iv) secure end-to-end communication between the device and host;
    (v) sensitive information is not stored on mobile devices;
    (vi) user is notified of successful transactions;
    (vii) user is notified of suspicious transactions;
    (viii) continuous monitoring and takedown of fake applications in
    application distribution platforms;
    (ix) controls over the uploading of application to application distribution platforms;
    (x) a unique code is generated per transaction; and
    (xi) timely expiry of the transaction code.
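Several of the item 8 controls above (proof of content and integrity of the message in 8(b)(i), an audit trail in 8(d)(v), a customer notification descriptive of the transaction in 8(d)(viii), a unique code per transaction in 8(e)(x) and its timely expiry in 8(e)(xi)) are met together by a host-side transaction authorisation code service. The Python below is an added illustration and is not part of this policy document or of any Bank Negara Malaysia material; the class name `TacService`, the `HOST_SECRET` value, the 120-second validity window, the three-attempt limit and the sample transaction are all assumptions chosen for the example. Each issued code is random per transaction, is tied by an HMAC to the exact transaction content so a code issued for one payee cannot approve a changed one, expires after the window, and is consumed on first successful use so a replayed code is rejected.

```python
"""Transaction authorisation code (TAC) service: one code per transaction,
bound to the transaction content, time-limited and single-use.
Added example; HOST_SECRET and all names are constructed for illustration."""
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass

# Constructed secret for this example only; a real host would hold the key in an HSM/KMS.
HOST_SECRET = b"example-only-host-key"


@dataclass(frozen=True)
class Transaction:
    account: str
    payee: str
    amount: str      # decimal string so "100.00" is compared exactly, never as a float
    currency: str


def canonical_bytes(tx: Transaction) -> bytes:
    """Deterministic encoding so identical content always yields the same tag."""
    return json.dumps(tx.__dict__, sort_keys=True, separators=(",", ":")).encode()


class TacService:
    def __init__(self, secret: bytes, ttl_seconds: int = 120,
                 max_attempts: int = 3, clock=time.time):
        self._secret = secret
        self._ttl = ttl_seconds
        self._max_attempts = max_attempts
        self._clock = clock          # injectable so tests can advance time
        self._pending = {}           # tx_id -> [code, content_tag, expiry, wrong_attempts]
        self.audit_log = []          # audit trail of every issue/verify outcome

    def _content_tag(self, tx: Transaction) -> str:
        # HMAC over the canonical transaction ties the code to this exact content.
        return hmac.new(self._secret, canonical_bytes(tx), hashlib.sha256).hexdigest()

    def issue(self, tx: Transaction):
        """Create a fresh code for tx; returns (tx_id, code, customer notification)."""
        tx_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10 ** 8):08d}"   # new random 8-digit code per transaction
        expiry = self._clock() + self._ttl
        self._pending[tx_id] = [code, self._content_tag(tx), expiry, 0]
        # The notification describes the nature of the transaction, not only the code.
        notification = (f"Your code to approve paying {tx.amount} {tx.currency} to "
                        f"{tx.payee} from {tx.account} is {code}. "
                        f"It expires in {self._ttl} seconds.")
        self.audit_log.append(("issued", tx_id))
        return tx_id, code, notification

    def verify(self, tx_id: str, tx: Transaction, presented_code: str):
        """Check a presented code; returns (ok, reason). A code works at most once."""
        record = self._pending.get(tx_id)
        if record is None:
            return self._outcome(tx_id, False, "unknown or already used transaction")
        code, content_tag, expiry, attempts = record
        if self._clock() > expiry:
            del self._pending[tx_id]
            return self._outcome(tx_id, False, "code expired")
        if not hmac.compare_digest(content_tag, self._content_tag(tx)):
            # Content changed after issuance: the code does not cover this transaction.
            return self._outcome(tx_id, False, "transaction content changed since code was issued")
        if not (presented_code.isascii() and hmac.compare_digest(code, presented_code)):
            record[3] = attempts + 1
            if record[3] >= self._max_attempts:
                del self._pending[tx_id]          # stop online guessing of the code
                return self._outcome(tx_id, False, "too many wrong attempts; code revoked")
            return self._outcome(tx_id, False, "wrong code")
        del self._pending[tx_id]                  # single use: replay can no longer succeed
        return self._outcome(tx_id, True, "approved")

    def _outcome(self, tx_id: str, ok: bool, reason: str):
        self.audit_log.append(("verify", tx_id, ok, reason))
        return ok, reason


if __name__ == "__main__":
    svc = TacService(HOST_SECRET)
    tx = Transaction("ACC-0001", "Example Utilities Sdn Bhd", "150.00", "MYR")
    tx_id, code, note = svc.issue(tx)
    print(note)
    tampered = Transaction("ACC-0001", "Someone Else", "150.00", "MYR")
    print(svc.verify(tx_id, tampered, code))   # rejected: content changed
    print(svc.verify(tx_id, tx, code))         # approved
    print(svc.verify(tx_id, tx, code))         # rejected: replay of a used code
```

Because the content tag is recomputed at verification time from the transaction the customer is actually approving, the check also catches a man-in-the-middle that alters the payee or amount between issuance and confirmation, which is the failure 8(a)(i) and 8(b)(i) are concerned with.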
