BNM RMIT 2023 Part 6

11 Cybersecurity Management
Cyber Risk Management

17 Such as Quick Response (QR) code, Bar Code, Near Field Communication (NFC), Radio Frequency
Identification (RFID), Wearables.
18 For example, in respect of QR payments, financial institutions shall implement safeguards within its
respective mobile applications to detect and mitigate risks relating to QR code that may contain malware
or links to phishing websites.

Risk Management in Technology 26 of 67
Issued on: 1 June 2023

S 11.1 A financial institution must ensure that there is an enterprise-wide focus on
effective cyber risk management to reflect the collective responsibility of
business and technology lines for managing cyber risks.

S 11.2 A financial institution must develop a CRF which clearly articulates the
institution’s governance for managing cyber risks, its cyber resilience
objectives and its risk tolerance, with due regard to the evolving cyber threat environment. Objectives of the CRF shall include ensuring operational
resilience against extreme but plausible cyber-attacks. The framework must be
able to support the effective identification, protection, detection, response, and recovery (IPDRR) of systems and data hosted on-premise or by third party
service providers from internal and external cyber-attacks.

S 11.3 The CRF must consist of, at a minimum, the following elements:
(a) development of an institutional understanding of the overall cyber risk context in relation to the financial institution’s business and operations, its exposure to cyber risks and current cybersecurity posture;
(b) identification, classification and prioritisation of critical systems,
information, assets and interconnectivity (with internal and external
parties) to obtain a complete and accurate view of the financial institution’s information assets, critical systems, interdependencies and cyber risk profile;
(c) identification of cybersecurity threats and countermeasures including
measures to contain reputational damage that can undermine confidence in the financial institution;
(d) layered (defense-in-depth) security controls to protect its data,
infrastructure and assets against evolving threats;
(e) timely detection of cybersecurity incidents through continuous
surveillance and monitoring;
(f) detailed incident handling policies and procedures and a crisis response management playbook to support the swift recovery from cyber-incidents
and contain any damage resulting from a cybersecurity breach; and
(g) policies and procedures for timely and secure information sharing and collaboration with other financial institutions and participants in financial market infrastructure to strengthen cyber resilience.

S 11.4 In addition to the requirements in paragraph 11.3, a large financial institution
is required to—
(a) implement a centralised automated tracking system to manage its
technology asset inventory; and
(b) establish a dedicated in-house cyber risk management function to manage
cyber risks or emerging cyber threats. The cyber risk management
function shall be responsible for the following:
(i) perform detailed analysis on cyber threats, provide risk assessments on potential cyber-attacks and ensure timely review and escalation
of all high-risk cyber threats to senior management and the board;
and
(ii) proactively identify potential vulnerabilities including those arising
from infrastructure hosted with third party service providers through
the simulation of sophisticated “Red Team” attacks on its current
security controls.

Cybersecurity Operations

S 11.5 A financial institution must establish clear responsibilities for cybersecurity
operations which shall include implementing appropriate mitigating measures in the financial institution’s conduct of business that correspond to the following phases of the cyber-attack lifecycle:
(a) reconnaissance;
(b) weaponisation;
(c) delivery;
(d) exploitation;
(e) installation;
(f) command and control; and
(g) exfiltration.

G 11.6 Where relevant, a financial institution should adopt the control measures on
cybersecurity as specified in Appendix 5 to enhance its resilience to cyber-attacks.

S 11.7 A financial institution must deploy effective tools to support the continuous and
proactive monitoring and timely detection of anomalous activities in its
technology infrastructure. The scope of monitoring must cover all critical
systems including the supporting infrastructure.

S 11.8 A financial institution must ensure that its cybersecurity operations
continuously prevent and detect any potential compromise of its security controls or weakening of its security posture. For large financial institutions,
this must include performing a quarterly vulnerability assessment of external and internal network components that support all critical systems.

S 11.9 A financial institution must conduct annual intelligence-led penetration tests on
its internal and external network infrastructure as well as critical systems including web, mobile and all external-facing applications. The penetration
testing shall reflect extreme but plausible cyber-attack scenarios based on
emerging and evolving threat scenarios. A financial institution must engage suitably accredited penetration testers and service providers to perform this function.

S 11.10 In addition to the requirement in paragraph 11.9, a large financial institution
must undertake independent compromise assessments on the technology infrastructure of its critical systems at least annually and ensure the results of such assessments are escalated to senior management and the board in a timely manner.

S 11.11 A financial institution must establish standard operating procedures (SOP) for
vulnerability assessment and penetration testing (VAPT) activities. The SOP
must outline the relevant control measures including ensuring the external
penetration testers are accompanied on-premises at all times, validating the
event logs and ensuring data purging.

S 11.12 A financial institution must ensure the outcome of the penetration testing
exercise is properly documented and escalated in a timely manner to senior
management to identify and monitor the implementation of relevant remedial
actions.

Distributed Denial of Service (DDoS)

S 11.13 A financial institution must ensure its technology systems and infrastructure,
including critical systems outsourced to or hosted by third party service
providers, are adequately protected against all types of DDoS attacks
(including volumetric, protocol and application layer attacks) through the
following measures:
(a) subscribing to DDoS mitigation services, which include automatic ‘clean
pipe’ services to filter and divert any potential malicious traffic away from the network bandwidth;
(b) regularly assessing the capability of the provider to expand network bandwidth on- demand including upstream provider capability, adequacy
of the provider’s incident response plan and its responsiveness to an
attack; and
(c) implementing mechanisms to mitigate against Domain Name Server (DNS) based layer attacks.

Data Loss Prevention (DLP)

S 11.14 A financial institution must establish a clear DLP strategy and processes in
order to ensure that proprietary and customer and counterparty information is
identified, classified and secured. At a minimum, a financial institution must –
(a) ensure that data owners are accountable and responsible for identifying and appropriately classifying data;
(b) undertake a data discovery process prior to the development of a data classification scheme and data inventory; and
(c) ensure that data accessible by third parties is clearly identified and policies must be implemented to safeguard and control third party access.
This includes adequate contractual agreements to protect the interests of
the financial institution and its customers.

S 11.15 A financial institution must design internal control procedures and implement
appropriate technology in all applications and access points to enforce DLP
policies and trigger any policy violations. The technology deployed must cover
the following:
(a) data in-use – data being processed by IT resources;
(b) data in-motion – data being transmitted on the network; and
(c) data at-rest – data stored in storage mediums such as servers, backup
media and databases.

S 11.16 A financial institution must implement appropriate policies for the removal of
data on technology equipment, mobile devices or storage media to prevent
unauthorised access to data.

Security Operations Centre (SOC)

S 11.17 A financial institution must ensure its SOC, whether managed in-house or by
third party service providers, has adequate capabilities for proactive
monitoring of its technology security posture. This shall enable the financial
institution to detect anomalous user or network activities, flag potential
breaches and establish the appropriate response supported by skilled
resources based on the level of complexity of the alerts. The outcome of the
SOC activities shall also inform the financial institution’s reviews of its
cybersecurity posture and strategy.

S 11.18 The SOC must be able to perform the following functions:
(a) log collection and the implementation of an event correlation engine with
parameter -driven use cases such as Security Information and Event
Management (SIEM);
(b) incident coordination and response;
(c) vulnerability management;
(d) threat hunting;
(e) remediation functions including the ability to perform forensic artifact
handling, malware and implant analysis; and
(f) provision of situational awareness to detect adversaries and threats including threat intelligence analysis and operations and monitoring
indicators of compromise (IOC). This includes advanced behavioural analysis to detect signature-less and file-less malware and to identify
anomalies that may pose security threats including at endpoints and network layers.

S 11.19 A financial institution must ensure that the SOC provides a regular threat
assessment report, which shall include, at a minimum, the following:
(a) trends and statistics of cyber events and incidents categorised by type of attacks, target and source IP addresses, location of data centres and
criticality of applications; and
(b) intelligence on emerging and potential threats including tactics,
techniques and procedures (TTP).
For large financial institutions, such reports shall be provided on a monthly basis.

S 11.20 A financial institution must subscribe to reputable threat intelligence services
to identify emerging cyber threats, uncover new cyber-attack techniques and
support the implementation of countermeasures.

S 11.21 A financial institution must ensure the following:
(a) the SOC is located in a physically secure environment with proper access controls;
(b) the SOC operates on a 24×7 basis with disaster recovery capability to
ensure continuous availability; and
(c) the SOC has a holistic and end-to-end view of the financial institution’s
infrastructure including internal and external facing perimeters.

Cyber Response and Recovery

S 11.22 A financial institution must establish comprehensive cyber crisis management
policies and procedures that incorporate cyber-attack scenarios and
responses in the organisation’s overall crisis management plan, escalation
processes, business continuity and disaster recovery planning. This includes developing a clear communication plan for engaging shareholders, regulatory authorities, customers and employees in the event of a cyber-incident.

S 11.23 A financial institution must establish and implement a comprehensive Cyber
Incident Response Plan (CIRP). The CIRP must address the following:
(a) Preparedness
Establish a clear governance process, reporting structure and roles and
responsibilities of the Cyber Emergency Response Team (CERT) as well as invocation and escalation procedures in the event of an incident;

(b) Detection and analysis
Ensure effective and expedient processes for identifying points of
compromise, assessing the extent of damage and preserving sufficient evidence for forensics purposes;

(c) Containment, eradication and recovery
Identify and implement remedial actions to prevent or minimise damage to the financial institution, remove the known threats and resume business
activities; and

(d) Post-incident activity
Conduct post-incident review incorporating lessons learned and develop
long- term risk mitigations.

S 11.24 A financial institution must ensure that relevant CERT members are
conversant with the incident response plan and handling procedures and
remain contactable at all times. A key contact person or an alternate must be appointed to liaise with the Bank during an incident.

S 11.25 A financial institution must conduct an annual cyber drill exercise to test the
effectiveness of its CIRP, based on various current and emerging threat scenarios (e.g. social engineering), with the involvement of key stakeholders including members of the board, senior management and relevant third party service providers. The test scenarios must include scenarios designed to test:
(a) the effectiveness of escalation, communication and decision- making
processes that correspond to different impact levels of a cyber-incident;
and
(b) the readiness and effectiveness of CERT and relevant third party service providers in supporting the recovery process.

S 11.26 A financial institution must immediately notify the Bank of any cyber-incidents
affecting the institution. Upon completion of the investigation, the financial
institution is also required to submit a report on the incident through ORION19.

G 11.27 Financial institutions are strongly encouraged to collaborate and cooperate
closely with relevant stakeholders and competent authorities in combating
cyber threats and sharing threat intelligence and mitigation measures.


BNM RMIT 2023 Part 5

Patch and End-of-Life System Management

S 10.61 A financial institution must ensure that critical systems are not running on
outdated systems with known security vulnerabilities or end-of-life (EOL)
technology systems. In this regard, a financial institution must clearly assign responsibilities to identified functions:
(a) to continuously monitor and implement latest patch releases in a timely manner; and
(b) identify critical technology systems that are approaching EOL for further remedial action.

S 10.62 A large financial institution must establish dedicated resources to perform the
functions under paragraph 10.61 .

S 10.63 A financial institution must establish a patch and EOL management framework
which addresses among others the following requirements:
(a) identification and risk assessment of all technology assets for potential vulnerabilities arising from undeployed patches or EOL systems;
(b) conduct of compatibility testing for critical patches;
(c) specification of turnaround time for deploying patches according to the severity of the patches; and
(d) adherence to the workflow for end-to-end patch deployment processes
including approval, monitoring and tracking of activities.

Security of Digital Services

S 10.64 A financial institution must implement robust technology security controls in
providing digital services which assure the following:
(a) confidentiality and integrity of customer and counterparty information and
transactions;
(b) reliability of services delivered via channels and devices with minimum disruption to services;
(c) proper authentication of users or devices and authorisation of
transactions;
(d) sufficient audit trail and monitoring of anomalous transactions;
(e) ability to identify and revert to the recovery point prior to incident or service disruption; and
(f) strong physical control and logical control measures.

S 10.65 A financial institution must implement controls to authenticate and monitor all
financial transactions. These controls, at a minimum, must be effective in
mitigating man-in-the-middle attacks, transaction fraud, phishing and
compromise of application systems and information.

S 10.66 A financial institution must implement additional controls to authenticate
devices and users, authorise transactions and support non-repudiation and
accountability for high-risk transactions or transactions above RM10,000.
These measures must include, at a minimum, the following:
(a) ensure transactions are performed over secured channels such as the latest version of Transport Layer Security (TLS);
(b) both client and host application systems must encrypt all confidential information prior to transmission over the network;
(c) adopt MFA for transactions;
(d) if OTP is used as a second factor, it must be dynamic and time-bound;
(e) request users to verify details of the transaction prior to execution;
(f) ensure secure user and session handling management;
(g) be able to capture the location of origin and destination of each
transaction;
(h) implement strong mutual authentication between the users’ end-point
devices and financial institutions’ servers, such as the use of the latest version of Extended Validation SSL certificate (EV SSL); and
(i) provide timely notification to customers that is sufficiently descriptive of the nature of the transaction.

S 10.67 A financial institution must ensure the MFA solution used to authenticate
financial transactions are adequately secure, which includes the following:
(a) binding of the MFA solution to the customer’s account;
(b) activation of MFA must be subject to verification by the financial institution; and
(c) timely notification to customers of any activation of and changes to the
MFA solution via the customers’ verified communication channel.

S 10.68 A financial institution must deploy MFA technology and channels that are more
secure than unencrypted short messaging service (SMS).

S 10.69 A financial institution shall deploy MFA solutions with stronger security controls
for open third party fund transfer and open payment transactions with a value of RM10,000 and above.

S 10.70 A financial institution must ensure that the security controls of MFA solutions
includes adherence to the following requirements:
(a) the MFA solution is resistant to interception or manipulation by any third
party throughout the authentication process;
(b) payer/sender must be made aware and prompted to confirm details of the
identified beneficiary and amount of the transaction;
(c) authentication code must be initiated and generated locally by the
payer/sender using MFA;
(d) authentication code generated by payer/sender must be specific to the
confirmed identified beneficiary and amount;
(e) secure underlying technology must be established to ensure the
authentication code accepted by the financial institution corresponds to
the confirmed transaction details; and
(f) notification must be provided to the payer/sender of the transaction.

S 10.71 Where a financial institution deploys OTP as part of its stronger or enhanced
MFA solutions, the following features must be implemented:
(a) binding of the transaction details to the OTP generated by the device (e.g.
beneficiary account number, amount of transaction);
(b) generation of the OTP from the customer’s device and not from the bank’s
server; and
(c) requiring the customer to manually enter the generated OTP into the
application.
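A concrete form of the transaction-signing pattern that paragraphs 10.70 and 10.71 require, as an added example that is not part of the BNM policy document and not any vendor's MFA product: the payer's device computes the code from a per-customer secret, the confirmed beneficiary, the confirmed amount and the current time step; the bank recomputes the code from the transaction it actually received, so a code obtained for one beneficiary/amount cannot authorise another, and it expires after a short window. The HMAC-SHA256 construction, the 60-second step, the 8-digit HOTP-style truncation (RFC 4226 section 5.3) and the one-step drift window are this example's assumptions (RFC 6287 OCRA is the standardised relative of this scheme); the secret and timestamps are constructed for the demonstration.

```python
"""Transaction-bound, time-bound OTP for high-value payment authorisation.

Added example, not part of the BNM RMIT policy document. The code is generated
on the payer's device, bound to the confirmed beneficiary and amount, expires
after a short window, and is verified by the bank against the transaction it
actually received. Key derivation, canonicalisation and truncation are assumptions.
"""
import hashlib
import hmac
import struct
from decimal import Decimal

TIME_STEP_SECONDS = 60   # assumption: each code is valid for one 60-second step
CODE_DIGITS = 8          # assumption: 8-digit code, entered manually by the customer
ALLOWED_DRIFT_STEPS = 1  # assumption: accept the previous/next step for clock skew


def canonical_transaction(beneficiary_account: str, amount: Decimal, currency: str) -> bytes:
    """Unambiguous byte encoding of the details the customer confirmed on screen.

    Spaces are stripped and the amount fixed to two decimals so device and server
    derive identical input from the same transaction; each field is length-prefixed
    so that ("12", "3") and ("1", "23") cannot collide.
    """
    fields = [
        beneficiary_account.replace(" ", "").upper(),
        currency.upper(),
        str(amount.quantize(Decimal("0.01"))),
    ]
    out = b""
    for field in fields:
        data = field.encode("utf-8")
        out += struct.pack(">H", len(data)) + data
    return out


def transaction_code(device_secret: bytes, beneficiary_account: str, amount: Decimal,
                     currency: str, time_step: int) -> str:
    """Device side (10.71(b): generated locally, not by the bank's server).

    HMAC-SHA256 over (transaction details || time step), then HOTP-style dynamic
    truncation to CODE_DIGITS decimal digits.
    """
    msg = canonical_transaction(beneficiary_account, amount, currency) + struct.pack(">Q", time_step)
    digest = hmac.new(device_secret, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    binary = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(binary % (10 ** CODE_DIGITS)).zfill(CODE_DIGITS)


def verify_transaction_code(device_secret: bytes, submitted_code: str, beneficiary_account: str,
                            amount: Decimal, currency: str, now: float) -> bool:
    """Bank side (10.70(e)): recompute from the transaction the bank actually received.

    Any change to beneficiary or amount, or a code outside the drift window, makes
    the constant-time comparison fail.
    """
    current_step = int(now // TIME_STEP_SECONDS)
    for step in range(current_step - ALLOWED_DRIFT_STEPS, current_step + ALLOWED_DRIFT_STEPS + 1):
        expected = transaction_code(device_secret, beneficiary_account, amount, currency, step)
        if hmac.compare_digest(expected, submitted_code):
            return True
    return False


def demo() -> dict:
    """Legitimate approval, a beneficiary swap, an amount change and a stale code."""
    secret = b"\x01" * 32          # constructed: per-customer secret bound at MFA activation (10.67(a))
    now = 1_700_000_000.0          # constructed timestamp
    step = int(now // TIME_STEP_SECONDS)
    beneficiary, amount = "1234 5678 9012", Decimal("15000.00")

    # 1. Customer confirms beneficiary and amount on the device and reads off a code.
    code = transaction_code(secret, beneficiary, amount, "MYR", step)
    legit = verify_transaction_code(secret, code, "123456789012", amount, "MYR", now)

    # 2. A man-in-the-middle swaps the beneficiary account but replays the same code.
    swapped = verify_transaction_code(secret, code, "999988887777", amount, "MYR", now)

    # 3. The amount is inflated while the confirmed beneficiary is kept.
    inflated = verify_transaction_code(secret, code, beneficiary, Decimal("50000.00"), "MYR", now)

    # 4. The correct code is presented long after its time window (10.66(d): time-bound).
    stale = verify_transaction_code(secret, code, beneficiary, amount, "MYR",
                                    now + 10 * TIME_STEP_SECONDS)
    return {"legitimate": legit, "beneficiary_swapped": swapped,
            "amount_changed": inflated, "expired": stale}


if __name__ == "__main__":
    print(demo())
```

The point the policy text makes in 10.70(d) and (e) is that the code must be specific to the confirmed beneficiary and amount; in this construction that specificity comes from feeding the canonical transaction into the HMAC rather than from any secrecy of the transaction details, so the bank needs nothing beyond the customer's bound secret and the transaction it received to decide. A production deployment would additionally guard against replay within the drift window by recording accepted (customer, step, code) tuples.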

S 10.72 For financial transactions below RM10,000, a financial institution may decide
on proportionate controls and authentication methods for transactions
assessed by the financial institution to be of low risk. In undertaking the assessment, the financial institution must establish a set of criteria or factors
that reflect the nature, size and characteristics of a financial transaction. Such criteria or factors must be consistent with the financial institution’s risk appetite and tolerance. The financial institution must periodically review the risk
assessment criteria to ensure its continued relevance, having regard to the latest developments in cybersecurity risks and authentication technologies as well as fraud trends and incidents.

S 10.73 Where a financial institution decides not to adopt MFA for financial transactions
that are assessed to be of low risk, the financial institution must nevertheless implement adequate safeguards for such transactions which shall include at a minimum the following measures:
(a) set appropriate limits on a per-transaction basis, and on a cumulative
basis;
(b) provide a convenient means for customers to reduce the limits described in paragraph (a) or to opt for MFA;
(c) provide a convenient means for its customers to temporarily suspend their account in the event of suspected fraud; and
(d) provide its customers with adequate notice of the safeguards set out in paragraphs (a) to (c).

S 10.74 A financial institution must ensure sufficient and relevant digital service logs
are retained for investigations and forensic purposes for at least three years.

S 10.75 A financial institution must ensure that critical online payments and banking16
services have high availability with reasonable response time to customer
actions.

S 10.76 A financial institution must ensure that the use of more advanced technology
to authenticate and deliver digital services such as biometrics, tokenisation
and contactless communication17 comply with internationally recognised
standards where available. The technology must be resilient against cyber
threats18 including malware, phishing or data leakage.

16 For example, Internet and mobile banking services.

S 10.77 A financial institution must undertake a comprehensive risk assessment of the
advanced technologies and the algorithms deployed in its digital services. Algorithms must be regularly reviewed and validated to ensure they remain appropriate and accurate. Where third party software is used, a financial institution may rely on relevant independent reports provided such reliance is consistent with the financial institution’s risk appetite and tolerance, and the
nature of digital services provided by the financial institution which leverage on the technologies and algorithms.

S 10.78 A financial institution must ensure authentication processes using biometric
technology are secure, highly resistant to spoofing and have a minimal false acceptance rate to ensure confidentiality, integrity and non-repudiation of
transactions.

S 10.79 A financial institution must perform continuous surveillance to assess the
vulnerability of the operating system and the relevant technology platform used for its digital delivery channels to security breaches and implement appropriate
corresponding safeguards. At a minimum, a financial institution must
implement sufficient logical and physical safeguards for the following
channels:
(a) self-service terminal (SST);
(b) non-cash SST;
(c) Internet banking; and
(d) mobile application and devices.
In view of the evolving threat landscape, these safeguards must be
continuously reviewed and updated to protect against fraud and to secure the confidentiality and integrity of customer and counterparty information and
transactions.

G 10.80 In fulfilling paragraph 10.79, a financial institution should adopt the controls
specified in the following Appendices for the respective digital delivery
channel:
(a) Appendix 2: Control Measures on Self-Service Terminals (SST);
(b) Appendix 3: Control Measures on Internet Banking; and
(c) Appendix 4: Control Measures on Mobile Application and Devices.


BNM RMIT 2023 Part 4

Network Resilience

S 10.33 A financial institution must design a reliable, scalable and secure enterprise
network that is able to support its business activities, including future growth plans.

S 10.34 A financial institution must ensure the network services for its critical systems
are reliable and have no SPOF in order to protect the critical systems against potential network faults and cyber threats.

S 10.35 A financial institution must establish real-time network bandwidth monitoring
processes and corresponding network service resilience metrics to flag any over utilisation of bandwidth and system disruptions due to bandwidth
congestion and network faults. This includes traffic analysis to detect trends and anomalies.

S 10.36 A financial institution must ensure network services supporting critical systems
are designed and implemented to ensure the confidentiality, integrity and availability of data.

S 10.37 A financial institution must establish and maintain a network design blue print
identifying all of its internal and external network interfaces and connectivity. The blueprint must highlight both physical and logical connectivity between network components and network segmentations.

S 10.38 A financial institution must ensure sufficient and relevant network device logs
are retained for investigations and forensic purposes for at least three years.

13 Measures implemented may include component redundancy, service diversity and alternate network
paths.

S 10.39 A financial institution must implement appropriate safeguards to minimise the
risk of a system compromise in one entity affecting other entities within the
group. Safeguards implemented may include establishing logical network
segmentation for the financial institution from other entities within the group.

S 10.40 A financial institution is required to appoint a technically competent external
service provider to carry out regular network resilience and risk assessments
(NRA) and set proportionate controls aligned with its risk appetite. The
assessment must be conducted at least once in three years or whenever there
is a material change in the network design. The assessment must consider all major risks and determine the current level of resilience. This shall include an assessment of the financial institution’s adherence to the requirements in
paragraphs 10.33 to 10.39. The designated board-level committee must
deliberate the outcome of the assessment.

Third Party Service Provider Management

S 10.41 The board and senior management of the financial institution must exercise
effective oversight and address associated risks when engaging third party service providers14 for critical technology functions and systems. Engagement
of third party service providers, including engagements for independent
assessments, does not in any way reduce or eliminate the principal
accountabilities and responsibilities of financial institutions for the security and reliability of technology functions and systems.

S 10.42 A financial institution must conduct proper due diligence on the third party
service provider’s competency, system infrastructure and financial viability as relevant prior to engaging its services. In addition, an assessment shall be made of the third party service provider’s capabilities in managing the following specific risks –
(a) data leakage such as unauthorised disclosure of customer and
counterparty information;
(b) service disruption including capacity performance;
(c) processing errors;
(d) physical security breaches;
(e) cyber threats;
(f) over-reliance on key personnel;
(g) mishandling of confidential information pertaining to the financial
institution or its customers in the course of transmission, processing or storage of such information; and
(h) concentration risk.

S 10.43 A financial institution must establish service-level agreements (SLA) when
engaging third party service providers. At a minimum, the SLA shall contain the following:
(a) access rights for the regulator and any party appointed by the financial
institution to examine any activity or entity of the financial institution. This
shall include access to any record, file or data of the financial institution,
including management information and the minutes of all consultative and
decision-making processes;
(b) requirements for the service provider to provide sufficient prior notice to
financial institutions of any sub-contracting which is substantial;
(c) a written undertaking by the service provider on compliance with secrecy provisions under relevant legislation. The SLA shall further clearly provide for the service provider to be bound by confidentiality provisions stipulated under the contract even after the engagement has ended;
(d) arrangements for disaster recovery and backup capability, where
applicable;
(e) critical system availability; and
(f) arrangements to secure business continuity in the event of exit or
termination of the service provider.

14 Financial institutions must adhere to the requirements in the Policy Document on Outsourcing for
engagements with third party service providers that meet the definition of outsourcing arrangement as
specified in the policy document.

S 10.44 A financial institution must ensure its ability to regularly review the SLA with its
third party service providers to take into account the latest security and technological developments in relation to the services provided.

S 10.45 A financial institution must ensure its third party service providers comply with
all relevant regulatory requirements prescribed in this policy document15.

S 10.46 A financial institution must ensure data residing in third party service providers
are recoverable in a timely manner. The financial institution shall ensure clearly defined arrangements with the third party service provider are in place to facilitate the financial institution’s immediate notification and timely updates to
the Bank and other relevant regulatory bodies in the event of a cyber-incident.

S 10.47 A financial institution must ensure the storage of its data is at least logically
segregated from the other clients of the third party service provider. There shall
be proper controls over and periodic review of the access provided to
authorised users.

S 10.48 A financial institution must ensure any critical system hosted by third party
service providers have strong recovery and resumption capability and
provisions to facilitate an orderly exit in the event of failure or unsatisfactory
performance by the third party service provider.

Cloud Services

S 10.49 A financial institution must fully understand the inherent risk of adopting cloud
services. In this regard, a financial institution is required to conduct a
comprehensive risk assessment prior to cloud adoption which considers the inherent architecture of cloud services that leverages on the sharing of
resources and services across multiple tenants over the Internet. The
assessment must specifically address risks associated with the following:
(a) sophistication of the deployment model;
(b) migration of existing systems to cloud infrastructure;
(c) location of cloud infrastructure including potential geo-political risks and
legal risks that may impede compliance with any legal or regulatory
requirements;
(d) multi-tenancy or data co-mingling;
(e) vendor lock-in and application portability or interoperability;
(f) ability to customise security configurations of the cloud infrastructure to
ensure a high level of data and technology system protection;
(g) exposure to cyber-attacks via cloud service providers;
(h) termination of a cloud service provider including the ability to secure the
financial institution’s data following the termination;
(i) demarcation of responsibilities, limitations and liability of the cloud
service provider; and
(j) ability to meet regulatory requirements and international standards on cloud computing on a continuing basis.

15 This includes specific requirements for system development and acquisition, data centre operations,
network resilience, technology security and cybersecurity, wherever applicable.

G 10.50 For critical systems hosted on public cloud, a financial institution should
consider common key risks and control measures as specified in Appendix 10.
A financial institution that relies on alternative risk management practices
that depart from the measures outlined in Appendix 10 should be prepared to explain and demonstrate to the Bank that these alternative practices are at
least as effective as, or superior to, the measures in Appendix 10.

S 10.51 A financial institution must implement appropriate safeguards on customer
and counterparty information and proprietary data when using cloud services
to protect against unauthorised disclosure and access. This shall include
retaining ownership, control and management of all data pertaining to
customer and counterparty information, proprietary data and services hosted
on the cloud, including the relevant cryptographic key management.

Access Control

S 10.52 A financial institution must implement an appropriate access controls policy
for the identification, authentication and authorisation of users (internal and external users such as third party service providers). This must address both logical and physical technology access controls which are commensurate with the level of risk of unauthorised access to its technology
systems.

G 10.53 In observing paragraph 10.52, a financial institution should consider the
following principles in its access control policy:
(a) adopt a “deny all” access control policy for users by default unless explicitly authorised;
(b) employ “least privilege” access rights or on a ‘need- to-have’ basis
where only the minimum sufficient permissions are granted to legitimate users to perform their roles;
(c) employ time-bound access rights which restrict access to a specific
period including access rights granted to service providers;
(d) employ segregation of incompatible functions where no single person is
responsible for an entire operation that may provide the ability to
independently modify, circumvent, and disable system security features.
This may include a combination of functions such as:
(i) system development and technology operations;
(ii) security administration and system administration; and
(iii) network operation and network security;
(e) employ dual control functions which require two or more persons to execute an activity;
(f) adopt stronger authentication for critical activities including for remote access;
(g) limit and control the use of the same user ID for multiple concurrent sessions;
(h) limit and control the sharing of user ID and passwords across multiple users; and
(i) control the use of generic user ID naming conventions in favour of more personally identifiable IDs.
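The principles in (a) to (e) above are usually described in policy language only, so as an added illustration (not part of the BNM policy text) the Python sketch below shows what a minimal enforcement of them looks like in code: deny by default, exact-match least-privilege grants, an expiry on every grant, refusal of incompatible role combinations, and dual control on designated actions. The role names, resources, user IDs and the dual-control action list are constructed for the example and are not taken from the policy document.

```python
"""Added example: a toy policy engine applying the access control principles in
paragraph 10.53 (deny by default, least privilege, time-bound grants, segregation
of incompatible functions, dual control). Roles, resources, users and the
dual-control actions below are constructed for illustration only."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Role pairs that one user must never hold at the same time (10.53(d)).
INCOMPATIBLE_ROLES = {
    frozenset({"system-developer", "technology-operations"}),
    frozenset({"security-admin", "system-admin"}),
    frozenset({"network-ops", "network-security"}),
}

# (resource, action) pairs that need two distinct approvers (10.53(e)); assumed list.
DUAL_CONTROL_ACTIONS = {("core-banking", "release-deploy"), ("hsm", "key-export")}


@dataclass(frozen=True)
class Grant:
    user: str
    role: str
    resource: str
    action: str
    expires_at: datetime  # every grant is time-bound (10.53(c))


@dataclass
class Policy:
    grants: list = field(default_factory=list)

    def add_grant(self, grant: Grant) -> None:
        """Reject a grant that would give one user two incompatible roles."""
        held = {g.role for g in self.grants if g.user == grant.user}
        for role in held:
            if frozenset({role, grant.role}) in INCOMPATIBLE_ROLES:
                raise ValueError(
                    f"{grant.user}: role {grant.role!r} is incompatible with {role!r}")
        self.grants.append(grant)

    def is_allowed(self, user, resource, action, now, approvers=()):
        """Deny unless an unexpired grant matches exactly (10.53(a), (b));
        dual-control actions also need two approvers other than the requester."""
        matching = [
            g for g in self.grants
            if g.user == user and g.resource == resource and g.action == action
            and g.expires_at > now
        ]
        if not matching:
            return False
        if (resource, action) in DUAL_CONTROL_ACTIONS:
            distinct = {a for a in approvers if a != user}
            return len(distinct) >= 2
        return True


def demo() -> dict:
    """Exercise each principle once and return the outcomes."""
    now = datetime(2023, 6, 1, 9, 0, tzinfo=timezone.utc)
    p = Policy()
    p.add_grant(Grant("alice", "technology-operations", "core-banking",
                      "restart-service", now + timedelta(hours=8)))
    p.add_grant(Grant("vendor-bob", "system-admin", "core-banking",
                      "release-deploy", now + timedelta(hours=2)))
    try:
        p.add_grant(Grant("alice", "system-developer", "core-banking",
                          "commit", now + timedelta(days=1)))
        sod_blocked = False
    except ValueError:
        sod_blocked = True
    deploy = ("vendor-bob", "core-banking", "release-deploy")
    return {
        "explicit_grant": p.is_allowed("alice", "core-banking", "restart-service", now),
        "no_grant_denied": not p.is_allowed("alice", "core-banking", "drop-table", now),
        "expired_denied": not p.is_allowed(*deploy, now + timedelta(hours=3),
                                           approvers=("carol", "dan")),
        "dual_control_one_approver": p.is_allowed(*deploy, now, approvers=("carol",)),
        "dual_control_two_approvers": p.is_allowed(*deploy, now, approvers=("carol", "dan")),
        "sod_blocked": sod_blocked,
    }


if __name__ == "__main__":
    print(demo())
```

The point of `is_allowed` returning `False` on any unmatched request is that new resources and actions are closed until someone writes a grant for them; the vendor grant expiring after two hours is how "time-bound access rights ... granted to service providers" in (c) is expressed operationally.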

S 10.54 A financial institution must employ robust authentication processes to ensure
the authenticity of identities in use. Authentication mechanisms shall be commensurate with the criticality of the functions and adopt at least one of these three basic authentication factors, namely, something the user knows (e.g. password, PIN), something the user possesses (e.g. smart card, security device) and something the user is (e.g. biometric characteristics, such as a fingerprint or retinal pattern).

S 10.55 A financial institution shall periodically review and adapt its password
practices to enhance resilience against evolving attacks. This includes the effective and secure generation of passwords. There must be appropriate controls in place to check the strength of the passwords created.
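Paragraph 10.55 asks for two things that are easy to conflate: secure generation and a strength check on what users create. The Python below, added here as an illustration and not part of the BNM text, implements both in the way a practitioner usually does: generation from the operating-system CSPRNG via `secrets`, and a check that rejects short passwords, too few character classes, a password containing the user ID, keyboard-style sequences and repeats, and anything in a breached/common-password list compared by SHA-1 digest. The thresholds and the four-entry denylist are constructed assumptions, not values from the policy.

```python
"""Added example (not BNM text): password strength checks and secure generation
for paragraph 10.55. Thresholds and the denylist are constructed assumptions."""
import hashlib
import secrets
import string

MIN_LENGTH = 12          # assumed policy minimum
MIN_CHAR_CLASSES = 3     # assumed: at least 3 of lower/upper/digit/symbol
RUN_LENGTH = 4           # 'abcd', '1234' or 'aaaa' of this length is rejected

# Constructed stand-in for a breached/common-password corpus. Only SHA-1 digests
# are kept, mirroring how such lists are normally distributed and compared.
_COMMON_PLAINTEXT = ["Password123!", "Welcome2023", "P@ssw0rd", "Qwerty!2023"]
COMMON_SHA1 = {hashlib.sha1(p.encode()).hexdigest().upper() for p in _COMMON_PLAINTEXT}


def _char_classes(pw: str) -> int:
    """Count how many of lower/upper/digit/symbol appear in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def _has_run(pw: str, n: int) -> bool:
    """True if pw contains n consecutive chars that are identical or ascend by
    one code point each (e.g. 'aaaa', 'abcd', '1234'); case-insensitive."""
    low = pw.lower()
    for i in range(len(low) - n + 1):
        window = low[i:i + n]
        if len(set(window)) == 1:
            return True
        if all(ord(window[j + 1]) - ord(window[j]) == 1 for j in range(n - 1)):
            return True
    return False


def check_strength(password: str, user_id: str) -> list:
    """Return the list of failed checks; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if _char_classes(password) < MIN_CHAR_CLASSES:
        failures.append("too_few_classes")
    if user_id and user_id.lower() in password.lower():
        failures.append("contains_user_id")
    if _has_run(password, RUN_LENGTH):
        failures.append("sequential_or_repeated_run")
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    if digest in COMMON_SHA1:
        failures.append("denylisted")
    return failures


def generate_password(length: int = 16, user_id: str = "") -> str:
    """Draw from the CSPRNG in `secrets` and redraw until the same checks pass,
    so generated and user-chosen passwords are held to one standard."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_strength(candidate, user_id):
            return candidate


if __name__ == "__main__":
    print(check_strength("Password123!", "alice"))
    print(generate_password(16, "svc-batch"))
```

Comparing digests rather than plaintext is what makes it safe to ship the denylist to every system that enforces the policy; in production the list would be a file of digests or a k-anonymity lookup against a breach corpus rather than the four constructed entries here.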

G 10.56 Authentication methods that depend on more than one factor typically are
more difficult to compromise than a single factor system. In view of this,
financial institutions are encouraged to properly design and implement
(especially in high-risk or ‘single sign-on’ systems) multi-factor authentication
(MFA) that are more reliable and provide stronger fraud deterrents.

G 10.57 A financial institution is encouraged to adopt dedicated user domains for
selected critical functions, separate from the broader enterprise-wide user
authentication system.

S 10.58 A financial institution must establish a user access matrix to outline access
rights, user roles or profiles, and the authorising and approving authorities. The access matrix must be periodically reviewed and updated.

S 10.59 A financial institution must ensure —
(a) access controls to enterprise-wide systems are effectively managed and
monitored; and
(b) user activities in critical systems are logged for audit and investigations.
Activity logs must be maintained for at least three years and regularly
reviewed in a timely manner.

S 10.60 In fulfilling the requirement under paragraph 10.59, large financial institutions
are required to—
(a) deploy an identity access management system to effectively manage and monitor user access to enterprise-wide systems; and
(b) deploy automated audit tools to flag any anomalies.
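As an added example rather than text from the policy, the sketch below runs three simple anomaly rules of the kind paragraph 10.60(b) has in mind over a handful of constructed log lines: the same user ID holding concurrent sessions from two source addresses (cf. 10.53(g)), a privileged change outside an approved service window, and a login under a generic administrator ID (10.53(i)). The log format, the approved window, the privileged event names and the generic IDs are assumptions made for the example.

```python
"""Added example (not BNM text): three anomaly rules for paragraph 10.60(b),
run over constructed audit log lines. Format, window and name lists are assumed."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format for the example; real systems will differ.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) "
    r"src=(?P<src>\S+) system=(?P<system>\S+)$"
)
PRIVILEGED_EVENTS = {"modify-parameter", "release-deploy", "key-export"}  # assumed
GENERIC_IDS = {"admin", "root", "sysadmin", "operator"}                   # assumed
APPROVED_WINDOW = (8, 18)   # assumed: privileged changes allowed 08:00-17:59 UTC

# Constructed sample log (not a real capture); deliberately not in time order.
SAMPLE_LOG = """\
2023-06-01T08:55:10Z user=alice event=login src=10.1.1.5 system=core-banking
2023-06-01T08:57:42Z user=alice event=login src=203.0.113.9 system=core-banking
2023-06-01T09:02:00Z user=alice event=logout src=10.1.1.5 system=core-banking
2023-06-01T23:15:00Z user=vendor-bob event=login src=198.51.100.7 system=core-banking
2023-06-01T23:16:30Z user=vendor-bob event=modify-parameter src=198.51.100.7 system=core-banking
2023-06-01T10:00:00Z user=admin event=login src=10.1.1.8 system=core-banking
"""


def parse(log_text: str) -> list:
    """Parse lines into dicts with a datetime 'ts' and return them in time order."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparseable lines would themselves be worth alerting on
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def analyse(log_text: str) -> list:
    """Return (rule, user, timestamp) findings, in the order the events occurred."""
    findings = []
    open_sessions = defaultdict(set)   # user -> source addresses currently logged in
    for e in parse(log_text):
        user, ev, src, ts = e["user"], e["event"], e["src"], e["ts"]
        if ev == "login":
            if user in GENERIC_IDS:
                findings.append(("generic_user_id", user, ts))
            if open_sessions[user] - {src}:        # already logged in from elsewhere
                findings.append(("concurrent_sessions", user, ts))
            open_sessions[user].add(src)
        elif ev == "logout":
            open_sessions[user].discard(src)
        elif ev in PRIVILEGED_EVENTS:
            if not (APPROVED_WINDOW[0] <= ts.hour < APPROVED_WINDOW[1]):
                findings.append(("off_hours_privileged", user, ts))
    return findings


if __name__ == "__main__":
    for rule, user, ts in analyse(SAMPLE_LOG):
        print(f"{ts.isoformat()} {rule} user={user}")
```

Sorting before evaluation matters: the session-tracking rule is stateful, and log shippers frequently deliver lines out of order, so the same rule applied to unsorted input would miss the overlap or report it against the wrong login.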

BNM RMIT 2023 Part 3

System Development and Acquisition

G 10.4 A financial institution should establish an enterprise architecture framework
(EAF) that provides a holistic view of technology throughout the financial institution. The EAF is an overall technical design and high-level plan that
describes the financial institution’s technology infrastructure, systems’ inter-connectivity and security controls. The EAF facilitates the conceptual design and maintenance of the network infrastructure, related technology controls and policies, and serves as a foundation on which financial institutions plan and
structure system development and acquisition strategies to meet business goals.

S 10.5 A financial institution must establish clear risk management policies and
practices for the key phases of the system development life cycle (SDLC) encompassing system design, development, testing, deployment, change management, maintenance and decommissioning. Such policies and
practices must also embed security and relevant enterprise architecture
considerations into the SDLC to ensure confidentiality, integrity and availability
of data8. The policies and practices must be reviewed at least once every three
years to ensure that they remain relevant to the financial institution’s
environment.

G 10.6 A financial institution is encouraged to deploy automated tools for software
development, testing, software deployment, change management, code
scanning and software version control to support more secure systems
development.

S 10.7 A financial institution shall consider the need for diversity9 in technology to
enhance resilience by ensuring critical systems infrastructure are not
excessively exposed to similar technology risks.

S 10.8 A financial institution must establish a sound methodology for rigorous system
testing prior to deployment. The testing shall ensure that the system meets
user requirements and performs robustly. Where sensitive test data is used,
the financial institution must ensure proper authorisation procedures and adequate measures to prevent their unauthorised disclosure are in place.

G 10.9 The scope of system testing referred to in paragraph 10.8 should include unit
testing, integration testing, user acceptance testing, application security
testing, stress and regression testing, and exception and negative testing, where applicable.

S 10.10 A financial institution must ensure any changes to the source code of critical
systems are subject to adequate source code reviews to ensure code is secure and was developed in line with recognised coding practices prior to introducing any system changes.

S 10.11 In relation to critical systems that are developed and maintained by vendors, a
financial institution must ensure the source code continues to be readily accessible and secured from unauthorised access.

S 10.12 A financial institution shall physically segregate the production environment
from the development and testing environment for critical systems. Where a financial institution is relying on a cloud environment, the financial institution shall ensure that these environments are not running on the same virtual host.

S 10.13 A financial institution must establish appropriate procedures to independently
review and approve system changes. The financial institution must also
establish and test contingency plans in the event of unsuccessful
implementation of material changes to minimise any business disruption.

S 10.14 Where a financial institution’s IT systems are managed by third party service
providers, the financial institution shall ensure, including through contractual
obligations, that the third party service providers provide sufficient notice to the
financial institution before any changes are undertaken that may impact the IT
systems.

8 The security considerations shall include ensuring appropriate segregation of duties throughout the
SDLC.
9 Diversity in technology may include the use of different technology architecture designs and
applications, technology platforms and network infrastructure.

S 10.15 When decommissioning critical systems, a financial institution must ensure
minimal adverse impact on customers and business operations. This includes
establishing and testing contingency plans in the event of unsuccessful system
decommissioning.

Cryptography

S 10.16 A financial institution must establish a robust and resilient cryptography policy
to promote the adoption of strong cryptographic controls for protection of important data and information. This policy, at a minimum, shall address requirements for:
(a) the adoption of industry standards for encryption algorithms, message
authentication, hash functions, digital signatures and random number generation;
(b) the adoption of robust and secure processes in managing cryptographic key lifecycles which include generation, distribution, renewal, usage, storage, recovery, revocation and destruction;
(c) the periodic review, at least every three years, of existing cryptographic
standards and algorithms in critical systems, external linked or
transactional customer-facing applications to prevent exploitation of
weakened algorithms or protocols; and
(d) the development and testing of compromise-recovery plans in the event
of a cryptographic key compromise. This must set out the escalation process, procedures for keys regeneration, interim measures, changes to business-as-usual protocols and containment strategies or options to
minimise the impact of a compromise.

S 10.17 A financial institution shall ensure clear senior-level roles and responsibilities
are assigned for the effective implementation of the cryptographic policy.

S 10.18 A financial institution must conduct due diligence and evaluate the
cryptographic controls associated with the technology used in order to protect
the confidentiality, integrity, authentication, authorisation and non-repudiation
of information. Where a financial institution does not generate its own
encryption keys, the financial institution shall undertake appropriate measures to ensure robust controls and processes are in place to manage encryption keys. Where this involves a reliance on third party assessments10, the financial
institution shall consider whether such reliance is consistent with the financial institution’s risk appetite and tolerance. A financial institution must also give
due regard to the system resources required to support the cryptographic controls and the risk of reduced network traffic visibility of data that has been encrypted.

10 For example, where the financial institution is not able to perform its own validation on embedded
cryptographic controls due to the proprietary nature of the software or confidentiality constraints.

S 10.19 A financial institution must ensure cryptographic controls are based on the
effective implementation of suitable cryptographic protocols. The protocols
shall include secret and public cryptographic key protocols, both of which shall
reflect a high degree of protection to the applicable secret or private
cryptographic keys. The selection of such protocols must be based on
recognised international standards and tested accordingly. Commensurate with the level of risk, secret cryptographic key and private cryptographic key
storage and encryption/decryption computation must be undertaken in a
protected environment, supported by a hardware security module (HSM) or trusted execution environment (TEE).

S 10.20 A financial institution shall store public cryptographic keys in a certificate issued
by a certificate authority as appropriate to the level of risk. Such certificates associated with customers shall be issued by recognised certificate authorities. The financial institution must ensure that the implementation of authentication
and signature protocols using such certificates are subject to strong protection to ensure that the use of private cryptographic keys corresponding to the user certificates are legally binding and irrefutable. The initial issuance and
subsequent renewal of such certificates must be consistent with industry best
practices and applicable legal/regulatory specifications.

Data Centre Resilience
Data Centre Infrastructure

S 10.21 A financial institution must specify the resilience and availability objectives of
its data centres which are aligned with its business needs. The network infrastructure must be designed to be resilient, secure and scalable. Potential data centre failures or disruptions must not significantly degrade the delivery of its financial services or impede its internal operations.

S 10.22 A financial institution must ensure production data centres are concurrently
maintainable. This includes ensuring that production data centres have
redundant capacity components and distribution paths serving the computer equipment.

S 10.23 In addition to the requirement in paragraph 10.22, large financial institutions
are also required to ensure recovery data centres are concurrently maintainable.

S 10.24 A financial institution shall host critical systems in a dedicated space intended
for production data centre usage. The dedicated space must be physically secured from unauthorised access and is not located in a disaster-prone area.
A financial institution must also ensure there is no single point of failure (SPOF) in the design and connectivity for critical components of the production data
centres, including hardware components, electrical utility, thermal
management and data centre infrastructure. A financial institution must also
ensure adequate maintenance, and holistic and continuous monitoring of these critical components with timely alerts on faults and indicators of potential
issues.

S 10.25 A financial institution is required to appoint a technically competent external
service provider to carry out a production data centre resilience and risk
assessment (DCRA) and set proportionate controls aligned with the financial institution’s risk appetite. The assessment must consider all major risks and determine the current level of resilience of the production data centre. A
financial institution must ensure the assessment is conducted at least once every three years or whenever there is a material change in the data centre infrastructure, whichever is earlier. The assessment shall, at a minimum, include a consideration of whether the requirements in paragraphs 10.22 to 10.24 have been adhered to. For data centres managed by third party service providers, a financial institution may rely on independent third party assurance reports provided such reliance is consistent with the financial institution’s risk appetite and tolerance, and the independent assurance has considered similar risks and meets the expectations in this paragraph for conducting the DCRA.
The designated board-level committee must deliberate the outcome of the
assessment.

Data Centre Operations

S 10.26 A financial institution must ensure its capacity needs are well-planned and
managed with due regard to business growth plans. This includes ensuring adequate system storage, central processing unit (CPU) power, memory and network bandwidth. A financial institution shall involve both the technology stakeholders and the relevant business stakeholders within the financial
institution in its development and implementation of capacity management plans.

S 10.27 A financial institution must establish real-time monitoring mechanisms to track
capacity utilisation and performance of key processes and services11. These
monitoring mechanisms shall be capable of providing timely and actionable alerts to administrators.

S 10.28 A financial institution must segregate incompatible activities in the data centre
operations environment to prevent any unauthorised activity12. In the case
where vendors’ or programmers’ access to the production environment is
necessary, these activities must be properly authorised and monitored.

S 10.29 A financial institution must establish adequate control procedures for its data
centre operations, including the deployment of relevant automated tools for
batch processing management to ensure timely and accurate batch
processes. These control procedures shall also include procedures for
implementing changes in the production system, error handling as well as
management of other exceptional conditions.

S 10.30 A financial institution is required to undertake an independent risk assessment
of its end-to-end backup storage and delivery management to ensure that
existing controls are adequate in protecting sensitive data at all times. A
financial institution must also maintain a sufficient number of backup copies of
critical data, the updated version of the operating system software, production
programs, system utilities, all master and transaction files and event logs for recovery purposes. Backup media must be stored in an environmentally secure and access-controlled backup site.

11 For example, batch runs and backup processes for the financial institution’s application systems and
infrastructure.
12 For example, system development activities must be segregated from data centre operations.

G 10.31 In regard to paragraph 10.30, a financial institution should also adopt the
controls as specified in Appendix 1 or their equivalent to secure the storage and transportation of sensitive data in removable media.

S 10.32 Where there is a reasonable expectation for immediate delivery of service to
customers or dealings with counterparties, a financial institution must ensure that the relevant critical systems are designed for high availability with a cumulative unplanned downtime affecting the interface with customers or counterparties of not more than 4 hours on a rolling 12 months basis and a
maximum tolerable downtime of 120 minutes per incident.
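Paragraph 10.32 gives two numbers that are easy to misapply: the 4-hour figure is cumulative and rolling, the 120-minute figure is per incident, and planned maintenance is outside both. The Python below, added here as an illustration and not part of the BNM text, evaluates a constructed incident history against both limits. It assumes that "rolling 12 months" means the trailing 365 days and that an outage straddling the window boundary counts only for the portion inside it; the incident records are invented.

```python
"""Added example (not BNM text): checking an outage history against the two
limits in paragraph 10.32. The 365-day window and boundary clipping are assumed
interpretations; the incident records below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CUMULATIVE_BUDGET = timedelta(hours=4)      # 10.32: not more than 4 hours, rolling 12 months
PER_INCIDENT_MTD = timedelta(minutes=120)   # 10.32: maximum tolerable downtime per incident
ROLLING_WINDOW = timedelta(days=365)        # assumed reading of "rolling 12 months"


@dataclass(frozen=True)
class Outage:
    system: str
    start: datetime
    end: datetime
    planned: bool = False   # only unplanned downtime counts against the budget


def utc_dt(*args) -> datetime:
    """Shorthand for a timezone-aware UTC datetime."""
    return datetime(*args, tzinfo=timezone.utc)


def assess(outages, as_of: datetime) -> dict:
    """Sum unplanned downtime inside the trailing window and list incidents over MTD."""
    window_start = as_of - ROLLING_WINDOW
    counted = timedelta(0)
    over_mtd = []
    for o in outages:
        if o.planned or o.end <= window_start or o.start > as_of:
            continue
        # Clip to the window so an outage that straddles the boundary only
        # contributes the part that falls inside it.
        counted += min(o.end, as_of) - max(o.start, window_start)
        if o.end - o.start > PER_INCIDENT_MTD:   # MTD is judged on the whole incident
            over_mtd.append(o)
    return {
        "cumulative_minutes": int(counted.total_seconds() // 60),
        "cumulative_breached": counted > CUMULATIVE_BUDGET,
        "incidents_over_mtd": [o.start.isoformat() for o in over_mtd],
    }


# Constructed incident history for one customer-facing system (not real data).
SAMPLE_OUTAGES = [
    Outage("internet-banking", utc_dt(2022, 3, 1, 10, 0), utc_dt(2022, 3, 1, 11, 0)),      # outside window
    Outage("internet-banking", utc_dt(2022, 5, 31, 23, 30), utc_dt(2022, 6, 1, 0, 30)),    # straddles: 30 min
    Outage("internet-banking", utc_dt(2022, 7, 10, 2, 0), utc_dt(2022, 7, 10, 3, 30)),     # 90 min
    Outage("internet-banking", utc_dt(2023, 2, 14, 9, 0), utc_dt(2023, 2, 14, 11, 10)),    # 130 min, over MTD
    Outage("internet-banking", utc_dt(2023, 4, 1, 1, 0), utc_dt(2023, 4, 1, 6, 0), planned=True),  # excluded
    Outage("internet-banking", utc_dt(2023, 5, 20, 14, 0), utc_dt(2023, 5, 20, 14, 45)),   # 45 min
]

if __name__ == "__main__":
    print(assess(SAMPLE_OUTAGES, utc_dt(2023, 6, 1)))
```

Run against the sample history the cumulative figure is 295 minutes, so the institution is over the 4-hour budget even though only one incident on its own exceeded the 120-minute limit; tracking the two measures separately is what the paragraph requires.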

BNM RMIT 2023 Part 2

PART B POLICY REQUIREMENTS

8 Governance

Responsibilities of the Board of Directors 

S 8.1 The board must establish and approve the technology risk appetite which is
aligned with the financial institution’s risk appetite statement. In doing so, the
board must approve the corresponding risk tolerances for technology-related
events and ensure key performance indicators and forward-looking risk
indicators are in place to monitor the financial institution’s technology risk
against its approved risk tolerance. The board must ensure senior
management provides regular updates on the status of these indicators
together with sufficiently detailed information on key technology risks and
critical technology operations to facilitate strategic decision-making.

S 8.2 The board must ensure and oversee the adequacy of the financial institution’s
IT and cybersecurity strategic plans covering a period of no less than three years. These plans shall address the financial institution’s requirements on infrastructure, control measures to mitigate IT and cyber risk and financial and non-financial resources, which are commensurate with the complexity of the
financial institution’s operations and changes in the risk profile as well as the
business environment. These plans shall be periodically reviewed, at least once every three years.

S 8.3 The board shall be responsible to oversee the effective implementation of a
sound and robust technology risk management framework (TRMF) and cyber resilience framework (CRF), as required to be developed under paragraphs 9.1 and 11.2, for the financial institution to ensure the continuity of operations and delivery of financial services. The TRMF is a framework to safeguard the financial institution’s information infrastructure, systems and data, whilst the CRF is a framework for ensuring the financial institution’s cyber resilience. The board must ensure that the financial institution’s TRMF and CRF remain relevant on an ongoing basis. The board must also periodically review and affirm the TRMF and CRF, at least once every three years to guide the financial institution’s management of technology risks.

S 8.4 The board must designate a board-level committee2 which shall be
responsible for supporting the board in providing oversight over technology-related matters. Among other things, the committee shall review the
technology-related frameworks including the requirements spelt out in
paragraphs 8.1 through 8.3, for the board’s approval, and ensure that risk
assessments undertaken in relation to material technology applications
submitted to the Bank are robust and comprehensive.

2 The board of a financial institution may either designate an existing board committee or establish a
separate committee for this purpose. Where such a committee is separate from the Board Risk
Committee (BRC), there must be appropriate interface between this committee and the BRC on technology risk-related matters to ensure effective oversight of all risks at the enterprise level.

G 8.5 To promote effective technology discussions at the board level, the
composition of the board and the designated board-level committee should
include at least a member with technology experience and competencies.

S 8.6 Given the rapidly evolving cyber threat landscape, the board shall allocate
sufficient time to discuss cyber risks and related issues, including the strategic
and reputational risks associated with a cyber-incident. This shall be supported
by input from external experts as appropriate. The board must also ensure its
continuous engagement in cybersecurity preparedness, education and
training.

S 8.7 The board audit committee (BAC) is responsible for ensuring the effectiveness
of the internal technology audit function. This includes ensuring the adequate competence of the audit staff to perform technology audits. The BAC shall
review and ensure appropriate audit scope, procedures and frequency of technology audits. The BAC must also ensure effective oversight over the prompt closure of corrective actions to address technology control gaps.

Responsibilities of the senior management

S 8.8 A financial institution’s senior management must translate the board-approved
TRMF and CRF into specific policies and procedures that are consistent with the approved risk appetite and risk tolerance and supported by effective reporting and escalation procedures.

S 8.9 The senior management must establish a cross-functional committee to
provide guidance on the financial institution’s technology plans and operations. The members of the committee must include senior management from both
technology functions and major business units. The committee’s
responsibilities shall include the following:
(a) oversee the formulation and effective implementation of the strategic technology plan and associated technology policies and procedures;
(b) provide timely updates to the board on key technology matters3; and
(c) approve any deviation from technology-related policies after having
carefully considered a robust assessment of related risks. Material
deviations shall be reported to the board.

S 8.10 Senior management must ensure the adequate allocation of resources to
maintain robust technology systems and appropriately skilled and competent staff to support the effective management of technology risk.

S 8.11 For large financial institutions, senior management must embed appropriate
oversight arrangements within the technology function to support the
enterprise-wide oversight of technology risk. These arrangements must
provide for designated staff responsible for the identification, assessment and
mitigation of technology risks who do not engage in day-to-day technology
operations.

3 Key technology matters include updates on critical systems’ performance, significant IT and cyber-incidents, management of technology obsolescence risk, status of patch deployment activities for critical
technology infrastructure, proposals for and progress of strategic technology projects, performance of critical technology outsourcing activities and utilisation of the technology budget.

S 8.12 For the purpose of paragraph 8.11 and all other requirements applicable to
large financial institutions under this policy document, each financial institution
shall conduct a self-assessment on whether it is a large financial institution in
accordance with the definition in paragraph 5.2. The self-assessment shall
take into account –
(a) the complexity of the financial institution’s operations, having particular regard to the interconnectedness of its operations with other financial institutions, customers and counterparties that are driven by technology;
(b) the number and size of the financial institution’s significant business lines together with its market share4 (e.g. in terms of assets, liabilities, revenue
and premiums);
(c) the number of subsidiaries, branches and agents; and
(d) other business considerations that could give rise to technology risk.

S 8.13 Notwithstanding the self-assessment in paragraph 8.12, the Bank may
designate a financial institution as a large financial institution and such
financial institutions shall comply with all requirements in this policy document
applicable to a large financial institution.

9 Technology Risk Management

S 9.1 A financial institution must ensure that the TRMF is an integral part of the
financial institution’s enterprise risk management framework (ERM).

S 9.2 The TRMF must include the following:
(a) clear definition of technology risk;
(b) clear responsibilities assigned for the management of technology risk at different levels and across functions, with appropriate governance and reporting arrangements;
(c) the identification of technology risks to which the financial institution is
exposed, including risks from the adoption of new or emerging
technology;
(d) risk classification of all information assets/systems based on its criticality;
(e) risk measurement and assessment approaches and methodologies;
(f) risk controls and mitigations; and
(g) continuous monitoring to timely detect and address any material risks.

S 9.3 A financial institution must establish an independent enterprise-wide
technology risk management function which is responsible for —
(a) implementing the TRMF and CRF;
(b) advising on critical technology projects and ensuring critical issues that
may have an impact on the financial institution’s risk tolerance are
adequately deliberated or escalated in a timely manner; and
(c) providing independent views to the board and senior management on
third party assessments5, where necessary.

4 Size is an indicator of the potential systemic impact that any failure or breach of the financial institution’s
IT systems may have on the broader financial system. When determining the significance of its size, the
financial institution shall consider the extent to which the broader market segment may be unable to
access relevant financial services in the event of a disruption to its systems. It should also consider the
extent to which the operations of other institutions may be disrupted due to a reliance on services
provided by the financial institution that may not be immediately substitutable.

S 9.4 A financial institution must designate a Chief Information Security Officer
(CISO), by whatever name called, to be responsible for the technology risk
management function of the financial institution. The financial institution must ensure that the CISO has sufficient authority, independence and resources6.
The CISO shall —
(a) be independent from day-to-day technology operations;
(b) keep apprised of current and emerging technology risks which could
potentially affect the financial institution’s risk profile; and
(c) be appropriately certified.

S 9.5 The CISO is responsible for ensuring the financial institution’s information
assets and technologies are adequately protected, which includes —
(a) formulating appropriate policies for the effective implementation of TRMF and CRF;
(b) enforcing compliance with these policies, frameworks and other
technology-related regulatory requirements; and
(c) advising senior management on technology risk and security matters, including developments in the financial institution’s technology security
risk profile in relation to its business and operations.

10 Technology Operations Management

Technology Project Management

S 10.1 A financial institution must establish appropriate governance requirements
commensurate with the risk and complexity7 of technology projects
undertaken. This shall include project oversight roles and responsibilities,
authority and reporting structures, and risk assessments throughout the
project life cycle.

S 10.2 The risk assessments shall identify and address the key risks arising from the
implementation of technology projects. These include the risks that could
threaten successful project implementation and the risks that a project failure
will lead to a broader impact on the financial institution’s operational
capabilities. At a minimum, due regard shall be given to the following areas:
(a) the adequacy and competency of resources including those of the vendor
to effectively implement the project. This shall also take into consideration
the number, size and duration of significant technology projects already
undertaken concurrently by the financial institution;
(b) the complexity of systems to be implemented such as the use of unproven
or unfamiliar technology and the corresponding risks of integrating the
new technology into existing systems, managing multiple vendor-proprietary technologies, large-scale data migration or cleansing efforts
and extensive system customisation;
(c) the adequacy and configuration of security controls throughout the project
life cycle to mitigate cybersecurity breaches or exposure of confidential
data;
(d) the comprehensiveness of the user requirement specifications to mitigate
risks from extensive changes in project scope or deficiencies in meeting
business needs;
(e) the robustness of system and user testing strategies to reduce risks of undiscovered system faults and functionality errors;
(f) the appropriateness of system deployment and fallback strategies to
mitigate risks from prolonged system stability issues; and
(g) the adequacy of disaster recovery operational readiness following the

5 Relevant third party assessments may include the Data Centre Risk Assessment (DCRA), Network
Resilience and Risk Assessment (NRA) and independent assurance for introduction of new or enhanced
digital services.
6 A financial institution’s CISO may take guidance from the expertise of a group-level CISO, in or outside
of Malaysia, and may also hold other roles and responsibilities. Such designated CISO shall be
accountable for and serve as the point of contact with the Bank on the financial institution’s technology-related matters, including managing entity-specific risks, supporting prompt incident response and
reporting to the financial institution’s board.
7 For example, large-scale integration projects or those involving critical systems should be subject to
more stringent project governance requirements such as more frequent reporting to the board and senior management, more experienced project managers and sponsors, more frequent milestone reviews and
independent quality assurance at major project approval stages.

implementation of new or enhanced systems .

S 10.3  The board and senior management must receive and review timely reports on

the management of these risks on an ongoing basis throughout the

implementation of significant projects. 


BNM RMIT 2023 Part 1

Risk Management in Technology (RMiT)

Applicable to:

1. Licensed banks, including licensed digital banks

2. Licensed investment banks

3. Licensed Islamic banks, including licensed Islamic digital banks

4. Licensed insurers including professional reinsurers

5. Licensed takaful operators including professional retakaful operators

6. Prescribed development financial institutions

7. Approved issuers of electronic money

8. Operator of a designated payment system

Issued on: 01 June 2023 BNM/RH/PD 028-98

TABLE OF CONTENTS

1 Introduction …………………………………… 3
2 Applicability …………………………………… 3
3 Legal provision …………………………………… 3
4 Effective date …………………………………… 4
5 Interpretation …………………………………… 4
6 Related legal instruments and policy documents …………………………………… 6
7 Policy documents and circulars superseded …………………………………… 6
PART B POLICY REQUIREMENTS …………………………………… 8
8 Governance …………………………………… 8
9 Technology Risk Management …………………………………… 10
10 Technology Operations Management …………………………………… 11
11 Cybersecurity Management …………………………………… 25
12 Technology Audit …………………………………… 31
13 Internal Awareness and Training …………………………………… 31
PART C REGULATORY PROCESS …………………………………… 32
14 Notification for Technology-Related Applications …………………………………… 32
15 Consultation and Notification related to Cloud Services …………………………………… 34
16 Assessment and Gap Analysis …………………………………… 35
APPENDICES …………………………………… 36
Appendix 1 Storage and Transportation of Sensitive Data in Removable Media …………………………………… 36
Appendix 2 Control Measures on Self-service Terminals (SST) …………………………………… 37
Appendix 3 Control Measures on Internet Banking …………………………………… 40
Appendix 4 Control Measures on Mobile Application and Devices …………………………………… 41
Appendix 5 Control Measures on Cybersecurity …………………………………… 42
Appendix 6 Positive List for Enhancements to Electronic Banking, Internet Insurance and Internet Takaful Services …………………………………… 43
Appendix 7 Risk Assessment Report …………………………………… 47
Appendix 8 Format of Confirmation …………………………………… 49
Appendix 9 Supervisory Expectations on External Party Assurance …………………………………… 50
Appendix 10 Key Risks and Control Measures for Cloud Services …………………………………… 52

PART A OVERVIEW

1           Introduction

1.1 Technology risk refers to risks emanating from the use of information technology (IT) and the Internet. These risks arise from failures or breaches of IT systems, applications, platforms or infrastructure, which could result in financial loss, disruptions in financial services or operations, or reputational harm to a financial institution.

1.2 With the more prevalent use of technology in the provision of financial services, there is a need for financial institutions to strengthen their technology resilience against operational disruptions to maintain confidence in the financial system. The growing sophistication of cyber threats also calls for the increased vigilance and capability of financial institutions to respond to emerging threats. Critically, this should ensure the continuous availability of essential financial services to customers and adequate protection of customer data.

1.3 This policy document sets out the Bank’s requirements with regard to financial institutions’ management of technology risk. In complying with these requirements, a financial institution shall have regard to the size and complexity of its operations. Accordingly, larger and more complex financial institutions are expected to demonstrate risk management practices and controls that are commensurate with the increased technology risk exposure of the institution. In addition, all financial institutions shall observe minimum prescribed standards in this policy document to prevent the exploitation of weak links in interconnected networks and systems that may cause detriment to other financial institutions and the wider financial system. The control measures set out in Appendices 1 to 5 and Appendix 10 serve as a guide for sound practices in defined areas. Financial institutions should be prepared to explain alternative risk management practices that depart from the control measures outlined in the Appendices and demonstrate their effectiveness in addressing the financial institution’s technology risk exposure.

2           Applicability 

2.1 This policy document is applicable to all financial institutions as defined in paragraph 5.2.

3          Legal provision

3.1 The requirements in this policy document are specified pursuant to—

(a) Sections 47(1) and 143(2) of the Financial Services Act 2013 (FSA);

(b) Sections 57(1) and 155(2) of the Islamic Financial Services Act 2013 (IFSA); and

(c) Sections 41(1) and 116(1) of the Development Financial Institutions Act 2002 (DFIA).

3.2 The guidance in this policy document is issued pursuant to section 266 of the FSA, section 277 of the IFSA and section 126 of the DFIA.

4           Effective date 

4.1 This policy document comes into effect on 1 June 2023 except for paragraph 10.50, paragraph 15 and Appendix 10 which come into effect on the corresponding dates in respect of the relevant financial institutions other than a licensed digital bank or licensed Islamic digital bank as set out below:

(a) 1 June 2024 in respect of financial institutions which have already adopted public cloud for critical systems prior to the issuance date of this policy document. However, if any of the terms of the financial institution’s existing contracts with the cloud service providers are not in accordance with the provisions of Appendix 10, the financial institutions may make the necessary amendments or modifications during the next renewal of the relevant contracts with the cloud service providers, i.e., after the effective date of the relevant provisions in this policy document in respect of the financial institution; and

(b) 1 June 2024 in respect of financial institutions which have not adopted public cloud for critical systems prior to the issuance date of this policy document.

4.2 This policy document comes into effect on 1 June 2023 in respect of a licensed digital bank or licensed Islamic digital bank.

5          Interpretation 

5.1 The terms and expressions used in this policy document shall have the same meanings assigned to them in the FSA, IFSA or DFIA, as the case may be, unless otherwise defined in this policy document.

5.2 For purposes of this policy document –

“S” denotes a standard, an obligation, a requirement, specification, direction, condition and any interpretative, supplemental and transitional provisions that must be complied with. Non-compliance may result in enforcement action;

“G” denotes guidance which may consist of statements or information intended to promote common understanding and advice or recommendations that are encouraged to be adopted;

“board” refers to the board of directors of a financial institution, including any committee carrying out any of the responsibilities of the board under this policy document;

“critical system” refers to any application system that supports the provision of critical banking, insurance or payment services, where failure of the system has the potential to significantly impair the financial institution’s provision of financial services to customers or counterparties, business operations, financial position, reputation, or compliance with applicable laws and regulatory requirements;

“customer and counterparty information” refers to any information relating to the affairs or, in particular, the account, of any customer or counterparty of a financial institution in whatever form;

“cyber resilience” refers to the ability of people, processes, IT systems, applications, platforms or infrastructures to withstand adverse cyber events;

“cyber risk” refers to threats or vulnerabilities emanating from the connectivity of internal technology infrastructure to external networks or the Internet;

“digital services” refers to the provision of payment, banking, Islamic banking, insurance or takaful services delivered to customers via electronic channels and devices including Internet and mobile devices, self-service and point-of-sale terminals;

“financial institution” refers to –

(a) a licensed person under the FSA and the IFSA (excluding branches of a foreign professional reinsurer and a professional retakaful operator);

(b) a prescribed institution under the DFIA;

(c) an eligible issuer of e-money as defined in the policy document on Interoperable Credit Transfer Framework¹; and

(d) an operator of a designated payment system;

“large financial institution” refers to –

(a) a financial institution with one or more business lines that are significant in terms of market share in the relevant industry; or

(b) a financial institution with a large network of offices within or outside Malaysia through operations of branches and subsidiaries;

“material technology projects” refers to projects which involve critical systems, the delivery of essential services to customers or counterparties, or compliance with regulatory requirements;

“OTP or one-time password” refers to an alphanumeric or numeric code represented by a minimum of 6 characters or digits which is valid only for single use;

“public cloud” refers to a fully virtualised environment in which a service provider makes resources such as platforms, applications or storage available to the public over the Internet via a logically separated multi-tenant architecture;

“production data centre” refers to any facility which hosts active critical production application systems irrespective of location;

“recovery data centre” refers to a facility that a financial institution plans to activate to recover and restore its IT applications and operations upon failure of its production data centre irrespective of location;

“senior management” refers to the Chief Executive Officer (CEO) and senior officers;

“third party service provider” refers to an internal group affiliate or external entity providing technology-related functions or services that involve the transmission, processing, storage or handling of confidential information pertaining to the financial institution or its customers. This includes cloud computing software, platform and infrastructure service providers;

“cloud service provider” refers to a third party service provider who provides cloud services to financial institutions.

1 For ease of reference, an “eligible issuer of e-money” is defined as an approved issuer of electronic money with substantial market presence based on the criteria set out in Appendix 1 of the policy document on Interoperable Credit Transfer Framework.

6          Related legal instruments and policy documents 

6.1 This policy document must be read together with any relevant legal instruments, policy documents, guidelines etc. issued by the Bank, including any amendments and reissuances thereafter, in particular —

(a) Policy Document on Risk Governance issued on 1 March 2013;

(b) Policy Document on Compliance issued on 10 May 2016;

(c) Policy Document on Outsourcing issued on 23 October 2019;

(d) Policy Document on Operational Risk issued on 10 May 2016;

(e) Policy Document on Operational Risk Reporting Requirement – Operational Risk Integrated Online Network (ORION) issued on 25 February 2021;

(f) Policy Document on Introduction of New Products issued on 7 March 2014;

(g) Policy Document on Interoperable Credit Transfer Framework issued on 23 December 2019;

(h) Policy Document on Business Continuity Management issued on 19 December 2022;

(i) Provisions under paragraphs 21, 22 and 26 of the Guidelines on the Provision of Electronic Banking (e-banking) Services by Financial Institutions issued on 30 March 2010;

(j) Guidelines on Data Management and MIS Framework issued on 23 October 2008; and

(k) Guidelines on Data Management and MIS Framework for Development Financial Institutions issued on 5 November 2012.

7          Policy documents and circulars superseded 

7.1 This policy document supersedes the following circulars, guidelines and policy documents:

(a) Guidelines on Management of IT Environment (GPIS 1) issued in May 2004;

(b) Circular on Prior Notification by Licensed Institutions for External System Interfaces issued on 22 November 2010;

(c) Preparedness against Distributed Denial of Service Attack issued on 17 October 2011;

(d) Managing Inherent Risk of Internet Banking Kiosks issued on 5 December 2011;

(e) Circular on Managing Risks of Malware Attacks on Automated Teller Machine (ATM) issued on 3 October 2014;

(f) Managing Cyber Risk Circular issued on 31 July 2015;

(g) Managing Cyber Risks on Remote Desktop Protocol Circular issued on 20 July 2016;

(h) Revocation of Prior Notification by Licensed Institutions for External System Interfaces issued on 1 June 2017;

(i) Guidelines on the Provision of Electronic Banking (e-banking) Services by Financial Institutions, except for the provisions under paragraphs 21, 22 and 26 issued on 18 Nov 2019;

(j) Circular on Internet Takaful issued on 10 Jan 2019;

(k) Letter to CEO dated 31 October 2017 entitled “Immediate Measures for Managing identification of Counterfeit Malaysian Currency Notes at Deposit-Accepting Self Service Terminals (SST)”;

(l) Letter to CEO dated 7 November 2017 entitled “Guidelines on the Provision of Electronic Banking (e-banking) Services by Financial Institutions (“Guidelines”) – Specification Pursuant to the Financial Services Act 2013 (“FSA”), Islamic Financial Services Act 2013 (“IFSA”) and Development Financial Institutions Act 2002 (“DFIA”)”;

(m) Letter to CEO dated 10 November 2017 entitled “Storage and Transportation of Sensitive Data in Removable Media”;

(n) Letter to CEO dated 17 May 2018 entitled “Guidelines on Internet Insurance (Consolidated) (“Guidelines”) and Circular on Internet Takaful (“the Circular”) – Specification Pursuant to the Financial Services Act 2013 (“FSA”) and Islamic Financial Services Act 2013 (“IFSA”)”;

(o) Letter to CEO dated 11 December 2018 entitled “Leveraging on cloud services and upliftment of mobile banking condition”;

(p) Guidelines on Internet Insurance (Consolidated) issued on 10 January 2019;

(q) Letter to CEO dated 18 November 2019 entitled “Guidelines on the Provision of Electronic Banking (e-banking) Services by Financial Institutions, Guidelines on Internet Insurance (Consolidated), Circular on Internet Takaful – Specification Pursuant to the Financial Services Act 2013 (“FSA”), Islamic Financial Services Act 2013 (“IFSA”) and the Development Financial Institutions Act 2002 (“DFIA”)”; and

(r) Policy Document on Risk Management in Technology (RMiT) issued on 1 January 2020 except for paragraphs 10.49, 10.50, 10.51 and 10.52 which shall remain applicable until 31 May 2024 in respect of financial institutions described in paragraph 4.1(a) and (b).


Example

CHAPTER 1: THE SENATORS
“Grow.”
Heat pulsed from Her body, seeping into the ground beneath Her. Everything around
Her was warm—the dry summer air, the harsh rays of the sun—but nothing
compared to the light within Her. She was always warm. She couldn’t escape it.
“Be alive. Be well.” She breathed in. “Grow.”
As Her light poured into the dirt, She sifted Her fingers through the grass, taking in its
response—vitality. A soupy blackness lingered deep underground, waiting to snake its
way to the surface.
“Settle down now. Back to where you came from.”
A pounding sounded at the door far behind Her. “Leila?” Delphi called out.
Leila sighed. “I’m busy.”
“Everyone’s waiting for You. Have You forgotten Your meeting?”
“I’m blessing the realm,” She shouted.
“Then bless it quickly.”
She groaned. “Give Me a moment.”
One last pulse of light, and She propped Herself upright. A sea of color stretched
ahead—an elaborate garden filled with manicured trees, mosaicked pots, and flowers
of all kinds. Wiping the grass from Her naked body, She hopped to Her feet and
headed up the steps, past the white pillars and black velvet curtains, and into Her
bedchamber.
A stately bed with crimson throws, tall walls lined in gold molding, speckled tiles along
the floor. Hers was the most lavish chamber in the palace, certainly the only one with
a private garden. She threw open Her wardrobe and pulled on a lavender dress, its
braided straps settling on Her shoulders, the neckline hanging low between Her
breasts, then tied a pair of tanned leather sandals onto Her feet. Sticking Her leg out
from one of the slits in Her dress, She buckled a blade to Her thigh—the final piece of
Her ensemble, one She never went without.
Leila closed the mirrored doors of Her wardrobe and studied Her reflection, combing
Her locks into place. Two other faces reflected back at Her—a woman with strawberry
blonde hair and icy eyes, another with hair like ink and a sable gaze.
Leila cracked a smile. “Hello, Mothers.”
She bounded through the chamber door, met with a pair of blue-green eyes.
“Good morning!”
Pippa threw her arms around Her, knocking Her off balance. Leila pulled back, patting
down the flyaways of Pippa’s blonde hair and giving her pale cheeks a pinch. Delphi
stood at her side, her long black braids hanging over the front of her shoulders. God,
she looked so much like her mother, especially those sable eyes.
“Took You long enough,” she scoffed.
Taking Pippa’s hand, Leila nodded at the corridor ahead. “Walk and talk?”
The three sisters made their way through the palace. Marble busts lined the walls,
stained glass windows cast rainbows along the floor, and vaulted ceilings loomed high
overhead, rendering them mere specks amid the majesty. The palace was as grand as
it was vast, its enormity eclipsed only by the fortress surrounding it; gardens and
vineyards peppered the royal dwellings, encircled by a tall stone wall. Beyond it lay
Thessen, the realm Leila was to govern and rule.
The realm She had never seen.
The girls headed into the heart of the palace. Servants bowed, but Leila paid them
little mind, occupied with more pressing thoughts.
Delphi squeezed Her arm. “You know what You’re going to say?”
“Every word,” Leila whispered.
“Really sell it. Lay it on nice and thick.”
Leila snorted. “I know what I’m doing.”
“You can’t fault my worry. Weakness has never been Your strong suit.”
“I’m not going with weakness. I’m going with anger.”
Delphi’s eyes lit up. “Oh. Much better. That’s completely in character, they’ll never
suspect a thing.”
Another woman wafted their way, and every male gaze in sight followed. Cosima—
Leila’s third and final sister, arguably the most enchanting. Pippa had delicate
features and wide-set eyes, while Delphi was a vision of regality with rich brown skin
and elegant curves. But Cosima commanded attention in every room she entered—
her skin was like porcelain, her eyes apple-green, and her hair came down in fiery red
waves, landing just shy of her full, enviable breasts. A dazzling smile sprang to her
lips, and Leila could’ve sworn the room became brighter.
“Good morning, doves.” Cosima nestled alongside them. “What are we whispering
about?”
“The meeting,” Delphi said. “She’s on Her way.”
“Ah, yes. How exciting.”
The atrium opened up ahead—the largest, most lavish room in the palace, but today
it was a cluttered mess. Baskets of ribbons were strewn across the massive dining
table, and servants zigzagged through the space, wrapping garlands around the
marble columns and hanging stars from the chandeliers.
“For Your birthday tomorrow,” Cosima said.
Her voice hardly registered. Leila stopped in Her tracks, eyes locked on the opposite
end of the room where a man stood reading over a scroll. “Who is that?”
Delphi followed the path of Her gaze and shrugged. “Some guard.”
He was surely more god than guard, miles tall with sculpted arms. Shaggy, golden-blond hair danced across his brow, catching the light of the sun like a halo. It was rare
to see young men in the palace, especially men who were this striking.
“I’ve never seen him before,” Leila said. “I mean… I’m certain I’ve never seen him
before.”
“Oh, that’s Asher.” Cosima leaned in closer, speaking in hushed tones. “He’s new—
recruited from the border, just took his vow yesterday. You know how your father is:
more soldiers, more guards.” Cosima eyed the man over. “Divine, isn’t he?”
Asher. He gnawed at his bottom lip, focused on whatever he was reading, and a
tremor ran through Leila. God, if I could be that lip.
Cosima chuckled. “You little minx, look at You! You’re flushed!”
Leila scowled. “I most certainly am not.”
“Oh stop it, no one can blame You. The man’s a work of art.” She eyed him up and
down. “He’s lovely too. Would You like to meet him?”
“What?” Leila snapped. “No. Definitely not.”
“We haven’t the time,” Delphi said.
“Nonsense.” Cosima grabbed Leila’s wrist. “Asher, dove, look who I’ve found!”
Leila’s eyes widened. “Cosima—”
Cosima ignored Her, dragging Her down the corridor. “Asher, have you had the
pleasure of meeting Leila?”
Asher glanced between the two women. “No, I don’t believe so.”
Leila’s throat caught. Tan skin, broad shoulders, and honey-brown eyes gazing
straight into Hers. Say something. She mustered a smile. “Hello.”
An infinite silence followed. Cosima let out a laugh. “Well, don’t be rude, shake his
hand.”
She shoved Leila, sending Her staggering over the polished tiles, straight into a
stretch of sunlight.
Oh, shit.
The glaring heat beat down on Her, and in turn every exposed inch of Her flesh was
radiant.
Glowing.
“Oh my God.” Asher stumbled backward. “You’re…”
The words never came. His eyes rolled into the back of his skull, and he collapsed to
the floor with a hard smack.
Gasps sounded across the atrium, and Leila cringed. Not again.
“Oh dear, I hadn’t anticipated that,” Cosima murmured.
Servants circled, gaping at the glowing woman and the man sprawled at Her feet.
How many times must this happen before it stops being humiliating?
“Should we get a healer?” A servant said. “I can summon Diccus—”
“No, it’s all right.” Leila squatted beside the fallen guard. “I’ll take care of it.”
Delphi sighed. “Your meeting…”
“I’ll take care of it.” Leila looked her hard in the eye. “This is My duty.”
She turned to Asher, pulling his eyelid open only for it to snap shut. Out like a snuffed
torch. Tilting his head, She combed through his golden mane—no blood, no cracked
skull. Blips of pain stung Her fingertips, traveling from his battered head to Her hand.
Concussed. An easy fix. She planted Her palm on his forehead.
“Rouse his senses,” She whispered. “Ease the ache. Bring him back.”
Her hand went from warm to hot, burning in a way She was accustomed to. Light
flooded from Her touch, flowing through him in waves, and the traces of his pain
began to fade.
Asher stirred, and Leila dropped Her palm, revealing a bright white handprint
beaming from his forehead.
“What is…?” He winced. “What happened?” His eyes fluttered open, settling on the
woman hovering over him.
Still Leila. Still glowing.
“Oh my God,” he said. “You’re… You’re—”
“The Savior.” Cosima jutted her head into his line of sight. “The holy gift of Thessen.
She’s blessed you with Her divine light. Isn’t that marvelous?”
Asher stared up at Leila in shock, then scrambled along the floor, kneeling before Her.
“Apologies, Your Holiness—”
She stood. “It’s Leila.”
“I didn’t mean to…” He wrinkled his nose. “Did I faint?”
“Yes, you did. It’s quite common, actually—”
“How unseemly. Please forgive my weakness, I meant no offense.”
“You don’t have to—”
“It’s an honor to serve You, Your Holiness,” he said. “I took an oath to devote my life to
Your safety and to the safety of Your palace. My body is Your shield.”
My body is Your shield. She could think of better uses for it. “That’s nice,” She
muttered.
Asher rose to his feet, staring at Her with a look of awe. Of disconnect. “Apologies for
my lack of decorum. I am humbled to have met You, Your Holiness.”
A frown fought its way across Her face. “Please, call Me Leila.”
“Of course, Your Holiness. Good day, Your Holiness.”
He shuffled off, ignorant to the bright white eyesore on his forehead.
“He’s nice,” Pippa said. “We should keep him.”
Cosima chuckled. “Well, You created quite a scene, didn’t You?”
“Yes, She did.” Delphi scowled. “Who could’ve possibly predicted such a thing?”
Cosima ignored her, sighing. “Leila, if I’ve told You once, I’ve told You a thousand
times: If You want a man’s affection, You mustn’t be so intimidating.”
“I wasn’t seeking his affection,” Leila spat. “I was simply introducing myself.”
“You’re sure? You seemed rather taken. At least until, You know…” Cosima’s gaze
traveled to the spot where Asher fell. “Boom.”
“You’re wrong.”
“Well, You would know best.” Smiling, Cosima cupped Leila’s cheeks. “You look
beautiful, by the way. My sweet sister. Such a gift, You are.”
She flitted off, leaving Leila glowing on the outside, muted within. A gift. Many made
such claims—that Leila was divine, that Her light was a gift from God—but in
moments like these, being The Savior was more burden than blessing.
Leila wasn’t the only Savior to have graced the realm. The first was born centuries ago
during a time of plague, a beacon of hope with striking eyes and ivory skin that
glowed the moment it caught the sun. The light of Her body was strong enough to
leave a person faint, but its true power manifested in the realm around Her. Desert
lands flourished, crops sprouting from the arid sands, and the people were healed,
free of disease and suffering. With this girl’s birth came a cleansing, and the people
gave to Her the title She had earned: Her Holiness, Ruler of Thessen.
Their Savior.
As the realm grew in prosperity, so did the royal line. The Savior birthed a daughter of
equal power, who birthed a daughter as well, and each girl was welcomed with a
beautiful fortress, loyal servants, and a court of sisters elected to grow alongside Her.
The bloodline thrived, a succession of rulers with celestial flesh, piercing eyes, and an
array of magical gifts, namely Their divine, healing light.
Like the Saviors before Her, Leila made the palace Her home, was bathed in riches,
was appointed three sisters, Her faithful court. Still, Her reign was unique. She was
the first to remain hidden within Her fortress. She was the first to be a mystery to Her
people.
She was the first birthed from a corpse.
Delphi poked into Leila’s line of vision, nodding at the path Cosima had taken. “She
did that on purpose, You know.”
Leila shook the debacle from Her mind. “We have more important concerns.”
The women continued through the palace, stopping just shy of a large black door.
Delphi turned toward Her. “You’re sure You’re prepared?”
“I am.”
“Me too!” Pippa said.
Leila sighed. “Little duckling, I know you want to come along, but this meeting is just
for The Savior. You understand, yes?”
Pippa pouted. “All right.”
Delphi grabbed Leila’s hands, squeezing them. “For Your realm.”
Leila nodded. “For Mother.”
She opened the door and headed inside.
Stark white walls, pitch-black floor, a domed ceiling—everything about the Senate
room was severe. A map of the realm covered one of the walls, and a large, round
table loomed ahead, encircled by nine men.
I hate you.
“Leila.” The man seated across from Her scowled. “How kind of You to finally join us.”
Her eyes bore through him—the red drape across his bare chest, the glower on his
face.
Brontes. She hated him most of all.
Leila made Her way to the table, not once breaking his gaze. Their hair was the same
deep brown, just shy of black, but Leila’s was long and sleek, while Brontes’s was
flecked with grey. Brontes was large and brawny with bronze skin, while Leila had
always been small and slender, Her skin ghostly in the shade, aglow in the sun. Then
there were the eyes; Leila’s were amber-gold in the shadows, but in the light they
were wild flames. Brontes’s didn’t look anything like that, and he only had the one, his
left socket hidden behind a thick black patch.
My nose is different. I have that freckle above my cheek. Never mind She had his full
lips, that Her cheekbones sat high just as his did. Leila always looked for differences.
Anything that told Her She was nothing like him.
She tore Her gaze from Brontes, eyeing the other men. Phanes. Erebus. Qar. The
palace Senators, eight in total—and several empty seats.
“No Toma, I see?” She said. “Are we to start without him?”
“He’s been missing for three days,” Brontes muttered.
“Is that right? Another man gone? Well, we’re better off for it. I never cared much for
him anyway.” She took Her seat. “Shall we begin?”
Brontes grumbled under his breath, “Who calls this meeting?”
“I do,” Leila said.
“Second,” Kastor added.
“First order of business: your retirement.” Leila clasped Her hands together.
“Tomorrow’s My twentieth birthday. I’m of age. I haven’t a need for you any longer.”
The men glanced at one another, silent. Simon cleared his throat. “Your Holiness, with
all due respect, we’ve discussed this at length many times over. The position we hold
is binding.”
“And I’ve told you at length that come My twentieth birthday, I will be severing
whatever it is that binds us together,” Leila said.
“Your Holiness, the law states we are to serve You indefinitely.”
“The law you yourselves have written. How convenient.”
Another man, his tawny skin weathered with age, offered a smile. “Your Holiness,
allow me to speak on behalf of the others when I say we understand Your opposition.
You are a grown woman, and what a woman You’ve become.” He glanced at Brontes,
bowing his head. “But Your father, our righteous Sovereign, nominated us for a
reason. The burden You carry is heavy. It is our duty to lighten it, for no purpose other
than to benefit our One True Savior.”
Gelanor—the Vault Keeper, easily the most well-spoken Senator of the bunch. The
king of discourse. The master of bullshit.
“Your mother, God rest Her soul, was to teach You the art of governing,” Gelanor said.
“And as She is not here with us—a very sad turn of events indeed—we have taken it
upon ourselves to aid Your hand.”
Leila’s lips pursed. Bullshit.
“So alas, in Your mother’s departure, You have inherited this merry lot.” He opened
his arms wide. “Consider us Your surrogates.”
Leila let out a laugh. “My surrogates? Is that right? Tell Me, are you going to whip out
your tit and have Me suck it dry, Mother?”
“Leila, You vulgar shit, still Your tongue,” Brontes snapped.
“I will not sit tolerantly while you lie to My face under the guise of duty. Tomorrow, I
am of age. I demand My crown.”
“For God’s sake, You have a crown,” he scoffed. “You have a whole collection.”
“It is My purpose to govern. It is My birthright to lead—”
“You’re not governing Thessen. Not now, not ever.”
“Why?”
“Because You’re incapable,” he spat. “This outburst of Yours has proven that.”
Leila glared at Her father, wishing Her eyes would tear through him.
“Who motions to keep the law as it stands?” he said.
“I do.”
“Second.”
Brontes cast Leila a glower. “The law remains.”
She looked away, unable to stomach his gaze any longer. “Well then, it seems you all
can continue to handle Thessen’s affairs, and I will continue to do absolutely nothing.
How free I feel, with My burdens lifted. They seem nonexistent, in fact.”
An old, round Senator with plump, pink cheeks and unkempt white hair cut in. “Oh,
that’s not true, Your Holiness. Your duties are vast.” He fiddled nervously with his
sapphire drape. “Why, You bless the realm each day. Such a taxing process, I’m sure.
The realm is eternally grateful.”
Wembleton. The Master of Ceremonies. Another ass.
“Second order of business: the Sovereign’s Tournament.” Leila crossed Her arms.
“That won’t be happening.”
Brontes groaned. “For the love of God…”
Wembleton’s face dropped. “Your Holiness, it’s tradition.”
“Isn’t tradition ours to break?” Leila said. “After all, we’re not following the tradition of
having The Savior lead Her realm. We’re not following the tradition of allowing The
Savior to leave Her fortress—”
Gelanor gasped. “Your mother was murdered in the streets of Thessen. Surely You
must know we keep You here for Your own safety.”
Leila resisted the urge to roll Her eyes. “With all these traditions abandoned, what’s
one more? Why not break tradition and nullify My tournament?”
“My tournament,” Brontes said. “It’s called the Sovereign’s Tournament, is it not?”
“Yes, to find My husband.” Leila shrugged. “Something I’m not particularly interested
in.”
Wembleton shook his head. “Your Holiness, You say that now, but when You meet
these men, I assure You—”
“Perhaps I’m not interested in men at all. Maybe I like women. Developed a taste for
cunt and tits.”
“Enough!” Brontes slammed his fist against the table. “You are out of line!”
“The Sovereign’s Tournament is a disgrace to Thessen. A bloodbath passed as
spectacle, turns men into animals and The Savior into a prize. I will not have it—”
“You will if I say so.”
“I am The Savior. My word—”
“Means nothing,” Brontes hissed. “Haven’t You learned, precious daughter? You hold
no power. So be as insufferable as You’d like, but know it accomplishes nothing, same
as always.”
The room fell silent, all eyes on Leila.
“Tomorrow is Your birthday. The next day is the pool, and the day that follows will
mark the start of the Sovereign’s Tournament as planned.” Brontes leaned forward.
“And You will shut Your mouth and take it, do You understand me?”
I hate you. The words took shape in Her throat, begging for release.
“See? Isn’t that so much better than Your ranting?” Brontes glanced around the table.
“Who motions to end today’s meeting?”
“I do.”
“Second.”
“Today’s Senate meeting is terminated.” Brontes flashed one last look of disdain
Leila’s way. “And what a waste of time it was.”
The room filled with mutterings, some about Leila’s candor, though most of it was
riddled with those three heinous words: the Sovereign’s Tournament. Thirty days of
violence, all in the search of Leila’s Champion. My husband.
“Your Holiness?”
A lean man with wrinkled copper skin, black-and-white hair balding at the crown, and
a hooked nose hovered beside Her. “A word alone? To solidify terms for the
tournament.”
Romulus. Frowning, She mumbled under Her breath, “Fine.”
The others filed from the room. Romulus trudged to the door, shutting it before
turning Her way. “And what exactly was the point of all that?”
“I have My reasons,” She muttered.
“They think You’re weak now. Helpless, even.”
“Then it seems My meeting served its purpose.”
He faltered. “You have a plan.”
Leila didn’t bother responding, studying the ends of Her hair. “What of the
tournament?”
“It is as You suspected. Brontes moves against You.”
“Against Me how?”
“You know how. He’s already taken Your power. But he wants the glory, always has.
The people only worship him if You’re gone.”
A weight dropped in Her gut. “He’s made the call. I am to die.”
“The Sovereign’s Tournament will mark Your assassination.”
She sat calm and stoic, but rage bellowed within Her, screaming for action.
“The Senate?”
“All complicit,” he said. “The guards, the soldiers—they know nothing of his plan, but
they are loyal to Your father. They will aid him, knowingly or not.”
“By what means?”
“Pardon?”
“The assassination. What is his strategy? How am I to be killed?”
Romulus wavered. “I don’t know.”
“You lie to Me.”
“He scatters the information. No one man knows everything, it’s how he retains his
control.”
Leila bit down on Her lip. “Give Me a name.”
“Your Holiness—”
“A name.”
Romulus tensed. “Gelanor.”
“The Vault Keeper.”
“He’s met with Brontes several times recently. There’s been discussion of a large
transfer of funds. He’ll know the most of anyone.”
“And that slow trickle?”
“Still nothing,” Romulus said. “No one knows where the coin is going.”
Leila sat still, sorting through the mess in Her mind. “The tournament is to have a
Proctor, yes? Someone who oversees the competitors?” Romulus nodded, and Her
eyes narrowed. “You will be that Proctor. Make it so.”
“I doubt I’ll be his choice—”
“Make it so.”
Romulus’s nostrils flared. “Yes, Your Holiness.”
Leila rose from Her seat, making Her way to the door. “Well then, I suppose I have to
pay Gelanor a visit.”
“A brief request that I imagine will fall on deaf ears,” Romulus called out behind Her.
“Consider mercy for these men.”
“Mercy? For the men who plan My assassination?”
“They’re foolish. Influenced by greed. And they greatly fear Your father.”
“You’re right. They are foolish. They fear the wrong person.” Her hands curled into
fists. “No mercy. If they want blood, I will give it to them.”
She threw open the door and was met with two faces—one wearing a wild grin, the
other fierce and focused. Leila glanced between Pippa and Delphi, gesturing at the
corridor ahead. “Walk and talk.”
The two hurried alongside Her, Pippa taking Her hand while Delphi leaned over Her
shoulder. “How’d it go?”
“As expected,” Leila said.
“What now?”
Leila looked her in the eye. “Gelanor.”
“Gelanor.” Pippa giggled. “He’s fat.”
“Pippa, it’s not polite to tease people for their shapes and sizes.” Leila turned to
Delphi. “I’m going now.”
“You think he’ll be there already?” Delphi said.
“Doesn’t matter. I’ll wait.”
“It’s that urgent?”
Leila’s shoulders stiffened. “It’s what we thought.”
Delphi wavered, swallowing the lump in her throat. “To his chamber then.”
“Meet Me there.”
Delphi nodded. “I’ll wait outside. Clear the area.”
The women parted ways. Leila ventured through one corridor, another, studying the
passing staff out of the corner of Her eye. Quickening Her pace, She headed into an
adjacent hallway—empty—and Her destination materialized in Her thoughts.
Gelanor’s chamber.
The corridor burst into rays of light, leaving Her weightless. Soon the light faded,
revealing brown walls, an umber rug—and Gelanor.
He sat on his bed with his back to Her, tugging feverishly at his cock. Cringing, She
cleared Her throat.
Gelanor looked over his shoulder, then jumped. “Mother of—”
“You can finish, if you’d like.”
The old man fumbled to put his bits away. “Your Holiness…”
“Apologies for the interruption. I honestly didn’t expect to find you here so soon.
Figured you’d be occupied with more important matters.” She watched him pull up his
pants. “But apparently not.”
“What are You doing here?” he stammered. “How did… How did You get in?”
“The same way I’ve gotten in each time before.”
“Before?”
“I’ve been through this chamber many times.”
Gelanor’s expression turned bleak. “What do You want?”
Leila slid Her hand into the slit of Her dress, pulling Her blade from its place on Her
thigh. “You and I are going to have a conversation.”
Wide-eyed, Gelanor sprang for the window with the energy of a man half his age. Leila
flung Her blade at him, launching it straight into his shoulder.
Wailing, he toppled face-first to the floor.
Leila hovered over him, unimpressed. “Calm yourself. There are much more painful
spots, I assure you.” She ripped the blade from his shoulder and waited for his cries
to die. “Are you ready for that conversation?”
When Gelanor said nothing, She held Her blade low, making sure he caught sight of
its bloody edge. His eyes widened. “Yes, we can talk. Just don’t—”
“Hurt you? I’ll try My best.” She tugged at his arm, trying and failing to get him
standing, then cocked Her head at a nearby chair. “Sit.”
With a whimper, Gelanor pulled himself up. Once he was seated, Leila yanked his
sheets from his bed, twisting them like rope and wrapping them around his ankles.
“Oh my God.”
Her head perked up. “Is there a problem, Senator?”
Gelanor went quiet, and Leila continued Her work, tying his legs to the legs of the
chair, his wrists to the armrests.
“It’s You,” Gelanor said. “All the Senators gone missing… It’s You.”
“How very astute you are.”
“I don’t understand. You’re just…killing us? One by one?”
“It seems you understand perfectly.”
“Have You gone mad?”
“Well, it’s not as though you’ve left Me any choice,” She scoffed. “You’ve imprisoned
Me in My own home, have taken all My authority, and now that you’ve properly picked
Me apart, you wait for Me to die—hover over My body like a flock of vultures. And on
top of that, you leave Me with no political means of disbanding you all. You’re here to
stay, and I have no say in the matter. If I can’t cast you out through legal means, then
surely I must cast you out through death.”
Gelanor didn’t speak, his eyes darting between Leila and Her blade.
“I imagine you’re wishing you had revoked that law earlier today,” She said.
“I can do that for You. We can go right now—”
“Oh, that won’t be necessary. I think I prefer it this way, to be honest.”
His eyes narrowed into slits. “You twisted bitch.”
“I’m twisted? Me?” She laughed. “You conspired to kill My mother. You conspired to kill
Me when I was just a child. And now you plan My death yet again. You long to steal
My realm from My line, and you do it all at the expense of My people—people who
are healthy and prosperous because of Me. And I’m the twisted one for burying My
blade into your throats? You understand, My duty, My birthright, is to purge this
realm of sickness and evil. And I have found the foulest evils in My very own palace. In
people like you.”
“It’ll never work, whatever You’re doing. Brontes’s network is vast, his plan extensive—
far beyond what You know, what I know—”
“Of course. Why do you think he’s still alive?”
“You are The Savior,” he said. “A woman of light and purity. Not of…murder.”
“Senator, I was born in death. You and your men made it so.”
The Senator went silent, his mouth hanging open stupidly.
“You’re going to answer a few questions for Me,” She said.
“If You’re to kill me, why should I answer anything?”
Leila slammed Her blade into the Senator’s hand, nailing it to its armrest. He howled
in agony, but Leila was immune to the sound. To the blood.
“A large sum of coin has been transferred from the vault. Where is it going?”
The man moaned, squirming in his restraints, but he said nothing. She ripped the
blade from his hand, sending him reeling again. “Where is My coin?”
“How do You know any of this? You’re not permitted in the vault.”
“For My own good, yes? You know, if I was allowed to access My own coin, I wouldn’t
be standing here. Do you see the trouble you’ve put upon yourself?”
Tears dribbled down Gelanor’s face. She tapped Her foot. “The coin. Where is it
going?”
Silence.
She thrust Her blade toward his other hand.
“Wait!”
The steel tip grazed his wrinkled flesh. Her eyes panned to his.
“Three men,” he said. “He’s using the coin to pay three men.”
“Who?”
“I don’t know, but they’re of an…unsavory disposition. He aims for them to move
against you. In the tournament, somehow.”
“Somehow?”
“I don’t know his methods, I just know…” He sucked in a shallow breath. “I just know
what I’ve already said. There’s three of them, they’re working within the Sovereign’s
Tournament…and none of it’s good for You.”
Tendrils of swampy-green oozed from his flesh, filling the space around him—the
color of his terror.
“There’s been a slow trickle of coin leaving the vault for some time now,” She said.
“Where’s it going?”
He faltered. “I don’t know.”
“You’re the Vault Keeper. You expect Me to believe that?”
“Brontes is handling those funds exclusively. He won’t talk. It’s very… It’s very private,
he says.”
“Are you lying to Me?”
“No,” he spat. “Your Holiness, no, I swear it.”
She lunged forward, grabbing his face hard and tight.
“Your Holiness, please, I’ve told You all I know,” he said. “All of it. I’m utterly useless to
You now. Have mercy. I’ll put this treachery behind me, I swear it.”
She tightened Her grip, and putrid green spilled from his pores. Each emotion carried
a color, and his, like every other man of his kind, was repulsive. She studied his rotten
hue—the fear of a man who had played his cards. Who had nothing left to give.
“Please, I’ve told You everything,” he stammered. “I’m useless.”
Leila hesitated, then dropped Her hand. “I believe you.”
He let out a relieved breath. “Thank You, Your Holiness. Thank You.”
She slammed Her blade into his throat.
Blood poured from his neck, saturating the front of his tunic. As his life drifted away
with the river of red, his eyes locked with Hers.
Leila frowned. “Oh, don’t give Me that look. After all, you are useless to Me.”
His stare went vacant, his body an empty vessel. Yanking Her blade from his flesh,
Leila called over Her shoulder.
“Delphi, I’ve made another mess. Help Me clean it up, would you?”

Gilagolf has moved to Gilagolf.net

Gilagolfers,

After 2 and a half years of hacking, destroying and reviewing golf courses, Gilagolf has finally moved to a proper home on this little corner in the internet universe: http://www.gilagolf.net.

Gilagolf.com was unfortunately taken, and negotiations fell through when they realised all we could offer them were used second hand balls and some nasi lemak if they were to come up to Malaysia.

So we had to decide on a new home and some were shortlisted:

1) Gilagolfer.com

2) IHateFrasersHill.com

3) BerjayaCoursesSuck.com

4) HackersofTheNewRepublic.com

5) SelesaHillsIsASorryExcuseOfACourse.com

It was important that the gilagolf branding remained, so we decided on Gilagolf.net. It’s still undergoing some aesthetic changes, but it’s basically as similar as possible to the old site.

So, update your bookmarks and also your feeds http://gilagolf.net/?feed=rss2

Keep Hacking and thanks for reading!!
