Case Studies

Protecting Customers with PCI Compliance

Achieving compliance in line with Technology Risk Management guidelines

The Challenge

The Monetary Authority of Singapore (MAS) operates as the integrated regulator and supervisor of financial institutions in Singapore. To protect customer-sensitive data from unauthorised disclosure or misuse, MAS Notice 644 took legal effect on 1st July 2014.

Against the backdrop of the financial sector's increasing reliance on complex IT systems and operations is a heightened risk of cyber-attacks and system disruptions. Banks are therefore expected to continue deepening their technology risk management capabilities and to be ready to handle IT security incidents and system failures. The MAS Internet Banking and Technology Risk Management Guidelines have been revised and enhanced to better guide banks in addressing the existing and emerging technology risks they face.

Our client is one of the major Australian banks. The bank’s Singapore business was not fully compliant with MAS Notice 644. Non-compliance with the notice could result in significant consequences, such as financial penalties, imprisonment, mandated dismissal of directors and executives, MAS administration of the Singapore business, suspension or limitation of trading/banking activities, or revocation of the banking licence. Accordingly, for the bank to continue its Singapore operations, compliance with MAS Notice 644 was imperative.

The Solution

The project’s purpose was to achieve compliance with MAS Notice 644 in line with the Technology Risk Management (TRM) guidelines. These guidelines detailed the focus areas and the type and level of compliance required. The bank’s approach to achieving compliance comprised two interdependent streams: Policy and Technology.

Terra Firma came on board to deliver compliance for the technology stream of the project. The technology stream had four sub-streams (User Access, Privileged User Access, User Logging and Monitoring, and Data Loss Protection) and, together with the policy stream, addressed the heightened risk and the upgrade of technology risk management capabilities required by the new guidelines. Additionally, without the uplift of technology risk controls, bank customers would be exposed to a greater risk of financial loss through fraud, which in turn would come back to the bank as additional cost.

In consultation with the technology teams, key solutions to address the required controls were determined for all assets. An impact assessment was conducted, and a delivery strategy for implementing the solutions across the assets was formulated. A change management strategy and supporting artefacts for successful implementation were designed.

Terra Firma engaged all areas and implemented the specified solutions for each sub-stream and asset to ensure compliance with MAS. Because of the variety of assets impacted and the complexity of the solutions needed for each sub-stream, Terra Firma had to integrate with the asset teams to build trust and drive implementation, so that delivery progressed in a timely manner and compliance was achieved.

The Result

As a result of the engagement, Terra Firma successfully delivered outcomes for all of the technology sub-streams.

We ensured that all of the privileged user access management controls for the assets were deployed onto the CyberArk solution. For user access management, all assets flagged as non-compliant were onboarded to SARD, introducing SARD user access controls to thousands of users. This ensured that customer-sensitive data was protected in line with the specifications and regulations enforced by MAS Notice 644.

The Data Loss Protection work delivered a requirements mapping document detailing the requirements, an analysis of the bank's current state, and key recommendations for the bank to implement, including a detailed security roadmap. This led to the delivery into production of additional controls for USB and email.

With the analysis provided by Terra Firma, the bank was able to engage IBM to deliver a new enterprise service providing the required logging and reporting capability. Additionally, while the initial objective was to achieve MAS compliance in the bank’s Singapore operations, Terra Firma was also able to identify future opportunities to leverage these services within other bank programs.