The Information Technology Risk Management Guidelines (แนวปฏิบัติในการบริหารความเสี่ยงด้านเทคโนโลยี สารสนเทศ) by the Bank of Thailand (BOT) was refreshed in November 2023 to address evolving cybersecurity threats, digital transformation risks, and regulatory compliance requirements for financial institutions in Thailand. The revised Guidelines include maintaining systems that support mobile banking channels, reporting IT risk self-assessments to the BOT within 30 days, and submitting guidelines for IT risk management implementation and third-party risk management.
Overview of the IT Risk Management Guidelines by BOT
- The primary purpose is to ensure that financial institutions under its supervision can effectively identify, assess, mitigate, and monitor IT-related risks in a rapidly evolving digital landscape.
- The revised guidelines in 2023 are to strengthen cybersecurity resilience to combat the rising cyber threats targeting financial institutions, as well as the increased reliance on cloud services and third-party providers.
Banks, non-bank financial institutions, and payment service providers are supervised by the BOT.
Compliance Brief
Complying with the IT Risk Management Guidelines by the Bank of Thailand (BOT)
Discover how financial institutions comply with the Information Technology Risk Management Guidelines through our comprehensive solutions and learn more about the requirements.
How Thales Helps with the IT Risk Management Guidelines by the Bank of Thailand (BOT)
Thales’ Cybersecurity Solutions help financial institutions address 8 requirements in Chapter 2 – Information Technology Security by simplifying compliance and automating security with visibility and control, reducing the burden on security and compliance teams.
BOT Compliance Solutions
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks.
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.
Identity & Access Management
Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.
Address the BOT – IT Risk Management Guidelines
How Thales helps:
- Classify and assign specific sensitivity levels for data when you are defining your data stores and your classification profiles for different types of data sets.
- Identify the current state of compliance and document gaps.
- Discover and classify potential risk for all public, private and shadow APIs.
How Thales helps:
- Detect and prevent cyber threats with web application firewall, ensuring seamless operations and peace of mind.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Deliver unified protection, with built-in detection and response for deprecated, unauthenticated, and BOLA-prone APIs and many more of the OWASP API Top Ten threats, stopping business logic abuse and API threats in real time.
- Provide continuous protection of all APIs using deep discovery and classification to detect all public, private and shadow APIs.
- Encrypt data at rest on-premises, across clouds, and in big data or container environments.
- Pseudonymize sensitive information in databases.
- Protect the root-of-trust of a cryptographic system within a highly secure environment.
- Protect data in motion with high-speed encryption.
- Protect data in use by leveraging confidential computing.
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document.
How Thales helps:
- Ensure secure deletion by removing keys from CipherTrust Manager, digitally shredding all instances of the data.
How Thales helps:
- Centralize key lifecycle management tasks including generation, rotation, destruction, import and export.
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
- Support cryptography algorithms such as Advanced Encryption Standard (AES) 256bits, RSA 3072 bits and designed for a post-quantum upgrade to maintain crypto-agility.
- Deploy transparent encryption for strong and standard-based encryption protocols.
- Manage and protect all secrets and sensitive credentials.
Solutions:
Data Security
How Thales helps:
- Employ strong and standard-based encryption protocols, such as the Advanced Encryption Standard (AES) for data encryption and elliptic curve cryptography (ECC) for key exchange.
- Protect cryptographic keys in FIPS-validated and tamper-evident hardware.
How Thales helps:
- Centralize key lifecycle management including generation, rotation, destruction, import and export.
- Manage encryption keys, provide granular access control and configure security policies.
- Ensure secure deletion by removing keys from CipherTrust Manager, digitally shredding all instances of the data.
- Support cryptography algorithms such as Advanced Encryption Standard (AES) 256bits, RSA 3072 bits.
- Offer secure key exchange protocols such as TLS/SSL (Mutual Authentication), PKCS#11, KMIP, REST API (over TLS), Elliptic Curve Diffie-Hellman (ECDH), Key Wrapping (AES-KW, RSA-KW).
- Provide tight control to the HSM with strong multi-factor authentication.
- Protect cryptographic keys in a FIPS 140-3 Level 3 environment.
- Easily backup and duplicate sensitive cryptographic key securely to the FIPS 140-3 Level3 certified backup HSM.
- Manage and protect all secrets and sensitive credentials.
How Thales helps:
- Implement Multi-Factor Authentication (MFA) to ensure that only authorized individuals access the system.
- Deploy Single Sign-On (SSO) to allow users to securely access multiple systems with a single authentication.
- Set up access control policies based on user roles, responsibilities, and risks (Adaptive Access Control).
- Offer audit system access and store usage data (Access Logs) to support retrospective auditing.
- Revoke access rights automatically when no longer needed (Delegated User Management & Automated Deprovisioning).
Solutions:
Identity & Access Management
How Thales helps:
- Offer Multi-Factor Authentication (MFA) to prevent unauthorized network access.
- Create network access control policies based on user roles and risks.
- Monitor and analyze network usage behavior to alert if risks are found.
- Manage external user permissions that need to access the network for security.
Solutions:
Identity & Access Management
How Thales helps:
- Monitor API activity, track usage, detect anomalies, and identify potential unauthorized access attempts.
- Enable continuous monitoring to capture and analyze all data store activity, providing detailed audit trails that show who accesses what data, when, and what was done to the data.
- Enforce user rights management based on data type and user role and produce reports for audit trails.
- Capture detailed data activity automatically for audit purposes.
- Record all changes to permissions, along with the identity of the perpetrator and session details.
Solutions:
Application Security
Data Security
Identity & Access Management
How Thales helps:
- Adjust access permissions based on real-time or near real-time user behavior and contextual factors.
- Centralize access policies and enforcement to multiple hybrid environments in a single pane of glass.
- Provide log access and activity of privileged users (e.g. system admin) for later review.
- Analyze behavior of privileged users and audit logs to find anomalies such as admin logging in outside working hours or modifying abnormal privileges.
- Create workflows for requesting privileges and recording approvals to support review.
Solutions:
Identity & Access Management
How Thales helps:
- Monitor API activity, track usage, detect anomalies, and identify potential unauthorized access attempts.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Alert or block database attacks and abnormal access requests in real time.
- Monitor file activity over time to set up alerts on activity that can put financial institutions at risk.
- Continuously monitor processes for abnormal I/O activity and alerts or blocks malicious activity.
- Monitor active processes to detect ransomware – identifying activities such as excessive data access, exfiltration, unauthorized encryption, or malicious impersonation of a user, and alerts/blocks when such an activity is detected.
- Apply contextual security measures based on risk scoring.
- Centralize access policies and enforcement to multiple hybrid environments in a single pane of glass.
- Build and deploy adaptive authentication policies based on the sensitivity of the data/application.
- Monitor user behavior such as admin login from a new location/IP or a wrong system access pattern to alert and prevent attack.
- Analyze User Behavior Analytics (UBA) and context such as time/device/network to add authentication or block access.
- Create workflow to alert, approve, and check incident management of related parties.
Solutions:
Application Security
Data Security
Identity & Access Management
How Thales helps:
- Offer advanced API Verification capabilities to strengthen your defenses against potential vulnerabilities.
- Run assessment tests on data stores such as MySQL or so to scan for known vulnerabilities.
- Scan your databases with over 1,500 predefined vulnerability tests based on CIS and PCI-DSS benchmarks to help you keep your databases covered for the latest threats.
Solutions:
Application Security
Data Security
How Thales helps:
- Manage system access from both corporate and BYOD devices with Identity Verification and Multi-Factor Authentication (MFA).
- Enforce contextual access policies and control system and data access rights based on device and user role risks, such as denying access from unregistered or high-risk devices.
- Create workflows for registering, renewing, and terminating BYOD.
- Verify device identities with digital certificates or trusted authorities before allowing connections.
- Detect unauthorized devices, such as rooted/jailbroken devices, and block access immediately.
Solutions:
Identity & Access Management
How Thales helps:
- Pseudonymize sensitive information in databases to prevent exposure of real data for testing.
How Thales helps:
- Manage the identity of external service providers by checking and verifying their identities before granting access to systems or sensitive data.
- Enforce access policies based on role and risk of the provider to limit access to only the necessary scope of work.
- Manage access rights and assign management rights to administrators or supervisors.
- Create workflows to register, verify, and revoke external service providers' rights according to the contract cycle.
- Track and store logs of external service provider access activities to support retrospective auditing.
Solutions:
Identity & Access Management
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.