monetary-authority-singapore-page-banner

Complying with Technology Risk Management (TRM) Guidelines of the Monetary Authority of Singapore (MAS)

Thales helps organizations comply with key components of the Monetary Authority of Singapore's Technology Risk Management Guidelines.

Monetary Authority of Singapore Guidance

Test

To safeguard sensitive customer data and comply with the Monetary Authority of Singapore’s Technology Risk Management Guidelines, organizations need to apply consistent, robust and granular controls.

The CipherTrust Data Security Platform from Thales helps customers address these guidelines throughout their organization, in part through:

  • Strong access management and authentication
  • Comprehensive data encryption capabilities
  • Centralized policy and key management
  • Access monitoring and intelligence
  • Flexible integration options
  • Regulation
  • Compliance

Regulation Overview

The Monetary Authority of Singapore (MAS) published Technology Risk Management (TRM) Guidelines to help financial firms establish sound technology risk management, strengthen system security, and safeguard sensitive data and transactions.

The TRM contains statements of industry best practices that financial institutions conducting business in Singapore are expected to adopt. The MAS makes clear that, while the TRM requirements are not legally binding, they will be a benchmark the MAS uses in assessing the risk of financial institutions.

Guideline Descriptions

  • 8.4.4 The FI should encrypt backup tapes and disks, including USB disks, containing sensitive or confidential information before they are transported offsite for storage.
  • 9.1.6 Confidential information stored on IT systems, servers and databases should be encrypted and protected through strong access controls, bearing in mind the principle of “least privilege”.
  • 11.0.1.c Access control principle – The FI should only grant access rights and system privileges based on job responsibility and the necessity to have them to fulfill one's duties. The FI should check that no person by virtue of rank or position should have any intrinsic right to access confidential data, applications, system resources or facilities.
  • 11.1.1 The FI should only grant user access to IT systems and networks on a need-to-use basis and within the period when the access is required. The FI should ensure that the resource owner duly authorises and approves all requests to access IT resources.
  • 11.2 Privileged Access Management.
  • 11.2.3.d. Grant privileged access on a “need-to-have” basis.
  • 11.2.3.e. Maintain audit logging of system activities performed by privileged users.
  • 11.2.3.f. Disallow privileged users from accessing systems logs in which their activities are being captured.
  • 13 payment card security (automated teller machines, credit and debit cards).

Thales can help your organization keep data breaches from happening in the first place through:

  • Access control to ensure only credentialed users have access to your systems and data
  • Encryption, tokenization and cryptographic key management to ensure that if data is stolen, it will be meaningless and useless to cybercriminals
  • Security intelligence logs to identify irregular access patterns and breaches in progress

Strong Access Management and Authentication

Thales Access Management and Authentication solutions provide both the security mechanisms and reporting capabilities organizations need to comply with data security regulations. Our solutions protect sensitive data by enforcing the appropriate access controls when users log into applications that store sensitive data. By supporting a broad range of authentication methods and policy driven role-based access, our solutions help enterprises mitigate the risk of data breach due to compromised or stolen credentials or through insider credential abuse.

Support for smart single sign on and step-up authentication allows organizations to optimize convenience for end users, ensuring they only have to authenticate when needed. Extensive reporting allows businesses to produce a detailed audit trail of all access and authentication events, ensuring they can prove compliance with a broad range of regulations.

The CipherTrust Data Security Platform

The CipherTrust Data Security Platform from Thales is the only solution with a single extensible framework for protecting data-at-rest under the diverse requirements of enterprises across the broadest range of OS platforms, databases, cloud environments and big data implementations. The result is low total cost of ownership, as well as simple, efficient deployment and operation.

  • CipherTrust Transparent Encryption provides file and volume level data-at-rest encryption, secure key management, and access controls required by regulation and compliance regimes.
  • CipherTrust Key Management enables centralized management of encryption keys for other environments and devices including KMIP compatible hardware, Oracle and SQL Server TDE master keys, and digital certificates.
  • CipherTrust Security Intelligence provides another level of protection from malicious insiders, privileged users, APTs, and other attacks that compromise data by delivering the access pattern information that can identify an incident in progress.
  • CipherTrust Application Data Protection enables agencies to easily build encryption capabilities into internal applications at the field and column level.
  • CipherTrust Tokenization lets administrators establish policies to return an entire field tokenized or dynamically mask parts of a field. With the solution’s format-preserving tokenization capabilities, you can restrict access to sensitive assets, yet at the same time, format the protected data in a way that enables many users to do their jobs.

Thales High Speed Encryptors

Thales High Speed Encryptors (HSEs) provide network independent data-in-motion encryption (Layers 2,3 and 4) ensuring data is secure as it moves from site-to-site, or from on-premises to the cloud and back. Our HSE solutions allow customers to better protect data, video, voice, and metadata from eavesdropping, surveillance, and overt and covert interception—all at an affordable cost and without performance compromise.

  • Related Resources
  • Other key data protection and security regulations

    GDPR

    Regulation
    Active Now

    Perhaps the most comprehensive data privacy standard to date, GDPR affects any organization that processes the personal data of EU citizens - regardless of where the organization is headquartered.

    PCI DSS

    Mandate
    Active Now

    Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

    Data Breach Notification Laws

    Regulation
    Active Now

    Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.