Bank Negara Malaysia’s Guidelines on Data Management and MIS Framework and what it means for Malaysian financial institutions

Under the Guidelines on Data Management and MIS Framework (“Guidelines”), Bank Negara expects financial institutions to establish and maintain a sound data management and management information system framework. Responsibility for this is placed on senior management and the Board of Directors. The Board and senior management are specifically entrusted with the duty to put in place a corporate culture that reinforces the importance of data integrity. Performing this duty naturally requires financial institutions to commit to policies that preserve data integrity and to allocate resources and technology towards compliance with those policies, in pursuit of the overall objective. It is pertinent to note that the Guidelines are issued pursuant to Section 126 of the Banking and Financial Institutions Act 1989, thereby rendering non-compliance an offence under the said Act by virtue of Section 104 of the said Act.

The responsibility of the Board of the financial institution is specifically identified under the Guiding Principles set out in the Guidelines. The Board must maintain effective oversight over the data management and MIS framework by providing direction to senior management on broad expectations of the framework and ensuring that these expectations are documented in formal policy statements on data management. The Board is then responsible for ensuring that these expectations are met on a continuing basis and for approving strategic resource allocations towards data management and MIS enhancement initiatives.

Senior management should periodically review and advise the Board on the effectiveness of the data management and MIS framework. The data management and MIS framework and governance structure should be subject to independent reviews by an external party or the internal audit function. Such audits must be able to evidence the adequacy of data management, the effectiveness of controls and continued adherence to established policies.

Financial institutions should establish a sound data governance structure that ensures the effective control of data quality. This refers to the overall management of the availability, usability, reliability, integrity and security of the data employed in the organization. One of the key functions and specific responsibilities associated with data management is ensuring that data control functions are operating effectively to preserve the integrity of the institution’s data, including financial information reported to the Bank. This includes ensuring that adequate controls are in place to safeguard the security of the institution’s data repositories and the transmission of confidential and mission critical data. The Guidelines also specifically direct that controls should address the procedures to be observed for the deletion/destruction of logical or physical data.

It is a common practice in Malaysian financial institutions to outsource IT asset management or their disposal once these data storage media (particularly computers containing hard drives of confidential information). The Guidelines specifically state that where data is managed by third party vendors under outsourcing arrangements, senior management must ensure that effective oversight, review and reporting arrangements are established. Taking the example of the disposal of computers when obsolete or replaced, there should be a clear, auditable document evidencing the destruction of all data stored in those units, and the outsource service provider should be able to provide the financial institution with such evidence, failing which compliance with the Guidelines would be questionable. The method of erasure therefore becomes critical, and the financial institution should ensure that the third party vendor’s methods are highly certified and reliable.

Principle 5 of the Guidelines makes clear that all financial institutions should maintain effective controls over data security and privacy to preserve a high level of systems and data integrity. This requirement necessarily means that controls and assets have to be updated regularly, so that security measures reflect the new threats that may arise and exist, and the technology used to combat and defend against these threats is current and effective. One of the major inadvertent sources of data leaks is loss of data through the disposal or loss of data storage media. A financial institution would have data stored in computer hard drives, and its key personnel may require key information to be portable and therefore use pen drives/portable USB storage devices. There have been many internationally documented cases of data leaks of critical information through the loss of USB drives or the disposal of computers without effective data erasure having been carried out. Hence, the Guidelines themselves specifically recognize that financial institutions must establish adequate preventive and detective controls to ensure that logical and physical access to systems and data is secure and only available to authorized personnel for specific purposes. Policies and procedures should be established for the classification of data, having regard to the potential impact that unauthorized access to, or tampering with, data could have on, amongst others, the institution’s ability to accurately assess its risk exposures and financial condition, and the individual’s and customer’s right to privacy.

Our research indicates that amongst the financial institutions in Malaysia there is recognition of the loss of data through disposal of computers and portable storage media. However, the methods employed in preventing such loss of data and complying with the Guidelines are neither streamlined nor, in some cases, current with technological advances. The Guidelines are commendable in their objective and intent. Financial institutions should regularly review their processes and policies to ensure that the methods that they employ towards compliance with these Guidelines are consistent with international practices and utilize certified and recognized solutions.


Did You Know

Identity theft is the top consumer complaint in the USA according to the Federal Trade Commission.

US consumers reported fraud loss totalling more than $1.1 billion in 2006.

Credit card fraud (25%) was the most common form of reported identity theft in the US in 2006.

More than 100 000 people are affected by identity theft each year in the UK.

According to Privacy Rights Clearinghouse, more than 350 data loss incidents involving more than 140 million records have occurred since February 2005.

Organisations are obliged by law to take adequate steps to ensure the proper disposal of data.


