0002827
Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02
Monetary Authority of Singapore
Self-Regulatory Body Requirement
Free
Notice on Technology Risk Management, Notice No. CMG-N02
Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management
2014-07-01
The document as a whole was last reviewed and released on 2017-05-08T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2025 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools. The mapping team has taken every effort to ensure that the quality of the mapping is of the highest degree.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because each Citation and mandate is tied to a Common Control, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub, contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02, tagged with its primary and secondary nouns and primary and secondary verbs, laid out in columns. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.
Dictionary Terms – The dictionary terms listed for Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02 are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, the terms tagged within each mandate. The terms with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | TYPE | CLASS |
|---|---|---|
| Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [A financial institution shall put in place a framework and process to identify critical systems. Technology Risk Management ¶ 4] | Business Processes | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | TYPE | CLASS |
|---|---|---|
| Document and use the lessons learned to update the continuity plan. CC ID 10037 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Establish/Maintain Documentation | Preventive |
| Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Establish/Maintain Documentation | Preventive |
| Validate information security continuity controls regularly. CC ID 12008 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Systems Continuity | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | TYPE | CLASS |
|---|---|---|
| Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone |
| Establish, implement, and maintain an internal control framework. CC ID 00820 [A financial institution shall implement IT controls to protect customer information from unauthorised access or disclosure. Technology Risk Management ¶ 9] | Establish/Maintain Documentation | Preventive |
| Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive |
| Include cloud services in the internal control framework. CC ID 17262 | Establish/Maintain Documentation | Preventive |
| Include cloud security controls in the internal control framework. CC ID 17264 | Establish/Maintain Documentation | Preventive |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive |
| Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Process or Activity | Preventive |
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Business Processes | Preventive |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Establish/Maintain Documentation | Preventive |
| Apply security controls to each level of the information classification standard. CC ID 01903 | Systems Design, Build, and Implementation | Preventive |
| Establish, implement, and maintain the systems' availability level. CC ID 01905 [A financial institution shall make all reasonable effort to maintain high availability for critical systems. The financial institution shall ensure that the maximum unscheduled downtime for each critical system that affects the financial institution’s operations or service to its customers does not exceed a total of 4 hours within any period of 12 months. Technology Risk Management ¶ 5] | Establish/Maintain Documentation | Preventive |
| Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 [A financial institution shall make all reasonable effort to maintain high availability for critical systems. The financial institution shall ensure that the maximum unscheduled downtime for each critical system that affects the financial institution’s operations or service to its customers does not exceed a total of 4 hours within any period of 12 months. Technology Risk Management ¶ 5] | Process or Activity | Preventive |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Establish/Maintain Documentation | Preventive |
| Create an incident response report. CC ID 12700 | Establish/Maintain Documentation | Preventive |
| Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the impact of the relevant incident on the financial institution’s - service to its customers; and Technology Risk Management ¶ 8 (c) iii.] | Establish/Maintain Documentation | Preventive |
| Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the remedial measures taken to address the root cause and consequences of the relevant incident. Technology Risk Management ¶ 8 (d)] | Establish/Maintain Documentation | Preventive |
| Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the impact of the relevant incident on the financial institution’s - compliance with laws and regulations applicable to the financial institution; Technology Risk Management ¶ 8 (c) i.] | Establish/Maintain Documentation | Preventive |
| Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the impact of the relevant incident on the financial institution’s - operations; and Technology Risk Management ¶ 8 (c) ii.] | Establish/Maintain Documentation | Preventive |
| Include an executive summary of the incident in the incident response report. CC ID 12702 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - an executive summary of the relevant incident; Technology Risk Management ¶ 8 (a)] | Establish/Maintain Documentation | Preventive |
| Include a root cause analysis of the incident in the incident response report. CC ID 12701 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - an analysis of the root cause which triggered the relevant incident; Technology Risk Management ¶ 8 (b)] | Establish/Maintain Documentation | Preventive |
| Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - Technology Risk Management ¶ 8] | Communicate | Preventive |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [A financial institution shall notify the Authority as soon as possible, but not later than 1 hour, upon the discovery of a relevant incident, other than a relevant incident arising from the circumstances set out in regulations 9(1) and 23(1)(e) of the Securities and Futures (Markets) Regulations 2005 (“Markets Regulations”), regulation 9(1) of the Securities and Futures (Trade Repositories) Regulations 2013 and regulation 11(1) of the Securities and Futures (Clearing Facilities) Regulations 2013. Technology Risk Management ¶ 7] | Communicate | Corrective |
| Test the incident response procedures. CC ID 01216 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Testing | Detective |
| Document the results of incident response tests and provide them to senior management. CC ID 14857 | Actionable Reports or Measurements | Preventive |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | IMPACT ZONE | CLASS |
|---|---|---|
| Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | IMPACT ZONE | CLASS |
|---|---|---|
| Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [A financial institution shall put in place a framework and process to identify critical systems. Technology Risk Management ¶ 4] | Leadership and high level objectives | Preventive |
| Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive |
| Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | IMPACT ZONE | CLASS |
|---|---|---|
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive |
| Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - Technology Risk Management ¶ 8] | Operational management | Preventive |
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [A financial institution shall notify the Authority as soon as possible, but not later than 1 hour, upon the discovery of a relevant incident, other than a relevant incident arising from the circumstances set out in regulations 9(1) and 23(1)(e) of the Securities and Futures (Markets) Regulations 2005 (“Markets Regulations”), regulation 9(1) of the Securities and Futures (Trade Repositories) Regulations 2013 and regulation 11(1) of the Securities and Futures (Clearing Facilities) Regulations 2013. Technology Risk Management ¶ 7] | Operational management | Corrective |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | IMPACT ZONE | CLASS |
|---|---|---|
| Document and use the lessons learned to update the continuity plan. CC ID 10037 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Operational and Systems Continuity | Preventive |
| Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Operational and Systems Continuity | Preventive |
| Establish, implement, and maintain an internal control framework. CC ID 00820 [A financial institution shall implement IT controls to protect customer information from unauthorised access or disclosure. Technology Risk Management ¶ 9] | Operational management | Preventive |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive |
| Include cloud services in the internal control framework. CC ID 17262 | Operational management | Preventive |
| Include cloud security controls in the internal control framework. CC ID 17264 | Operational management | Preventive |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive |
| Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Preventive |
| Establish, implement, and maintain the systems' availability level. CC ID 01905 [A financial institution shall make all reasonable effort to maintain high availability for critical systems. The financial institution shall ensure that the maximum unscheduled downtime for each critical system that affects the financial institution’s operations or service to its customers does not exceed a total of 4 hours within any period of 12 months. Technology Risk Management ¶ 5] | Operational management | Preventive |
| Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Preventive |
| Create an incident response report. CC ID 12700 | Operational management | Preventive |
| Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the impact of the relevant incident on the financial institution’s - service to its customers; and Technology Risk Management ¶ 8 (c) iii.] | Operational management | Preventive |
| Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the remedial measures taken to address the root cause and consequences of the relevant incident. Technology Risk Management ¶ 8 (d)] | Operational management | Preventive |
| Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the impact of the relevant incident on the financial institution’s - compliance with laws and regulations applicable to the financial institution; Technology Risk Management ¶ 8 (c) i.] | Operational management | Preventive |
| Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the impact of the relevant incident on the financial institution’s - operations; and Technology Risk Management ¶ 8 (c) ii.] | Operational management | Preventive |
| Include an executive summary of the incident in the incident response report. CC ID 12702 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - an executive summary of the relevant incident; Technology Risk Management ¶ 8 (a)] | Operational management | Preventive |
| Include a root cause analysis of the incident in the incident response report. CC ID 12701 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - an analysis of the root cause which triggered the relevant incident; Technology Risk Management ¶ 8 (b)] | Operational management | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | IMPACT ZONE | CLASS |
|---|---|---|
| Operational management CC ID 00805 | Operational management | IT Impact Zone |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | IMPACT ZONE | CLASS |
|---|---|---|
| Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Preventive |
| Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 [A financial institution shall make all reasonable effort to maintain high availability for critical systems. The financial institution shall ensure that the maximum unscheduled downtime for each critical system that affects the financial institution’s operations or service to its customers does not exceed a total of 4 hours within any period of 12 months. Technology Risk Management ¶ 5] | Operational management | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | IMPACT ZONE | CLASS |
|---|---|---|
| Validate information security continuity controls regularly. CC ID 12008 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Operational and Systems Continuity | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | IMPACT ZONE | CLASS |
|---|---|---|
| Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Preventive |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | IMPACT ZONE | CLASS |
|---|---|---|
| Test the incident response procedures. CC ID 01216 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Operational management | Detective |

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | IMPACT ZONE | TYPE |
|---|---|---|
| Notify interested personnel and affected parties that a security breach was detected. CC ID 11788 [A financial institution shall notify the Authority as soon as possible, but not later than 1 hour, upon the discovery of a relevant incident, other than a relevant incident arising from the circumstances set out in regulations 9(1) and 23(1)(e) of the Securities and Futures (Markets) Regulations 2005 (“Markets Regulations”), regulation 9(1) of the Securities and Futures (Trade Repositories) Regulations 2013 and regulation 11(1) of the Securities and Futures (Clearing Facilities) Regulations 2013. Technology Risk Management ¶ 7] | Operational management | Communicate |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular

| Common Control and mandate | IMPACT ZONE | TYPE |
|---|---|---|
| Test the incident response procedures. CC ID 01216 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Operational management | Testing |
Operational management CC ID 00805 | Operational management | IT Impact Zone |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 [A financial institution shall put in place a framework and process to identify critical systems. Technology Risk Management ¶ 4] | Leadership and high level objectives | Business Processes | |
Document and use the lessons learned to update the continuity plan. CC ID 10037 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Validate information security continuity controls regularly. CC ID 12008 [A financial institution shall establish a recovery time objective (“RTO”) of not more than 4 hours for each critical system. The RTO is the duration of time, from the point of disruption, within which a system must be restored. The financial institution shall validate and document at least once every 12 months, how it performs its system recovery testing and when the RTO is validated during the system recovery testing. Technology Risk Management ¶ 6] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [A financial institution shall implement IT controls to protect customer information from unauthorised access or disclosure. Technology Risk Management ¶ 9] | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
Include cloud services in the internal control framework. CC ID 17262 | Operational management | Establish/Maintain Documentation | |
Include cloud security controls in the internal control framework. CC ID 17264 | Operational management | Establish/Maintain Documentation | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Process or Activity | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
Establish, implement, and maintain an Asset Management program. CC ID 06630 | Operational management | Business Processes | |
Establish, implement, and maintain classification schemes for all systems and assets. CC ID 01902 | Operational management | Establish/Maintain Documentation | |
Apply security controls to each level of the information classification standard. CC ID 01903 | Operational management | Systems Design, Build, and Implementation | |
Establish, implement, and maintain the systems' availability level. CC ID 01905 [A financial institution shall make all reasonable effort to maintain high availability for critical systems. The financial institution shall ensure that the maximum unscheduled downtime for each critical system that affects the financial institution’s operations or service to its customers does not exceed a total of 4 hours within any period of 12 months. Technology Risk Management ¶ 5] | Operational management | Establish/Maintain Documentation | |
Restrict unscheduled downtime in order to maintain high availability for critical systems. CC ID 12742 [A financial institution shall make all reasonable effort to maintain high availability for critical systems. The financial institution shall ensure that the maximum unscheduled downtime for each critical system that affects the financial institution’s operations or service to its customers does not exceed a total of 4 hours within any period of 12 months. Technology Risk Management ¶ 5] | Operational management | Process or Activity | |
Establish, implement, and maintain an Incident Response program. CC ID 00579 | Operational management | Establish/Maintain Documentation | |
Create an incident response report. CC ID 12700 | Operational management | Establish/Maintain Documentation | |
Include a description of the impact the incident had on customer service in the incident response report. CC ID 12735 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the impact of the relevant incident on the financial institution’s - service to its customers; and Technology Risk Management ¶ 8 (c) iii.] | Operational management | Establish/Maintain Documentation | |
Include measures to mitigate the root causes of the incident in the incident response report. CC ID 12714 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the remedial measures taken to address the root cause and consequences of the relevant incident. Technology Risk Management ¶ 8 (d)] | Operational management | Establish/Maintain Documentation | |
Include a description of the impact the incident had on regulatory compliance in the incident response report. CC ID 12704 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the impact of the relevant incident on the financial institution’s - compliance with laws and regulations applicable to the financial institution; Technology Risk Management ¶ 8 (c) i.] | Operational management | Establish/Maintain Documentation | |
Include a description of the impact the incident had on operations in the incident response report. CC ID 12703 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - a description of the impact of the relevant incident on the financial institution’s - operations; and Technology Risk Management ¶ 8 (c) ii.] | Operational management | Establish/Maintain Documentation | |
Include an executive summary of the incident in the incident response report. CC ID 12702 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - an executive summary of the relevant incident; Technology Risk Management ¶ 8 (a)] | Operational management | Establish/Maintain Documentation | |
Include a root cause analysis of the incident in the incident response report. CC ID 12701 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - an analysis of the root cause which triggered the relevant incident; Technology Risk Management ¶ 8 (b)] | Operational management | Establish/Maintain Documentation | |
Submit the incident response report to the proper authorities in a timely manner. CC ID 12705 [A financial institution shall, within 14 days or such longer period as the Authority may allow, from the discovery of the relevant incident as described in paragraph 7 or a relevant incident arising from the circumstances set out in regulation 23(1)(e) of the Markets Regulations, as the case may be, submit a root cause and impact analysis report to the Authority. The report shall contain - Technology Risk Management ¶ 8] | Operational management | Communicate | |
Document the results of incident response tests and provide them to senior management. CC ID 14857 | Operational management | Actionable Reports or Measurements |