Risk Management in Technology (RMiT)

In common with regulators in other financial markets around the world, Bank Negara Malaysia (BNM) has taken a lead in defining a stringent security controls framework for Malaysian financial institutions. Sustained advanced persistent threat (APT) attacks on the banking industry, such as the Carbanak hack, shook the banking world. This co-ordinated and sophisticated attack was a wake-up call to banks that cybercrime was becoming more organized and effective. Carbanak not only resulted in core banking systems being infiltrated, allowing fraudulent electronic fund transfers to be made, but ATM systems were also hacked to allow cash to be stolen directly.

The Risk Management in Technology (RMiT) provides clear guidance for minimum expected standards in cyber security and serves to provide a level of confidence within the market, covering everything from the data center to the ATM/SST. The BNM guidelines are detailed in the RMiT BNM/RH/ED 028-98 publication.

Banking and finance is always a high-risk industry with respect to hackers, and it is crucial that awareness of threats is maintained and that new technological innovations are utilized, for example, leveraging One-Time Passwords (OTP) to reduce the opportunity for fraudulent transactions.

Significantly, the RMiT is very clear in placing responsibility at the Board level for an understanding of the ‘financial institution’s risk appetite’ and its ‘corresponding risk tolerances for technology-related events’. Furthermore, it is also a board-level responsibility to ensure ‘effective implementation of a sound and robust technology risk management framework (TRMF) and cyber resilience framework (CRF), for the financial institution to ensure the continuity of operations and delivery of financial services’. In other words, compliance with RMiT is mandatory and everyone is responsible for its delivery.

Timeline

  • October 2019: Internal gap analysis results to be submitted by all financial institutions.
  • January 1, 2020: RMiT is now effective and compulsory for all organizations.
  • December 31, 2022, or whenever there is a ‘material change in the data center infrastructure’: External audit required of Data Centre and Network Resilience.

As such, external audits are required regularly and at least every 3 years. But like all cyber security controls, the real need is to operate security best practices continuously and as embedded processes. With the average time to detect a breach still in excess of 170 days, better detection and evaluation of all change is essential.

The NNT Solution for RMiT

 

The NNT SecureOps™ portfolio is carefully assembled so that, when used in a co-ordinated fashion as part of an overall security controls framework, all key controls are automated and utilized to maximum effect.

NNT SecureOps™ is short for Secure Operations. It combines the essential, foundational security controls prescribed by all leading security frameworks, such as CIS and NIST (and, of course, RMiT too), with the operational discipline of change management and the innovation of change control, pioneered by NNT.

By ensuring the basic and essential security controls are in place, combined with the ability to validate the safety of all changes, organizations can prevent and protect against cyber-attack while improving IT Service Delivery quality.

The SecureOps™ solution set includes:

  • Asset discovery and Inventory
  • Secure system configuration for all assets
  • Regular vulnerability scanning
  • Change monitoring and control
  • Whitelist approved File Integrity Monitoring
  • Integration with operational Change Management process and systems
  • Security Information and Event Log Management (SIEM)

 

NNT SecureOps™ is the perfect solution for operating & demonstrating RMiT compliance.

NNT’s Vulnerability Tracker™ identifies known vulnerabilities within software and configuration settings before they can be exploited by a cyber-attack.

  • Directly addresses RMiT Appendix 5 and Appendix 2 controls for vulnerability management, penetration testing and validation of web application security.
  • Continuously tests and assesses your IT network and any device connected to it against thousands of Network Vulnerability Tests (NVTs).
  • Unique, fully meshed, distributed scanning solution providing UNLIMITED scanning, not restricted by device counts. This makes Vulnerability Tracker the most scalable, flexible and cost-effective enterprise-class scanner.

NNT Change Tracker Gen 7 R2 provides fundamental cyber security prevention and detection. It does this by leveraging the required security best practice disciplines of system configuration and integrity assurance combined with the most comprehensive and intelligent change control solution available. Change Tracker from NNT will ensure that your IT systems remain in a known, secure and compliant state at all times.

  • Directly addresses RMiT Appendix 5 and Appendix 2 controls for secure configuration hardening, malware protection and change control.
  • Provides context-based File Integrity Monitoring and File Whitelisting to assure all change activity is automatically analyzed and validated.
  • Certified CIS configuration hardening ensures all systems remain securely configured at all times.
  • Intelligent change control technology provides unparalleled change noise reduction along with the ultimate reassurance that the changes occurring within your production environment are consistent, safe and as required.

NNT Log Tracker records full audit trails of all user and system activity, then correlates events to provide early warning of hacker behavior.

  • Directly addresses RMiT Appendix 5 and Appendix 2 controls for centralized management and alert aggregation.
  • Securely protects all logs and audit trails.
  • Correlates logs from all devices, including network devices, Unix and Windows servers, applications and databases, and analyzes them for unusual or suspicious activity.
  • Pre-built compliance reports and scorecards.

Copyright 2020, New Net Technologies LLC. All rights reserved. 