Secure, manage and monitor privileged accounts to meet MAS-TRM guidelines
The Monetary Authority of Singapore (MAS) has adapted and expanded the Internet Banking Technology Risk Management (IBTRM) guidelines. The guidelines were first published in 2001 to provide banks with a risk management framework for internet banking. Due to the advancement of information technology and the rapidly changing threat landscape, MAS has revised, enhanced, and renamed the guidelines to the “Technology Risk Management” (TRM) guidelines.
MAS TRM updates include:
- Expansion to apply to all financial institutions, not just banks
- Application to all IT systems, whereas IBTRM covered only systems that provide online services
- Application of a notice which includes legal requirements for financial institutions (FIs) related to technology risk management
MAS TRM and Privileged Account Security
Privileged accounts are prevalent in all IT systems and represent one of the largest security vulnerabilities an organization faces today. The MAS TRM guidelines include a dedicated section on Privileged Access Management which includes controls such as restricting the number of privileged users, maintaining an audit log of privileged user activities, and prohibiting sharing of privileged accounts.
CyberArk Solutions address the MAS TRM guidelines related to privileged access management and enable FIs to implement strong privileged account security controls.
- Tamper-proof audit logs and session monitoring for audit integrity
- Flexible password policy management including password aging, complexity, versioning policy and archiving
- Customizable “request workflows” for credential access approval, including dual controls and integration with helpdesk ticketing systems
- Automated privileged identity management including discovery and provisioning, policy-based password changes, and access controls
- Continuous monitoring for protection and compliance without impacting the business
- Isolated privileged sessions for a better security posture against cyber attacks