TABLE OF CONTENTS
1 Introduction
2 Applicability
3 Legal provision
4 Effective date
5 Interpretation
6 Related legal instruments and policy documents
7 Policy documents and circulars superseded
PART B POLICY REQUIREMENTS
8 Governance
9 Technology Risk Management
10 Technology Operations Management
11 Cybersecurity Management
12 Technology Audit
13 Internal Awareness and Training
PART C REGULATORY PROCESS
14 Notification for Technology-Related Applications
15 Consultation and Notification related to Cloud Services
16 Assessment and Gap Analysis
APPENDICES
Appendix 1 Storage and Transportation of Sensitive Data in Removable Media
Appendix 2 Control Measures on Self-service Terminals (SST)
Appendix 3 Control Measures on Internet Banking
Appendix 4 Control Measures on Mobile Application and Devices
Appendix 5 Control Measures on Cybersecurity
Appendix 6 Positive List for Enhancements to Electronic Banking, Internet Insurance and Internet Takaful Services
Appendix 7 Risk Assessment Report
Appendix 8 Format of Confirmation
Appendix 9 Supervisory Expectations on External Party Assurance
Appendix 10 Key Risks and Control Measures for Cloud Services