Enterprise Architecture considerations in the Risk Management of IT
Caption: Aaron Tan Dani, Chief Architect at ATD Solution and President of Iasa in APAC, during a presentation at one of his many workshops
Here’s a little known fact buried deep within Section 10.5 of the Risk Management in Technology (RMiT) draft released by Bank Negara earlier this month.
Within this exposure draft document, it is stated that “A financial institution should establish an enterprise architecture framework or EAF, that provides a holistic view of technology throughout the financial institution.”
This document is slated to become policy by June, and it expects the financial services industry (FSI) comprising of banks, insurers, tactful operators, operators of designated payment systems and eligible issuers of e-money, to comply with it.
Responding to rising cyber security concerns
Multinational law firm Baker McKenzie had shared about the five broad areas that the FSI has to look at, in preparation of RMiT.
These five areas are 1. board and senior management responsibilities, 2, designating a chief information security officer (CISO) role 3. data centres 4. cloud services 5. third-party outsourcing.
The first area highlighted by Baker McKenzie, which is board and senior management responsibilities, is the first clue that the business has to play a bigger role in an organisation’s cyber security efforts.
It does not go so far as to demand accountability from the board and senior management, but recognising that business and IT need to be on the same page, is a huge first step.
ATD Solution’s chief architect and chairman of Singapore Computer Society’s Enterprise Architecture Chapter, Aaron Tan Dani said, “Yes, there are a couple of statements that highlight the importance of Business and IT alignment.
“For example, it mentions that, ‘a financial institution must establish a committee comprising representatives of both business and technology…'”, Tan said.
This statement, and similar ones, appear in other sections of the document, and predominantly under a header entitled, “System Development and Acquisition.”
This document also goes on to describe the EAF as an overall technical design and high-level plan that describes the financial institution’s technology infrastructure, systems’ inter-connectivity and security controls.
Technology measures like enterprise architecture can help eradicate weak links in an organisation’s cyber security defense.
But, cyber security isn’t just a technical issue. It is an organisation-wide matter that requires all hands on board to play their role, for example practice basic cyber hygiene.
Humans are another weak link in a business’ defense chain that needs to be addressed as well.