The Technology Risk Management (TRM) Guidelines provide comprehensive guidance to financial institutions (FIs) operating under license in Singapore. They establish principles and best practices around technology risk management and information security to address current and future technology risks. They also place responsibility on the board and senior management for ensuring that effective internal controls and risk management practices are implemented to achieve security, reliability, resiliency, and recoverability.
The TRM Notice consists of 15 separate notices, each covering a different type of financial institution in Singapore (e.g., commercial banks, merchant banks, insurance companies). These notices are effective from 18 January 2021 and each notice defines a set of legal requirements relating to technology risk management. These include requirements for a high level of reliability, availability, and recoverability of critical IT systems and for implementation of IT security controls to protect customer information from unauthorised access or disclosure. Failure to comply with the Notice can result in financial penalties and a revocation of licenses to operate in Singapore.
Because the IBM i is a unique platform, many of the technology products you would expect to ensure TRM compliance will either not work or perform inadequately on the platform.
You can’t take any privileged access management solution and expect to fully govern privileged access on the IBM i. Many solutions only control access to shared accounts. Although this is a generally accepted practice, the guidelines specifically prohibit the sharing of privileged accounts. This means individual accounts must be created on each server and partition. One benefit of this is that all privileged activity, including the users’ details, is fully captured in the audit logs, and this step meets another requirement in the guidelines.
The IBM i presents a challenge to organisations looking to comply with the TRM guidelines. Just as most privileged access management solutions aren’t good enough for compliance, the same is true of system management and disaster recovery solutions.
Fortra’s System Management and Security Solutions for IBM i
Fortra is a global provider of systems and network management, security and compliance, and business intelligence solutions. Our software helps reduce data centre costs by improving operational control and delivery of IT services, which allows organisations to meet many aspects of the TRM guidelines.
To meet the systems management requirements within the TRM guidelines, there is the Robot solution for the IBM i platform. It offers the world’s most advanced, fully integrated software for IBM i backup and recovery, system performance monitoring, production control, and message management.
Powertech enables organisations using the IBM i platform to meet many of the security requirements within the TRM guidelines. It allows organisations to centrally create and manage user profiles across multiple systems, to limit and report on the activity of privileged user accounts, to audit and control access through all common network services, and to report real-time security events to SIEM solutions.
How Fortra Helps You Meet TRM Guidelines
The core of the TRM guidelines is a group of principles and accompanying requirements. Differing vendor products may be needed for each of those principles. In certain cases, multiple products may be needed to meet the accompanying requirements. With products built specifically for IBM i, only Fortra can ensure that your platform complies with TRM requirements. Other solutions are forced to compromise platform-specific security and system management best practices in order to support multiple platforms. Fortra can provide the compliance solutions you need without compromise and without dealing with multiple vendors.
Fortra and TRM Guidelines
The following list shows how Fortra products from Robot and Powertech can help organisations meet TRM guidelines for the IBM i platform, section by section.
7.2 Configuration Management
Configuration management is the process of maintaining key information (e.g. model, version, specifications, etc.) about the configuration of the hardware and software that makes up each IT system.
The FI should review and verify the configuration information of its hardware and software on a regular basis to ensure it is accurate and up to date.
- Performance Navigator maintains an Enterprise Hardware Summary so that you can stay on top of your hardware and operating system software configurations.
7.7 Incident Management
The FI should configure system events or alerts to provide an early indication of issues that may affect its IT systems’ performance and security. System events or alerts should be actively monitored so that prompt measures can be taken to address the issues early.
- Powertech SIEM Agent for IBM i allows you to monitor for and be alerted to critical IBM i security events from the network, operating system, or any journal or message queue.
- Robot Monitor provides you with visibility into the performance of your Power servers, allowing you to respond to issues before they impact end users.
8.1 System Availability and 8.2 System Recoverability
Maintaining system availability and recoverability is crucial in achieving confidence and trust in the FI’s operational capabilities. Availability and recovery plans and processes should be reviewed periodically to identify weaknesses in the existing design.
- With Robot HA, the FI can monitor key performance and availability metrics in real time.
- Robot Monitor issues alerts based on thresholds established by Performance Navigator, helping the FI take timely action to ensure that there is sufficient capacity and that systems are running optimally.
- Robot HA also supports the implementation of a complete disaster recovery strategy, including the rotation of data and system saves, management of saved media across multiple data centres, encryption of data on media, and full or partial recovery.
8.4 System Backup Recovery
The FI should establish a system and data backup strategy, and develop a plan to perform regular backups so that systems and data can be recovered in the event of a system disruption or when data is corrupted or deleted. The FI should also manage the backup data life cycle and ensure that any confidential data stored in the backup media is secured.
- Robot Save offers comprehensive data backup management for IBM i. Robot Save enables centralized backup management, easy restoration, reporting features, and automated backup capabilities.
- Powertech Encryption for IBM i allows users to encrypt backups using their existing tape devices. Backups can also be protected using keys from Powertech Encryption’s Key Management System.
9.1 User Access Management
The principles of “never alone,” “segregation of duties,” and “least privilege” should be applied when granting staff access to information assets so that no one person has access to perform sensitive system functions. Access rights and system privileges should be granted according to the roles and responsibilities of the staff, contractors, and service providers.
- Powertech Exit Point Manager for IBM i helps monitor and control exit point traffic by restricting data access to authorised users only.
- Powertech MFA authenticates users who are accessing sensitive system functions.
- Powertech Command Security for IBM i monitors, controls, and records the execution of IBM i commands.
- Powertech Compliance Monitor for IBM i allows audit journal data to be retrieved and stored in a highly compressed state to provide visibility into activity across systems.
- Powertech Authority Broker for IBM i makes it easy for administrators to delegate to users precisely the level of access and authority they need to perform their jobs.
9.2 Privileged Access Management
Users granted privileged system access have the ability to inflict severe damage on the stability and security of the FI’s IT environment. Access to privileged accounts should only be granted on a need-to-use basis; activities of these accounts should be logged and reviewed as part of the FI’s ongoing monitoring.
- Powertech Authority Broker for IBM i allows you to delegate and monitor elevated privileges, eliminating the need for special authorities in staff members’ everyday profiles. Define users who have the ability to swap into privileged profiles and track and record their actions while they are in a privileged state.
9.3 Remote Access Management
Remote access allows users to connect to the FI’s internal network via an external network to access the FI’s data and systems, such as emails and business applications. Strong authentication, such as multi-factor authentication, should be implemented for users performing remote access to safeguard against unauthorised access to the FI’s IT environment.
- Powertech Multi-Factor Authentication for IBM i provides the assurance that users are who they say they are. And with multiple ways to verify user identities, the authentication process has the flexibility and reliability that users expect.
11 Data and Infrastructure Security
The FI should develop comprehensive data loss prevention policies and adopt measures to detect and prevent unauthorised access, modification, copying, or transmission of its confidential data.
- Powertech Exit Point Manager for IBM i limits access to specific objects and libraries to only the users and groups who have a demonstrated business need.
- Powertech Database Monitor for IBM i offers real-time visibility into every change users make across all systems, allowing security administrators to virtually eliminate the risk of undetected data corruption.
- Powertech MFA employs a variety of authentication options to ensure that users attempting to access confidential data are exactly who they say they are.
- Powertech Antivirus for IBM i includes anti-ransomware technology that blocks intrusion attempts and halts the activities of suspicious users, preventing the theft of organisational data.
13 Cyber Security Assessment
The FI should establish a process to conduct regular vulnerability assessments (VA) and penetration tests (PT) on its IT systems to identify security vulnerabilities and ensure that risks arising from these gaps are addressed in a timely manner.
- Fortra’s IBM i Risk Assessment examines your system’s security vulnerabilities and provides you with a detailed report of expert findings and recommendations.
- Fortra’s Penetration Testing Services uncover your environment’s security weaknesses, determine the level of risk they pose, and provide tailored remediation strategies and services.
- Powertech Policy Minder for IBM i automates the comparison of your security policy to your system's current security settings and fixes any out-of-compliance items.
Summary
No one solution will allow an organisation to meet MAS TRM guidelines in full. Each organisation will need to build a solution using technology that is already deployed, along with either purchasing new technology to fill gaps or developing compensating controls.
IBM i organisations attempting to use products that aren’t specifically for the IBM i platform to meet the MAS TRM guidelines run significant operational risks. Because these products are not completely fit for purpose, the organisation could be opening up security or operational holes. This is further compounded by a false sense that simply using the products meets the requirements. As a result, attention is turned elsewhere and the products are only checked occasionally.
When it comes to the IBM i, Fortra has the most comprehensive product set available on the market and it’s completely fit for purpose, as it has been developed to work only on the IBM i. Fortra is the only vendor whose products enable organisations to meet both the security and system management requirements of the MAS TRM guidelines.
Evaluate Your IBM i Security Settings
Take the next step toward MAS TRM compliance by checking your IBM i security settings. The Security Scan from Fortra is a free application that audits common security metrics, so you know where your system security is strong and where vulnerabilities put you at risk of compliance violations. It also includes a personal consultation to review your current setup, in which you’ll find out how Fortra can help you achieve your security and compliance goals.