Cybersecurity Bootcamp | Module 6

Cybersecurity Regulations (PDPA

& MAS TRM Guidelines)
Class Pointers

● Please switch on your webcams! Communication is 70% body language.

● This is not a webinar. This is an interactive, hands-on training workshop,
where everyone participates!
● Keep your mic constantly muted (to prevent background noise)
● Unmute your mic to speak up and ask questions
● Always clarify your doubts. Don’t be shy!
● Feel free to ask any questions. This is a safe zone for everyone, no matter
your starting level.

© 2022 Vertical Institute

Vertical Institute
Class Pointers
● Use the ‘Raise Hand’ or ‘Thumbs Up’ function!

Step 1:

Step 2:

© 2022 Vertical Institute

Vertical Institute
Agenda

• Tutorial:
• Personal Data Protection Act (PDPA)
• Objectives of securing our personal data
• How PDPA works
• Applying PDPA to personal and work activities
• Protecting personal data online
• Monetary Authority of Singapore – Technology Risk Management
• Establish Sound and Robust Technology Risk Governance and
Oversight
• Maintain Cyber Resilience
• Activity:
• Case study on commission decisions on financial institutions

© 2022 Vertical Institute

Personal Data Protection Act
(PDPA)
How did data privacy concerns come about?

Consumers getting spammed by

companies because of accidental
More companies are digitalising, as a
disclosure of their personal contacts
result, more hacks and accidental
disclosures
Emails, phone numbers, social media
profiles, etc.

© 2022 Vertical Institute

What is it in for businesses?

Directions from the PDPC to secure

compliance with the PDPA Additional Penalty for
the “Do Not Call Provision”

• 5% Annual Turnover
Directions by the PDPC to pay a financial • SGD $1 million
penalty of such amount not exceeding • Whichever is higher
S$1 million as the PDPC thinks fit

© 2022 Vertical Institute

What is it in for me?

Any person guilty of an offence under Subsection 1 (Data Protection Provision)

• Conviction to a Fine
• Imprisonment not exceeding 12 months

© 2022 Vertical Institute

Personal Data Protection Act (PDPA)

Under the Personal Data Protection Act Personal data refers to data, whether
2012 (PDPA), organisations are required true or not, about an individual who can
to appoint one or more Data Protection be identified
Officers (DPOs) to be responsible for
ensuring the organization's compliance
with the PDPA.
(i) directly from that data or

(ii) from that data together with other

information which an organisation has or
is likely to have access.

© 2022 Vertical Institute

Personal Data Protection Act (PDPA)

Personal Data includes:

• full name
• home and email addresses,
• identification card number,
• mobile number,
• passport number,
• date of birth, and
• location data (e.g., the location data function on mobile phones) and
Internet Protocol (IP) address

© 2022 Vertical Institute

 Exercise: Read a case from PDPC
regarding a financial services
organization
https://www.pdpc.gov.sg/All-Commissions-Decisions

© 2022 Vertical Institute

 Do Not Call Registry
https://www.dnc.gov.sg/index.html

© 2022 Vertical Institute

 Is photograph of you considered personal
data?
• Yes
• No

© 2022 Vertical Institute

 Is photograph of you considered personal
data?
• Yes
• No

© 2022 Vertical Institute

 Personal or work capacity?

● Personal capacity ● Work Capacity

○ Photos/videos taken and ○ Photos/videos taken and
uploaded to Facebook only uploaded to Facebook accessible
accessible to friends to the world
○ Personal or domestic capacity is ○ Consent is required
an exception to the consent
obligation

https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Advisory-Guidelines/AG-on-Selected-Topi
cs/Advisory-Guidelines-on-the-PDPA-for-Selected-Topics-4-Oct-2021.ashx?la=en

© 2022 Vertical Institute

Vertical Institute
Types of data
Data can be

Digital Physical

Text file Documents including

personally identifiable
information
PDF

Attendance sheet with

name, email, location
Excel Sheets

Sign in/out sheets

Microsoft Word

© 2022 Vertical Institute

Data Security

Classify the sensitivity of data

Use authorised systems to handle sensitive of data

Only use authorised and approved software

Cloud drives not for storing sensitive data

Use approved thumb drives and hard disk drives

Lock your screen when you are away

© 2022 Vertical Institute

 What kind of sensitive
data do you work on in a
day-to-day basis?

Exercise: Identify What kind of personal

and protect personal data are your parents or
children providing online?
data

How can you protect

those personal data?

© 2022 Vertical Institute

 Not covered under the Data Protection obligations
Business • Name,
Contact • Telephone,
• Email,
Information • Business address
appearing in your name cards are not covered

© 2022 Vertical Institute

 10 main obligations of the Protection Provision
1. Consent
2. Purpose limitation
3. Notification
4. Access and correction
5. Accuracy
6. Protection
7. Retention
8. Transfer limitation
9. Accountability obligation
10. Data breach notification

© 2022 Vertical Institute

Consent

Organization collecting, using or disclosing

personal data are required to notify the
individual

© 2022 Vertical Institute

Consent - Example

• Sarah wants to sign up for a spa package. The terms and conditions include a provision that
the spa may share her personal data with third parties, including selling her personal data to
third party marketing agencies. Sarah does not wish to consent to such a disclosure of her
personal data and requests the spa not to disclose her personal data to third party marketing
agencies. The spa refuses to act on her request and informs her that the terms and conditions
are standard, and that all customers must agree to all the terms and conditions. Sarah is left
either with the choice of accepting all the terms and conditions (i.e. giving consent for use and
disclosure of her data as described) or not proceeding with the sign up.

• In this case, even if Sarah consents to the disclosure of her data to third party marketing
agencies, the consent would not be considered valid since it is beyond what is reasonable for
the provision of the spa’s services to its customers, and the spa had required Sarah’s consent
as a condition for providing its services.

© 2022 Vertical Institute

Purpose limitation

• An organization may collect, user or disclose personal data:

• For reasonably appropriate purposes
• If the individual has been informed of the purpose

For any other purposes that the organisation deem fit

© 2022 Vertical Institute

Consent for processing of payment and delivery

• Bella orders furniture from a retailer through an e-commerce platform and provides
her personal data (e.g. credit card details, contact number and residential address)
for the purchase and delivery of goods. She also selects the option to have her
furniture delivered to her home by a delivery company.

© 2022 Vertical Institute

Deemed consent for processing of payment

• Sarah is deemed to consent to a spa collecting, using or disclosing her credit card details
to process the payment for her facial. While processing the payment, her credit card
details are transmitted to the spa’s bank which handles the payment. Since Sarah is
deemed to consent to the disclosure of her credit card details by the spa to its bank,
deemed consent by contractual necessity would apply to all other parties involved in the
payment processing chain who collects or uses Sarah’s personal data, where the
collection, use or disclosure is reasonably necessary to fulfil the contract between Sarah
and the spa. These parties include, for example, Sarah’s bank, the spa’s bank, the banks’
processors and the credit card scheme’s payment system providers.

© 2022 Vertical Institute

Bank’s network analysis to prevent fraud and financial crime,
and perform credit analysis
A bank intends to integrate data across individuals and their associated organisations and businesses to
build further profiles about them. The use of personal data allows the bank to identify individuals who may
have committed a financial crime or received funds in relation to a crime; and to identify individuals and
organisations with credit inter-dependencies to form better assessments of their actual credit standings and
sources of funds for repayment.

In addition to comply with the Monetary Authority of Singapore’s (“MAS”) requirements, the bank conducts
an assessment of legitimate interests and assesses that the benefits of using the data (i.e. detection and
deterrence of flow of illicit funds through Singapore's financial system, understanding prospects’ or
customers’ financial standing) outweigh any likely adverse effect to the individuals (e.g. identification of
individuals with potential nefarious intentions, enforcement actions by authorities, and impact on credit
facilities to individuals assessed to be of poorer credit standing). The bank includes in its privacy policy that
it is relying on the legitimate interests exception to collect, use and disclose personal data for conducting
credit checks, analyses and due diligence checks as required under applicable laws.

In this case, the bank may rely on the legitimate interests exception to collect, use and disclose personal
data to prevent fraud and financial crime, and
perform credit analysis.

© 2022 Vertical Institute

Consent - Corporate group

• For example, when an individual subscribes to a service offered by one organization in a

corporate group, the organization could have obtained the individual’s consent to the collection,
use and disclosure of his personal data for the purposes of marketing and promoting the
products and services of that organization and the other companies within the corporate group.

© 2022 Vertical Institute

SPA case
• Sarah provides the personal data of her friend Jane to the sales consultant at her spa as part of
a member’s referral programme the spa is running. Before recording Jane’s personal data, the
sales consultant asks Sarah a few questions to determine if Jane had been informed of the
purposes for which her personal data is being disclosed to and used by the spa, and if Jane had
indeed provided her consent. After obtaining verbal confirmation from Sarah in the affirmative to
those questions, the sales consultant proceeded to collect Jane’s personal data.
• The sales consultant is likely to have exercised appropriate due diligence in this situation.
• As good practice, before sending your friends’ contact to an organization, seek consent.

© 2022 Vertical Institute

Consent exceptions?
 Consent • the collection is necessary to respond to an
emergency that threatens the life, health or safety
exceptions of the individual or another individual;
• the personal data is publicly available; and
• the collection is necessary for evaluative purposes.

© 2022 Vertical Institute

 • You are a financial consultant working for an

Who owns insurance company.

• You have worked with hundreds, or thousands of
the data? customers and you have saved their mobile
number, email address and home addresses into
your laptop.
• You have the intention to switch company
• Who owns the customers’ data?

© 2022 Vertical Institute

 Who owns • The company
the data?

© 2022 Vertical Institute

 Recall the contract
you have signed
with your • Rights to own data and work by employer
employer?

© 2022 Vertical Institute

 Notification • Notify for which it intends to collect, use, or
disclose the individual’s personal data on or
before such collection, use or disclosure of the
personal data.
• Notify data subject if you will reuse data for
the different or new purpose

© 2022 Vertical Institute

Notification - Gym membership

Sarah signs up for a membership at a gym. The application form contains an extract of the most
relevant portions of the Data Protection Policy in a physical document. For example, it states that
Sarah’s address details will be used for sending her a gym membership card and other
communications related to her gym membership. The sales representative of the gym informs her
that the full Data Protection Policy is available on the gym’s website and provides her with relevant
information to locate it. In this case, the gym has informed Sarah of the purposes for which her
personal data will be collected, used or disclosed.

© 2022 Vertical Institute

Notification - Electronic store compliant?

An electronics store sells products online through its website. It informs individuals
purchasing products through its website of the purposes for which it will be collecting,
using and disclosing personal data, including that the contact details provided by the
customers will be disclosed to other companies in the electronics store’s corporate group
and outsourced marketing company for the purposes of marketing the products of the
various companies in its corporate group from time to time.

© 2022 Vertical Institute

Notification - Electronic store compliant?

An electronics store sells products online through its website. It informs individuals
purchasing products through its website of the purposes for which it will be collecting,
using and disclosing personal data, including that the contact details provided by the
customers will be disclosed to other companies in the electronics store’s corporate group
and outsourced marketing company for the purposes of marketing the products of the
various companies in its corporate group from time to time.

In this case, the electronics store would be considered to have stated a sufficiently
specific purpose.

© 2022 Vertical Institute

Access and correction

• Upon request, organisations are required to provide an individual access to his/her

personal data.
• If the request will take more than 30 days to process, businesses need to provide
response to the data subject
• Must provide time by which the organization will respond

© 2022 Vertical Institute

Access and correction

● Correct an error or omission in an individual’s personal data

○ As soon as possible
○ Within 30 days with interim if the organization is not able to provide the personal data
○ No fees to be levied

© 2022 Vertical Institute

Access and correction – Compliant?

• Company ZYX receives an access request from a customer to view his personal data stored in a
format that is readable only by a special machine. The company owns two such machines, but
both are faulty. In order to respond to the customer’s request in a timely manner, ZYX purchases
another machine and transfers its cost to the customer as part of the access fee. Because of this,
the access fee amounts to $50,000.

© 2022 Vertical Institute

Access and correction

• Company ZYX receives an access request from a customer to view his personal data
stored in a format that is readable only by a special machine. The company owns two
such machines, but both are faulty. In order to respond to the customer’s request in a
timely manner, ZYX purchases another machine and transfers its cost to the customer as
part of the access fee. Because of this, the access fee amounts to $50,000.

This would not be considered a reasonable fee as ZYX is expected to have the general
means to comply with its customers’ access requests.

© 2022 Vertical Institute

Access and correction exceptions
• A shopping centre receives a request from an individual to view all CCTV footage of
him recorded at the shopping centre over the past year. In this scenario, reviewing all
CCTV footage from the past year to find records of the individual making the request
would require considerable time and effort. To the extent that the burden of providing
access would be unreasonable to the shopping centre and disproportionate to the
individual’s interests as the individual is making a general request for all CCTV
footage, the shopping centre is unlikely to have to provide the requested personal
data under the Access Obligation.

© 2022 Vertical Institute

 • Your organization should ensure that the
Accuracy personal data collected by the organization is
accurate and complete.

© 2022 Vertical Institute

Accuracy – Personal details of a bank’s customer
Nick applies for a credit card from a bank. The bank asks Nick to provide relevant details such as his
name, address, current employment status and income, which constitute personal data, in order to
assess the application. Related to this, the bank asks Nick to provide supporting documents including
an identity document and his most recent payslip, in order to verify the information provided by Nick. It
also asks Nick to declare that the information he has provided is accurate and complete. In this
scenario, the bank has made a reasonable effort to ensure that the personal data collected from Nick
is accurate and complete.

Two years later, Nick applies for a home loan from a bank. The bank has not made any checks during
the two years that Nick’s personal data is accurate and complete. When the bank received the home
loan application, the bank showed Nick their records of his personal data and asked Nick to make a
fresh declaration that the record is accurate and complete. In addition, noting that the supporting
documents previously obtained for the credit card application are now dated two years back, the bank
asked Nick to provide a copy of his most recent payslip and proof of employment. In this scenario, the
bank has made a reasonable effort to ensure that the personal data collected from Nick is accurate
and complete.

© 2022 Vertical Institute

Accuracy - Job change

A company is considering whether an existing employee, John, should be

transferred to take on a different role in its IT department. One of the criteria for the
transfer is the possession of certain qualifications and professional certifications.
The company has information about John’s qualifications and professional
certifications that was provided by John (which form part of his personal data) when
he joined the company five years before.

The company asks John to update them with any new qualifications or certifications
he may have obtained in the last five years since joining the company but does not
ask him to re-confirm the information about the qualifications he provided when he
joined the company. In this scenario, the company is likely to have met its obligation
to update John’s personal data.

© 2022 Vertical Institute

Protection

• Reasonable security arrangements must be made to protect the personal data in

your organization's possession to prevent unauthorised access, collection, use,
disclosure or similar risks.

Administrative Physical Technical

Requiring employees to be bound Marking confidential Encrypting personal data to

by confidentiality obligations in documents clearly and prevent unauthorized access;
their employment agreements prominently; Installing appropriate computer
Storing confidential documents security software and using
in locked file cabinet systems suitable computer security settings

© 2022 Vertical Institute

Administrative controls

● Policies, procedures designed to protect information

● For example:
○ Office-wide policies of setting secure passwords
○ User acceptable policy
○ Access authorisation

© 2022 Vertical Institute

Administrative controls examples

● Cybersecurity awareness training to whole of organization every 6 months

● Risk assessments and security measures
● Incidence response procedures

© 2022 Vertical Institute

Physical controls

● Physical protections to protect computers, workplace equipment and information.

© 2022 Vertical Institute

Physical controls examples

● Employee badges for access into the building and rooms

● Workstations are locked to the table to prevent theft
● Closed-circuit surveillance cameras monitored 24x7 by security team

© 2022 Vertical Institute

Technical controls

● Anti-virus
● Firewall
● Patching
● Intrusion detection systems
● Security orchestration and response

© 2022 Vertical Institute

Retention

● Cease retention of personal data or dispose of it in a proper manner when it is no longer

needed for any business or legal purpose.
○ Only when purpose remains valid
○ Personal data must not be kept by an organization “just in case” it may be needed for
other purposes that have not been notified to the individual concerned

© 2022 Vertical Institute

Examples on Retention Limitation

● A dance school has collected personal data of its tutors and students. It retains and uses
such data (with the consent of the individuals), even if a tutor or student is no longer with the
dance school, for the purpose of maintaining an alumni network. As the dance school is
retaining the personal data for a valid purpose, it is not required to cease to retain the data
under the Retention Limitation Obligation.

© 2022 Vertical Institute

 Are your deleted files in
recycle bin really
deleted?

© 2022 Vertical Institute

 Emptied bins can be
recovered.

© 2022 Vertical Institute

 Recycle bin
needs to be Requires Sdelete or 3rd party software.

shredded.

© 2022 Vertical Institute

 Transfer personal data to another country only
Transfer according to the requirements prescribed under the
regulations, to ensure that the standard of protection
Limitation is comparable to the protection under the PDPA,
unless exempted by the PDPC.

© 2022 Vertical Institute

Transfer limitation example

Organization ABC is transferring personal data of its customers to its parent company overseas via
the group’s centralised customer management system. The conditions of the transfer, including the
protections that will be accorded to the personal data transferred, are set out in binding corporate
rules that apply to both ABC and its head office. ABC has reviewed these binding corporate rules
and assessed that they comply with the conditions prescribed under the Personal Data Protection
Regulations 2021 and would provide protection that is comparable to the standard under the
PDPA. In this case, ABC’s transfer of the personal data to its parent company overseas would
follow the Transfer Limitation Obligation.

© 2022 Vertical Institute

Global challenges when it comes to
multi-region cloud computing
● Where is your data stored?
● How is it stored?
● Are you backing up to another region for protection?
● Where are your files located in Google drive/OneDrive/Cloud Storages?

© 2022 Vertical Institute

 • In the event of a data breach, organisations must
take steps to assess if it is notifiable. If the data
breach likely results in significant harm to
individuals, and/or are of significant scale,
Data Breach organisations are required to notify the PDPC and
the affected individuals as soon as practicable.
Notification • Within 30 calendar days
• Provide the Commission an explanation for
the time taken to carry out the assessment
• Significance
• Data breach of over 500 or more individuals

© 2022 Vertical Institute

Types of data involving personal data to notify the
affected individuals and the Commission
● Full name +
○ Salary, wages, credit card, net worth, investments, debts
○ Identification of child or young person
■ Arrested, in custody, under investigation
○ Individual under investigation, order made by a court
○ Medical information
○ Adoption matters
○ Private key
● Password, security code, access code, etc.

© 2022 Vertical Institute

Misplaced storage drive

Sarah, a HR executive, misplaces an organization-issued

storage device containing the personal data and work
evaluation reports of her company’s staff and interns in her
company’s premises.
After a few days, the misplaced storage drive is found in her
company’s premises by another staff, Rachel. Sarah’s
company confirms that Rachel immediately returned the
storage drive to the HR department upon finding it, and that
no one accessed the storage drive while it was misplaced.

*Forensics have been completed to confirm that there are no

external access to the storage drive during that period.*

© 2022 Vertical Institute

Misplaced storage drive

Sarah, a HR executive, misplaces an organization-issued

storage device containing the personal data and work
evaluation reports of her company’s staff and interns in her
company’s premises.
After a few days, the misplaced storage drive is found in her
company’s premises by another staff, Rachel. Sarah’s
company confirms that Rachel immediately returned the
storage drive to the HR department upon finding it, and that
no one accessed the storage drive while it was misplaced.

In this case, the DBN Obligation would not apply as it

occurred within the organisation.

© 2022 Vertical Institute

 Lost and Found:
USB Sticks with Data on 460,000 People
The plight of a technician tasked with transferring a city’s worth of
personal data is a lesson in the risks of combining small, important
objects with a night out drinking.

Explained at a news conference, were the names, birthdays and ID numbers of

about 460,000 people: the entire population of the city. Their home addresses
and bank details were in the trove of data, too.

https://www.nytimes.com/2022/06/28/world/asia/usb-japan-flash-drive-amagasaki.html

© 2022 Vertical Institute

 Lost and Found:
USB Sticks with Data on 460,000 People
The plight of a technician tasked with transferring a city’s worth of
personal data is a lesson in the risks of combining small, important
objects with a night out drinking.

• Why was a subcontractor allowed to take data into a thumb drive?

• What security mechanisms are in the thumb drive?
• Why could the data not be accessed via other more secure means?

https://www.nytimes.com/2022/06/28/world/asia/usb-japan-flash-drive-amagasaki.html

© 2022 Vertical Institute

 Lost and Found:
USB Sticks with Data on 460,000 People
The plight of a technician tasked with transferring a city’s worth of
personal data is a lesson in the risks of combining small, important
objects with a night out drinking.

How would you do better?

© 2022 Vertical Institute

Access of customers’ records

• On 10 October 2016, the Commissioner was informed by the Complainant that the
Prudential folders had been disposed of by leaving beside the rubbish bin at level 2 of
the multi-storey car-park at Blk 821A Jurong West Street 81. Upon further inspection,
the Complainant found that the Prudential folders contained 13 Certificates of Life
Assurance issued by Prudential, and bore the names of 12 individuals, in addition to 2
letters addressed to 2 of the aforementioned individuals.

© 2022 Vertical Institute

MAS TRM
 Monetary Authority of Singapore –
Technology Risk Management
https://www.mas.gov.sg/-/media/MAS/Regulations-and-Financial-Stability/Regulatory-and-Super
visory-Framework/Risk-Management/TRM-Guidelines-18-January-2021.pdf

© 2022 Vertical Institute

 Establish sound and robust technology risk

Guidance governance and oversight

Maintain cyber resilience

© 2022 Vertical Institute

Role of the Board of Directors

● Sound and robust risk management framework

● Oversee technology risk management
● Give senior executives sufficient authority, resources and access to the board of directors
● Approve the risk appetite and risk tolerance
● Regular reviews of technology risk management
● Independent audit function to assess the effectiveness of controls

© 2022 Vertical Institute

Role of Senior Management

● Establish technology risk management framework and strategy

● Manage technology risks
● Sound and prudent policies, standards and procedures
○ Established and maintained, standards and procedures are implemented effectively

© 2022 Vertical Institute

Policies, Standards and Procedures

● Policies
○ Statement of intent
● Standards
○ Rules to achieve that intent, usually, measurable
● Procedures
○ Steps to perform specific operations

© 2022 Vertical Institute

Management of Information Assets

● Accurate and complete view of FI’s operating environment

● Inventory of information assets

© 2022 Vertical Institute

Management of Third-Party Services

● Can be impacted by Third-Party services

● Assess and manage exposure to technology risks with Third-Party
● On-going assessment of care and diligence

© 2022 Vertical Institute

Competency and Background Review

● Contractors
● Service Providers

© 2022 Vertical Institute

Remember Insider
Threats?
Security Awareness and Training

● Comprehensive training on prevailing cyber threat landscape and its implication

● FI’s IT security policies and standards
● Applicable laws, regulations and guidelines
● At least annually
● Including Board of Directors, Staffs, Contractors and Service Providers

© 2022 Vertical Institute

Sounds familiar
Risk Management Framework

● Achieve Confidentiality, Integrity and Availability of its IT operating environment

● Risk owners
● Framework:
○ Risk identification
○ Risk assessment
○ Risk treatment
○ Risk monitoring, review and reporting

© 2022 Vertical Institute

IT Project Management and
Security-by-Design
Project Management Framework

● Consistency in project management practices

● Scope, activities, milestones and deliverables of project
● Project risks management

© 2022 Vertical Institute

Project Steering Committee

● Key stakeholders
● Business owners and IT
● Direction, guidance and oversight
● Risks and issues escalation

© 2022 Vertical Institute

System Acquisition

● Standards and procedures for vendor evaluation and selection

● Level of assessment and due diligence commensurate with criticality of project
● Robustness of vendor’s software development and security practices
● Do you have access to the source code?

© 2022 Vertical Institute

System Development Life Cycle and Security-By-Design

● Framework for SDLC

● Processes, procedures and controls
● Minimise system vulnerabilities and reduce attack surface

© 2022 Vertical Institute

System Requirements Analysis

● Identify, define and document the functional requirements of the IT system including security
controls
● Potential threats and risks to the IT system and determine acceptable level of security

© 2022 Vertical Institute

System Design and Implementation

● Review proposed architecture and design of the IT system

● System requirements are met by system design and implementation

© 2022 Vertical Institute

System Testing and Acceptance

● Methodology for system testing

● Business logic, system function, security controls and system performance

© 2022 Vertical Institute

Quality Management

● Quality attributes and assessment metrics

● Independent quality assurance function

© 2022 Vertical Institute

Software Application
Development and
Management
Secure Coding, Source Code Review and Application Security Testing

● Secure programming practices, input validation, access controls, etc.

● Policy and procedure on the use of third party and open-source software codes
● Keep track of updates and vulnerabilities
● Software developers are security trained

© 2022 Vertical Institute

Application Programming Interface Development

● APIs to be tested before making these APIs publicly accessible

● Risk assessment of external IT systems connection to the APIs
● Monitoring and alerting

© 2022 Vertical Institute

Management of End User Computing and Applications

● Control and monitor the use of shadow IT

● Assess risk of end user developed or acquired applications

© 2022 Vertical Institute

IT Service Management Framework

● How do you manage your information technology environment?

● Configuration management
○ Hardware and software
● Technology refresh management
○ Monitor End Of Support (EOS) dates – These technology can lead to exposed
vulnerabilities as they are unpatched
○ Risk assessment for hardware and software approaching EOS

© 2022 Vertical Institute

IT Service Management Framework

● Patch Management
○ To secure systems from vulnerabilities
○ Tested patches
● Change Management
○ Changes are assessed before implementation
○ Risk and impact analysis on changes
○ Backup of information asset prior to change implementation
○ Define procedures

© 2022 Vertical Institute

IT Service Management Framework

● Software Release Management

○ Segregation of duties
○ Traceability and integrity for software codes
● Incident Management
○ Facilitate and support incident response and recovery
○ Process and procedure
○ Maintenance and protection of evidence
○ Roles and responsibilities

© 2022 Vertical Institute

IT Resilience

● System Availability
○ Redundancy or fault-tolerant solutions
○ Monitoring system resources against thresholds
● System Recoverability
○ Recovery Time Objectives and Recovery Point Objectives
○ Disaster recovery plan
● Testing of Disaster Recovery Plan
○ Validate effectiveness of plan
■ Disruption scenarios
■ Recovery dependencies

© 2022 Vertical Institute

IT Resilience

● System Backup and Recovery

○ Regular backups
○ Backup data life cycle
○ Periodic tests
● Data Centre Resilience
○ Threat and Vulnerability Risk Assessment

© 2022 Vertical Institute

Access Control

● User Access Management

○ Never alone
○ Segregation of duties
○ Least privilege
○ Password policies and Multi-Factor Authentication
○ User access review
● Privileged Access Management
○ Need-to-use
○ Activities to be logged
● Remote Access Management
○ Encrypted connections
○ Remote access from secured devices

© 2022 Vertical Institute

Cryptography

● Protect data confidentiality, maintain data integrity and authenticity.

● Cryptographic key management

© 2022 Vertical Institute

Data and Infrastructure Security

● Data loss prevention policies

● Detect and prevent unauthorized access, modification, copying or transmission of its
confidential data
● Network security
○ Firewalls, network segmentation, network intrusion prevention systems, denial of
service protection

© 2022 Vertical Institute

Data and Infrastructure Security

● System security
○ Hardware and software configuration
○ Application of standards
○ Bring Your Own Device (BYOD) security
● Virtualisation Security
● Internet of Things

© 2022 Vertical Institute

Cyber Security Operations

● Cyber Threat Intelligence and Information Sharing

● Cyber Event Monitoring and Detection
○ Baseline profile of IT systems
○ User behavioral analytics
● Cyber Incident Response and Management

© 2022 Vertical Institute

Cyber Security Assessment

● Vulnerability Assessment
● Penetration Testing
● Cyber Exercises
○ Simulated social engineering attacks, table-top exercises, cyber range exercises
● Adversarial Attack Simulation Exercise
○ Test and validate effectiveness of cyber defense and response
● Intelligence-Based Scenario Design
● Remediation Management

© 2022 Vertical Institute

Online Financial Services

● Security of Online Financial Services

○ Payments, trading, insurance via the Internet
○ Secure communications channel
○ Minimise exposure to common attacks
○ Actively monitor for phishing campaigns targeting the Financial Institution and its
customers
● Customer Authentication and Transaction Signing
○ Multi-Factor Authentication
○ Biometrics-related data and authentication credentials are encrypted in storage and
during transmission

© 2022 Vertical Institute

Online Financial Services

● Fraud Monitoring
○ Identify and block suspicious transactions
○ Investigation of suspicious transactions
○ Notify customers
● Customer Education and Communication

© 2022 Vertical Institute

IT Audit

● Audit Function
○ Assess effectiveness of controls, risk management and governance process in financial
institution
○ Independent and objective

© 2022 Vertical Institute

 Your accounts, devices, and information all

You are have tremendous value to cyber attackers.

You are key in not only protecting your
the shield company but helping to identify and report
when we are being attacked.

© 2022 Vertical Institute

 Are photos of you personal
data?
A. True
B. False

© 2022 Vertical Institute

 Are photos of you personal
data?
A. True
B. False

© 2022 Vertical Institute

 Is your name and bank account number
personal data?
A. True
B. False

© 2022 Vertical Institute

 Is your name and bank account number
personal data?
A. True
B. False

© 2022 Vertical Institute

 Does photos taken during your wedding belong
to you or the photographers?
A. Me
B. Photographers

© 2022 Vertical Institute

 Does photos taken during your wedding belong
to you or the photographers?
A. Me
B. Photographers

© 2022 Vertical Institute

 Copyright Act
Singapore’s amended Copyright Act grants rights over wedding
photos to photographers

https://www.asiaiplaw.com/article/singapores-amended-copyright-ac
t-grants-rights-over-wedding-photos-to-photographers

© 2022 Vertical Institute

Thank You!