Oct 23, 2014

Monetary Authority of Singapore (MAS) Compliance: As Easy as Chewing Gum and Walking

By John Montesi

Singapore is famous for its balmy weather, insanely clean streets — and maximum-security banks.

The dark side of such a utopia is an overwhelming set of rules and regulations that can quickly become disastrous for tourists. The half-joke about visiting Singapore, chewing gum, and never leaving has a little too much truth to be funny.

But I digress. Singapore is renowned for its economy and is quickly becoming the Switzerland of Asia for its bank security and business-friendly tax policies.

Strict laws and safe banks make for both a millionaire's dream come true and an international business nightmare. The MAS, or Monetary Authority of Singapore, is known to have some of the most comprehensive cybersecurity regulations in the world. Its Technology Risk Management Guidelines are widely regarded as the standard for financial institutions in this international Internet age. Globalization on the Internet means you have to obey all laws at all times, not just the ones that apply to the place where you're sitting. We've already dreamed of a world where someone takes care of all the tedious legalese for you, but it doesn't hurt to look at what compliance means for your company.

As a major hub in the modern financial landscape, it's inevitable that money from your enterprise will pass through Singapore. Instead of getting overwhelmed by the MAS's demanding business guidelines, compliant businesses should be grateful that an international powerhouse is establishing best practices for third-party applications. We're here to understand what that means and how you can avoid making a mistake like chewing gum in public — without having to wade through all the legal documents.

The Gold Standard

The Monetary Authority of Singapore has the strictest national guidelines for cyberbanking in the world. This isn't all bad. If you implement a comprehensive security program that complies with its guidelines, you know you'll be safe in all other markets, too. However, if your enterprise cuts corners and implements a security program that's compliant with domestic standards, you'll be risking financial penalties any time you conduct business in Singapore. Here are five of the major Technology Risk Management Guidelines that, while difficult to implement, are essential to a truly secure enterprise:

1. Source-Code Review

The MAS has issued rigorous demands regarding reviewing source code, cementing what we've long known about user and acceptance tests: they stink. You cannot prove compliance with its guidelines unless your system's source code has been thoroughly (and frequently) tested, which highlights the need for the latest crop of automated security services that inventory and review all systems' source code. It is possible to manually review source code and check it against the latest threats — but, frankly, nobody's got time for that.

2. Outsourced IT Vetting

Unless you are located in Singapore, your enterprise is considered outsourced by the Monetary Authority of Singapore. Further complicating matters, any additional software you employ is considered a third-party application, which also must be thoroughly vetted. The rapid rise of the cloud further complicates comprehensive security as multitenancy becomes more common. Essentially, every piece of software in any chain that links to Singapore must be MAS-compliant. That includes anyone you share cloud space with — another realm where Singapore leads the industry. The latest security services automatically examine all apps in your network for compliance, ensuring that you don't go to jail because your neighbor did something you didn't even know about.

3. Mobile Security

The points at which mobile apps and browsers access websites are common vulnerabilities. The Monetary Authority of Singapore recognizes that only a comprehensive mobile-services and payment-security system can prevent attacks from finding backdoors through dated or untested versions of mobile apps. It's easy to overlook mobile security as a key aspect of compliance, but industry-leading regulations in Singapore recognize the importance of securing all points of entry. Proof of compliance includes a thoroughly tested mobile solution — a standard that is rapidly becoming the norm.

Even as mobile security becomes mandated, mobile platforms remain diffuse. When choosing a security solution, ensure that it covers iOS, Android, Windows and BlackBerry. Many solutions offer partial compliance, but security is only as strong as its weakest link.

4. Vulnerability Assessment and Penetration Testing

Virtually all cyberenterprises have some version of these practices in place, but the MAS calls for quarterly vulnerability assessments and annual penetration testing — aggressive timelines by the standards of yore. As more organizations adopt Singapore's guidelines, this will sound less extreme and more like the obvious thing to do. The Authority's guidelines advise a combination of manual and automated testing processes, making security services with integrated testing and reporting obvious choices for compliance. As you continue to consider compliance as a sales tool and general no-brainer instead of a groan-worthy thing that you'll get to someday, the trend toward routine testing and easy-to-read audits will only make life easier.

5. Speaking of Audits...

The Authority's guidelines mandate routine IT audits set at a schedule suited to an enterprise's size and complexity. Knowing all the applications tied into your system goes a long way toward making sure they're all secure. Independent, automated audit services that provide objective reviews of both software and security systems are the easiest way to confirm your compliance while minimizing the sense of complexity in your system.

No Trouble in Paradise

While it sounds like a lot to deal with, the regulations in Singapore are simply setting the standard for globalized IT. And with more security solutions offering comprehensive compliance, there are no excuses or headaches for companies striving to comply. In fact, it's probably harder to leave your gum at home than it is to please the MAS.

By John Montesi

John is a B2B and SaaS expert who likes to explain complex concepts using cute animals and cocktail napkins. He believes that content marketing is the future and sometimes ghostwrites, but he can never prove it.