Travel: Hong Kong – Macau 2017

Had a 7 day trip with my family to Hong Kong and Macau. Writing this piece to record some of the interesting experience we had that may be useful in future.



We prepared approximately SGD 500 per person. It was more than enough for our food, gifts, activities and transport. (exclude accommodations and air ticket).


We flew to Hong Kong and transferred to Macau via a ferry, without clearing Hong Kong immigration. After staying two nights in Macau, we took another ferry to Hong Kong, where we stayed for another 4 nights before flying home.

Transiting from Hong Kong to Macau

  1. When checking in for departure, make sure that you have received baggage reclaim tags of check-in luggage, if any.
  2. Make the flight to Hong Kong.
  3. HACK: Keep the arrival and departure card given by your airline but don’t fill it up. You will need it when you travel from Macau to Hong Kong.
  4. Upon arrival, ask around or look at the directions to head to ferry transfer area.
  5. There are multiple companies offering ferry service to Macau. Be sure to check the timings that are best suited for you, and whether the ferry provides baggage transfer that you may require. (Just ask the ticketing staff for more information. For this trip we took a Cotai Water Jet ferry).
  6. Go to the your desired ferry company ticketing counter located in the ferry transfer area to purchase the ticket. If you require baggage transfer, highlight to the ticketing staff and pass them your baggage reclaim tag, in exchange for a new tag issued by the ferry company. (The company staff will reclaim the luggage on your behalf at the airport and load it up the ferry).
  7. While waiting to check-in, use the kiosk located near the ferry transfer area to check if your luggage has been successfully loaded up the ferry. (Scan the barcode on the ticket to check the status).
  8. Check the display screen to know if the gate is open. Once it is open, you can check-in and board the ferry.
  9. After arriving at Macau, clear the immigration, and if you had luggage transferred, remember to retrieve it from the baggage reclaim area.
  10. You can consider hoping on to any casino shuttle bus for a ride to the city area free of charge.

Travelling within Macau

  • The cheapest way to travel within Macau is via casino shuttle buses. The casino operators provide scheduled free transfers between various casinos across Macau, as well as shuttle to certain tourist attractions. (Check with the hotel you are staying in for a complete schedule).
  • Alternatively, you can call for a cab, or use UBER. UBER fares are pretty cheap. But do note that UBER is not yet legal in Macau as of now.

From Macau to Hong Kong

  1. Hop on to a casino shuttle bus heading for the terminal. There are two ferry terminals in Macau, that offer ferry services to different destinations. (Check online, or ask your hotel on which terminal to go to).
  2. Head to the ticketing area in the terminal, check for your desired departure timing, and purchase your ticket. There should be no need to check-in luggage as you are free to store them at the back of the ferry cabin. (For our trip, we took a TurboJET ferry).
  3. Clear the customs, board the ferry and enjoy your ride.
  4. HACK: You can pull out your arrival and departure card and fill it up. You will need it to clear immigration when you reach Hong Kong.
  5. After arrival, proceed to your destination, either by cab or by MTR. (For our trip, we arrived at the terminal in Kowloon, which is right on top of Kowloon MTR station.)

Travelling within Hong Kong

  • The public transport system is pretty cheap, efficient and connected. It can take you to most destinations.
  • Purchase an Octopus card at any MTR stations. It will allow you to pay for rides on the MTR, public buses, Ding Ding trams, or even make purchases at 7-eleven. At the end of your trip, you may refund the card.
  • The MTR is very similar to MRT in Singapore. Just follow the directions and you should do just fine getting around.
  • Public buses are also similar to Singapore, just that you pay a fixed fare regardless of distance traveled. Use your GPS or on-board digital signage to identify your destination, and remember to press the bell to alight!
  • Ding Ding trams are an interesting experience to enjoy some sight-seeing in the city. Take note of the following:
    • There only a few Ding Ding trams routes that are differentiated by colour. Check out the route map to plan your journey.
    • Every Ding Ding stop only serves tram going in a single direction, either east-bound or west-bound. Therefore the stops are typically located in pairs, to serve opposing directions. Make sure you board at the correct stop.
    • The common practice is to board the tram from the back, and alight from the front. Similarly, you will move to the upper deck from the stairs at the back, and exit to the lower deck from the stairs in front.
    • Pay your fare before you alight by tapping your Octopus card.

Travelling Home

  • Following this route, and a family of 4 with luggage, the most efficient way to get to the airport is to take a cab. From Mong Kok to HKIA will cost around HKD 300.
  • From the airport, the procedure is straightforward. Just follow the directions and you will be fine.


Food sold in the hotels and casino can be pretty expensive in Macau. It is a good idea to stock up on some snacks at the airport before taking the ferry to Macau, as the casino areas do not have a single convenience store.

For cheap food, consider eating outside of the casino area, such as Taipa village. If you have to remain in the casino area, it is a good idea to locate the bakeries in some of the shopping malls. These bakeries tend to slash their prices after the late evening, so you can stock up on your breakfast or even lunch for the next day.

Food prices in Hong Kong varies depending on the location. Here is the Egg Tart Index that we have come up with. Plan where to have your meals strategically if you are on a tight budget.

Egg Tart index

Here are my recommendationsfor food worth trying:

  • Sheng Ji Porridge
    Signature Ji Di Porridge and Fish Belly Porridge
  • Yat Lok Roast Goose
    Roast Goose and Char Siew are must-trys. Don’t bother with the roast pork.
  • One Dim Sum
    Siew Mai, Char Siew Bun, Malay Cake, Carrot Cake.
  • Pork Chop
    Any cafe selling pork chop is decent. Try the standard HK breakfast set while you are at it.
  • 7-Eleven
    Alcoholic beverages are much cheaper in Hong Kong.
  • Yee Shun Dairy Company
    Steamed Milk Pudding.
  • Koi Kei Bakery
    Almond Biscuit and Peanut Cookies. This gift shop can be found in Macau and Hong Kong.
  • Street Food
    Egglet / Egg Waffle / Ji Dan Zai, Egg Tarts, Milk Tea.
  • Tang Shui Lao / Tong Shui Lo
    Red Bean Paste or Red Bean Soup. Signature dessert of HK.

Here are the food which I think you can skip:

  • The rest of the street food not mentioned above
  • Australian Dairy Company
  • Wanton Noodles

Of course, remember to feel free and explore. There are lots of hidden gems in HK. Consider using the Michelin street food guide. The recommendations are not bad.

Attractions / Activities

Booking your attractions or activities with Klook allows you to beat the queue, worth considering.

Museums are free on certain days of the week. Do some research before going.

Victoria Peak is a good experience but DO NOT go to the peak if the weather is foggy, you will not be able to see any scenery.

If you are attempting to hike on Dragon Back Trail, follow a comprehensive guide online, but take note:

  • Remember to press the bell to alight at the correct stop when you are taking bus to the start of the trail.
  • You can Google Map for the entire trail; there are data and GPS reception.
  • You will not be able to see any scenery after the first kilometers of the trail, due to the tall vegetation. Consider turning back and exit from the starting point instead (unless you want to visit the beach as well).
  • After returning to the bus terminal at Shau Kei Wan, consider having a meal at Aldrich Bay Market. There is a fantastic Zi Char stall, Siu Wah Kitchen.

Skip the Ladies Street in Mong Kok. It is totally not worth your time. Instead, visit Argyle Centre for better products and bargains.

Additional Pointers

There is no need for universal adapters the power sockets in Macau, HK, and SG are identical.


Reading: Data Driven, by J. Dearborn

The author aims to draw out some insights from her past experience in implementing data analytics to improve sales performance in her organisation. I particularly appreciate the style of using a fictional story, of a company struggling to improve their sales and their eventual adoption of data analytics, allowing most readers to empathise with the protagonist, as well as relate the situations to the readers’ workplace. Here are some of the key learning points that I have picked up:


Sales as the Guinea Pig – we should all consider this when pushing for changes in our own organisation. Dearborn stated that about 80% of any companies is related to sales in some ways, and improvements in sales are easy to measure, and therefore more potential to gather support for the project following any initial successes.

Company’s Responsibility – I like the author’s thinking, that a company is responsible for preparing their staff with sufficient skills to manage technology changes in the workplace. Without any focus on proper training, layoffs are inevitable should the company continue to grow.

Chapter 1: Playing the Blame Game

The game that we are all too familiar with. When confronted with finding root cause of declining sales, all team leaders, from sales, per-sales, marketing, training, recruitment, product development, and operations, start pointing fingers at each other and making excuses for their situation.

Without making use of data, these leaders will end up setting unrealistic goals, solve the wrong problems (as root causes are typically identified based on “gut feel”), and end up measuring the wrong performance indicator.

I appreciate Dearborn pointing out the common bad habit of teams measuring efficiency instead of effectiveness as a justification of their performance. For example, an IT team is extremely focused on ensuring and reporting system up time, however they may be missing the fact that this system is not critical and does not contribute to the sales of other business units at all. When confronted with declining sales, the IT team never fails to pull out the system up time to justify their value and contribution, and starts shifting the blame to other teams. This is one of the factors that perpetuates the “silo” mentality that plagues many organisations.

Chapter 2: Pulling Back the Curtain

An important warning for every company venturing into data analytics. The landscape evolves constantly and there is no standard analytics taxonomy, so leaders who are embracing data analytics in their company must be comfortable with this mess. If you require every step of the journey to be properly structured and defined by some kind of “industry best practice”, then this is probably not for you.

Also, there are a lot of hype in the market, and some sellers pushing products and solutions to your face may be making unsubstantiated claims on their analytics capability. They may not be analytics at all, just some re-packaging and re-marketing of traditional solutions. So do yourself a favour, gather more knowledge before making any investments.

Chapter 3: Changing Mindsets

Start Small – If you start big and fail, everyone will lose their trust in data analytics, and be rest assured future projects will never take off, ever.

Company Leadership – The project must be headed by the management, preferably someone interested in fact-based decision making. Successful transformation of the company depends on changes in processes, skills, culture, not just the implementation of a solution.

Internal Capabilities – I feel that this is a crucial point that many top management failed to appreciate. No consultants or solution providers will be able to transition your company, without you first establishing internal analytics capabilities. Your internal team will understand the nuances particular to your business and are driven to use analytics to make changes with more motivation than any outsource parties. Of course, assemble the team with staff of the right skills and mindset is the key to success.

Other pointers from Dearborn are to not rush to outsource your analytics capabilities, and do not expect analytics solution to work like a silver bullet for your problems.

Chapter 4: Finding the Keys

Always start off by considering all the possible variables that affects the performance output that you are trying to improve. This is a brainstorming exercise, and a lot of the factors maybe eliminated eventually as they are not as significant as others.

Next, try to locate the data. It may be in multiple systems within the organisation, or it may even come from external sources, like firmographics. Not all data that corresponds to the variables may be available, and some data cleansing will need to be performed.

Chapter 5: Descriptive Analytics

Descriptive analytics simply use software tools to present the data in a meaningful manner. I like that the author warned the readers not to be too particular with the terminology, and to accept that all the analysis in the subsequent chapters may make use of the exact same tools, the difference is merely the way we use data and the objective we are trying to achieve.

Chapter 6: Diagnostic Analytics

The story described the use of a machine learning model trained to identify high performers and poor performers through a large set of input data. Once the model is able to predict performance with high confidence, the configuration within the model will point out which input variables has the greatest impact on the outcome, and those are likely the areas that the company wants to focus on.

Once key variables had been identified, the performance of each staff in the respective variables can also be identified, which highlights the areas for improvement tailored to each staff.

Chapter 7: Predictive Analytics

With limited resources, the company will have to prioritise which staff and customers deserves more attention. Using the same machine learning model in the previous chapter, the company will be able to identify deals which are more likely to close than others, , and staff who are more likely to under perform. This helps the company to decide on resource allocation, just in time to bring up overall performance.

Chapter 8: Prescriptive Analytics

The author admits that prescriptive analytics is an extension of all the above analytics, and it really isn’t a tool or a method. In my opinion, it is a systematic way of using the results derived from the above analytics and take action.

Descriptive analytics had helped to provide the mechanism to look at performance objectively in greater details. Diagnostic analytics had identified the key areas of improvement that matter more than others. Predictive analytics then highlights customers and staff that the company can work on for quick wins with limited resources. Finally, all it takes is to communicate with the staff that are most likely to improve with the least amount of resources, work on key areas tailored for the staff, and focus on customers that are most likely to close the deals.

Chapter 9: Celebrating Success

[Spoiler Alert] Of course the story has a happy ending. The company saw encouraging sales improvements and adoption of data analytics.

In summary, this book teaches an action model that is applicable to most companies:

  1. Identify key factors that affects performance, and collect data for those factors.
  2. Diagnose which factors have the most impact on results.
  3. Predict the performance and identify quick wins.
  4. Act on the areas highlighted, and continuously measure and improve on the action plan.

IT Security 002: MAS TRMG Appendix

Continuing from the previous post, this is a summary of Appendix A-F of MAS Technology Risk Management Guidelines (TRMG).

The appendix provides more details for some of the specifications mentioned in the main body of the guidelines, and may tend to be a little bit more technical.

Appendix A: System Security Testing and Source Code Review

  1. Security testing alone is ineffective in detecting all threats and weaknesses. FIs should also include system source code review in its System Development Life Cycle (SDLC).
  2. FIs should take note of the following during system testing and source code review:
    • Information Leakage – scrutinise the potential sources of sensitive information leakages through verbose error messages, hard-coded data, files and directories operations.
    • Resiliency Against Input Manipulation – Lack of proper input validation can spawn major vulnerabilities such as script injection and buffer overflows. Validation routines should be reviewed and tested to assess effectiveness. Validation should include:
      • validate all inputs to an application.
      • validate all forms of data input format.
      • verify the handling of null or incorrect inputs.
      • verify content formatting.
      • validate maximum length of input.
    • Unsafe Programming Practices – review the source code to identify unsafe practices:
      • vulnerable function calls.
      • poor memory management.
      • unchecked argument passing.
      • inadequate logging and comments.
      • use of relative paths.
      • logging of authentication credentials.
      • assigning inappropriate access privilege.
    • Deviation From Design Specifications – test critical modules (such as authentication functions and session management) to ensure no deviation. Include:
      • verify security requirements (credential expiry, revocation, reuse) and protection of cryptographic keys for authentication.
      • verify sensitive information stored in cookies are encrypted.
      • verify session identifier is random and unique.
      • verify session expires after a pre-defined length of time.
    • Cryptographic Functions – strength of cryptography depends on algorithm, key size, and implementation. Consider:
      • implement cryptographic modules based on authoritative standards and reputable protocol.
      • review algorithms and key configurations for deficiencies and loopholes.
      • assess the choice of ciphers, key sizes, key exchange protocols, hashing functions, RNG.
      • testing all cryptographic operations and key management procedures.
      • (refer to Appendix C).
    • Exception Handling – ensure robust exception and error handling that facilitates fail-safe processing, assist problem diagnosis through logging, and prevent leakage of sensitive information.
    • Business Logic – ensure that business logic are tested and deny unauthorised function or transaction. Consider the use of negative testing.
    • Authorisation – perform tests to ensure actual access rights granted conform to the approved security access matrix.
    • Logging – ensure the following when implementing logging functions:
      • sensitive information should not be logged.
      • maximum data length for logging is pre-determined.
      • logs both successful and unsuccessful authentication.
      • logs both successful and unsuccessful authorisation.

Appendix B: Storage System Resiliency

  1. Overview
    1. Resiliency and availability of storage systems are crucial to continuous operation of critical applications.
  2. Reliability and Resiliency
    1. FIs should review storage system architecture and connectivity regularly (both centralised and distributed storage). Prevent single points of failure and fragile functional design, ensure technical support.
    2. Poorly designed SANs concentrate risks to system infrastructure. FIs should ensure redundancy of all SAN components (multiple links and switches for all I/O operations between hosts, adapters, storage processors and storage arrays), and a HA, resilient, and flexible architecture.
    3. FIs should establish sound patch management process for timely update of storage systems, and rigorous change management process for deploying of configuration changes and upgrades.
    4. FIs should establish in-house alert and monitoring capability for early detection of storage systems outages. Consider data replication mechanisms and vendor call-home capability for enhanced resiliency. Should also maintain oversight of diagnostics and remediation activities.
  3. Recoverability
    1. FIs should ensure architecture of storage system is able to switch from primary production to alternate site to meet expected RTO and RPO. Should regularly test the recoverability and data consistency at alternate site.

Appendix C: Cryptography

  1. Principles of Cryptography
    1. Primary purpose is to protect integrity and privacy of sensitive information.
    2. Secrecy of the key is important, not the secrecy of algorithm. Ensure protection and secrecy of all keys used (master keys, key encrypting keys, data encrypting keys).
  2. Cryptographic Algorithm and Protocol
    1. Cipher algorithms may need to be enhanced or replaced in the face of ever improving computer hardware and techniques enabling the attacks on cryptography.
    2. FIs should review algorithms and key configurations for deficiencies and loopholes, and assess the choice of ciphers, key sizes, key exchange protocols, hashing functions, RNG.
    3. FIs should ensure RNG has sufficient size and randomness of seed number to preclude the possibility of optimised brute force attack.
  3. Cryptographic Key Management
    1. FIs should establish key management policy and procedures that covers generation > distribution > installation > renewal > revocation > expiry.
    2. FIs should ensure the keys are securely generated, such that constituents are destroyed or no single person has access to the entire key or all constituents. Ensure that keys are created > stored > distributed > changed under stringent conditions.
    3. FIs should ensure unencrypted symmetric keys are entered into tamper-resistant devices (e.g. HSM) using principles of dual control. Keys should only be used for single purpose to reduce exposure.
    4. FIs should decide the appropriate effective timeframe (cryptoperiod) of keys, using sensitivity of data and operational criticality to determine frequency of key changes.
    5. FIs should ensure HSM and keying materials are physically and logically protected.
    6. FIs should ensure keys are not exposed during usage or transmission.
    7. FIs should use secure key destruction method on expired key to prevent recovery by any parties.
    8. New keys should be generated independently from the previous keys.
    9. FIs should maintain a backup of keys, with same level of protection accorded to the original keys.
    10. FIs should immediately revoke > destroy > replace any compromised keys, as well as all derived keys or encrypted keys affected. Inform all parties concerned of the revocation.

Appendix D: Distributed Denial-Of-Service Protection

  1. Overview
    1. Proliferation of botnets and new attack vectors have increased the potency of DDOS attacks.
    2. Evolving threat landscape allows more sophisticated DDOS attack on other layers of OSI with minimal bandwidth.
    3. DDOS attack would cripple the network and system of even large commercial organisations, causing massive service disruption or cessation.
    4. In spite of malware protection, FIs should still bolster the system robustness against DDOS attacks.
  2. Detecting and Responding to DDOS Attacks
    1. FIs should deploy appropriate tools to detect, monitor, analyse anomalies in networks and systems (unusual traffic, volatile system performance, sudden surge in utilisation) and have anti-DDOS equipment to respond to DDOS attacks.
    2. On top of network perimeter security devices that alert FIs of suspected attacks, consider using purpose-built high performance appliances to handle DDOS so that legitimate traffic is still allowed as malicious packets are filtered.
    3. Elimination of single source of failure vulnerable to DDOS attacks should be eliminated through source code review, network design analysis, and configuration testing.
  3. Selection of Internet Service Providers
    1. Effective countermeasure to DDOS often rely on ISPs to dampen attacks in upstream network.
    2. FIs should incorporate DDOS attack considerations when selecting ISP and determine:
      • whether ISP offers DDOS protection or clean pipe services.
      • the ability of ISP to scale up network bandwidth on demand.
      • the adequacy of ISP’s incident response plan.
      • capability and readiness of ISP to respond quickly to attacks.
  4. Incident Response Planning
    1. FIs should devise incident response framework and routinely validate it to facilitate fast response to DDOS attacks. Include:
      • detailed immediate steps to counter an attack.
      • invoke escalation procedures.
      • activate service continuity arrangements.
      • trigger customer alerts.
      • reporting the attack to MAS.
    2. FIs should assimilate ISP incident response plans into their own, establish a communication protocol with the ISP and conduct periodic joint incident response exercises.

Appendix E: Security Measures for Online Systems

  1. Overview
    1. MITM attack = an interloper accessing and modifying communications between two parties without revealing that the link has been compromised.
    2. There are many possible MITM attacks (on computing devices, internal networks, information service providers, web servers, anywhere along the path between user and FI’s server).
  2. Security Measures
    1. FIs should implement adequate controls and measures to prevent MITM as part of 2FA infrastructure.
    2. For high-risk transactions, consider:
      • use digital signatures and key-based message authentication codes (KMAC) to prevent MITM.
      • ensure customer is able to distinguish generation of OTP from hardware token and the process of signing a transaction.
      • use different cryptographic keys for generating OTP and for signing.
    3. FIs may choose to implement challenge-based or time-based OTP. Time-based OTP validity window should be configured on server side, and be as short as practicable to lower risks.
    4. Customers should be notified through a second channel of high-risk transactions, with meaningful information of the transaction. The notification should not be sent to the same device performing the transaction.
    5. FIs should implement end-to-end encryption security at application layer to protect customer PINs and password, on top of SSL.
    6. Online sessions should automatically terminate after a fixed period unless customer re-authenticate.
    7. FIs should educate customers to terminate login session when facing wrong SSL server certificate warning, and notify the FI immediately.

Appendix F: Customer Protection and Education

  1. Overview
    1. FIs should protect customers’ accounts and data, and raise customers’ security awareness with regard to online financial services.
  2. Customer Protection
    1. FIs should not distribute software to customers via the internet unless there are adequate security and safeguards. There should be appropriate alert and assistance for the customer to verify the origin and integrity of those downloads.
    2. Observe the following controls when handling customers’ login credentials:
      • implement dual control and segregation of duties in password generation, dissemination and account activation.
      • print password mailer in secure location where access is restricted and monitored.
      • destroy mailer spoilages immediately and generate a new password for each reprint.
      • destroy all stationary that may contain password imprint during mailer printing.
      • ensure passwords are not exposed or compromised during dissemination process.
      • ensure passwords are not processed, transmitted, stored in clear text.
      • require customers to change passwords immediately upon first login.
      • only distribute hardware token that has been assigned to a customer account.
    3. FIs should inform customers about risks and benefits, terms and conditions, rights, obligations and responsibilities of all parties (in particular regarding processing errors and security breaches) before customer subscribe to the service, in an easy to understand format.
    4. FIs should make the terms and conditions readily available to the customers and require a positive acknowledgement on initial logon or subscription.
    5. FIs should post these disclosures on its website:
      • customer privacy and security policy
      • customer dispute handling, reporting, and resolution procedures, including expected response time. Explain the process to resolve problems or disputes,  and circumstances which losses would be attributable to FI or the customers if security breaches occur.
      • security measures and reasonable precautions customers should take when accessing their online accounts (prevent unauthorised transactions, fraud, stealing of credentials, impersonation).
    6. FIs should ensure that any interference to an authenticated session will result in session termination, and affected transactions are resolved or reversed out. Promptly notify the customer of such incident.
  3. Customer Education
    1. FIs should educate the customers on the security and reliability of their interaction with FIs. It will build customer confidence, and customer will understand the appropriate security measure they should take to safeguard their own devices.
    2. FIs should provide sufficient instruction and information to customers on new operating features and functions. Continual education and timely information will help customers in reporting security problems.
    3. FIs should remind customers on the need to protect their authentication information. FIs may display security instructions on login pages. Consider the following guidelines:
      • PIN should be at least 6 digits or alphanumeric characters.
      • PIN should not be based on guessable personal information.
      • PIN should be kept confidential.
      • PIN should be memorised and not recorded anywhere.
      • PIN should be changed regularly when there is any suspicion of compromise or impairment.
      • Same PIN should not be used for multiple applications.
      • Customer should not allow browser to store or retain usernames and passwords.
      • Customer should check authenticity of FI’s website by validating the URL and digital certificate information (SSL EV certifications).
      • Customers should check that secure HTTP and security icon appears in browser when authentication and encryption is expected on the website.
      • Customer should not allow anyone to tamper with their OTP token.
      • Customer should not reveal the OTP generated from their token.
      • Customer should not divulge the serial number of their OTP token.
      • Customer should check their account information, balance and transactions frequently and report any discrepancies.
      • Customer should inform FI immediately on the loss of their mobile phones, or changes in phone numbers.
    4. FIs should advise customers to adopt the following security precautions and practices:
      • install anti-virus, anti-spyware, and firewall software on their personal devices.
      • update OS and protection software regularly.
      • remove file and printer sharing in computers, especially when connected to internet.
      • regularly backup critical data.
      • consider encryption technology to protect highly sensitive information.
      • log off at the end of online sessions.
      • clear browser cache after online sessions.
      • do not install software or run programs of unknown origins.
      • delete junk or chain emails.
      • do not open email attachments from strangers.
      • do not disclose personal or financial information to little-known or suspicious website.
      • do not use a device that cannot be trusted.
      • do not use public internet or devices to access online services or perform financial transactions.
    5. FIs should educate customers on the features of payment cards and the associated risks, the security features and steps to report card loss or fraud cases.
    6. The above information are not intended to be static or exhaustive. FIs should provide updated security practices and guidelines to customers in a user-friendly manner.


IT Security 001: MAS Technology Risk Management Guidelines (TRMG)

The Monetary Authority of Singapore (MAS) had published a set of Technology Risk Management Guidelines (TRMG) to help financial institutions address technology risks. Instead of finding the TRMG a nuisance, I felt that the guidelines are fantastic as they provide a starting point for an IT department begin addressing the technology risks that may go unnoticed if the department do not already possess the skills and expertise to address these concerns. Even if you are not a financial institution, I guess the TRMG is still relevant for you to benchmark your own risk management capabilities.

I attempt to create my own TL;DR version of the TRMG to capture the key principles and make it easier to remember for myself. Please only use this as a cheat sheet, and thoroughly review the Guidelines on your own if you are providing consultation or advice for your company.

1. Introduction

  1. IT is important to financial institutions (FI) business strategies.
  2. IT systems of FIs become more complex.
  3. FIs are offering more variety of IT services, therefore FIs should fully understand and manage the technology risks.
  4. TRMG consists of management principles and best practice to guide FIs in:
    • Establish a sound and robust technology risk management (TRM) framework.
    • Strengthening system security, reliability, resiliency, and recoverability.
    • Protect customer data, transactions and systems.
  5. TRMG is not legally binding, but MAS strongly encourage FIs to consider.

2. Applicability of the Guidelines

  1. FIs may adapt the TRMG where appropriate. TRMG should be applied in conjunction with relevant regulatory requirements and industry standards.
  2. TRMG objective is to promote sound practices and processes for managing technology.

3. Oversight of Technology Risks by Board of Directors (Board) and Senior Management (SM)

  1. Critical IT system failures can lead to reputational damage, regulatory breaches, revenue and business losses.
  2. Board and SM should have oversight of technology risks and ensure IT is capable of supporting business.
  3. Roles and Responsibilities
    1. Board and SM should ensure TRM framework is established and maintained. They should be involved in key IT decisions.
    2. Board and SM should ensure that controls and practices achieve security, reliability, resiliency and recoverability.
    3. Board and SM should consider cost-benefit issues (reputation, consequential impact, legal implications) when investing in controls and security measures for IT (systems, networks, datacentres, operations, and backups)
  4. IT Policies, Standards and Procedures
    1. FIs should establish policies, standards and procedures to manage risks and safeguard information system assets (data, systems, network device and other IT equipment).
    2. Policies, standards and procedures should be reviewed and updated regularly.
    3. Compliance process should verify that standards and procedures are enforced. Deviations should be addressed on a timely basis by a follow-up process.
  5. People Selection Process
    1. Have a screening process to carefully select staff, vendors and contractors to minimise technology risks due to system failure, internal sabotage or fraud.
    2. Staff, vendors and contractors authorised to access systems should be required to protect sensitive or confidential information.
  6. IT Security Awareness
    1. Establish a comprehensive security awareness training program for every staff. To include:
      • IT Security policies and standards
      • Individual responsibility
      • Measures to safeguard information system assets
      • Applicable laws, regulations and guidelines pertaining to usage, deployment and access to IT resources.
    2. Training program conducted and updated at least annually. Applicable to new and existing staff, contractors and vendors, accessing IT resources.
    3. SM to endorse training program. Content to be reviewed and updated to be relevant to emerging and evolving technology risks.

4. Technology Risk Management Framework

  1. TRM framework manage risks in a systematic and consistent manner. It encompasses:
    • Roles and responsibilities in managing technology risks.
    • Identification and prioritisation of information system assets.
    • Identification and assessment of impact and likelihood of current and emerging threats, risks and vulnerabilities.
    • Implementation of appropriate practices and controls to mitigate risks.
    • Periodic update and monitoring of risk assessment to include changes in systems, environmental or operating conditions that would affect risk analysis.
  2. Risk management practices and internal controls should be instituted to be effective.
  3. Information System Assets
    1. Assets should be adequately protected from unauthorised access, misuse, fraudulent modification, suppression or disclosure.
    2. FIs should establish clear policy on assets protection. Identify criticality of assets to develop protection plans.
  4. Risk Identification
    1. Entails determination of threats and vulnerabilities in the IT environment:
      • internal and external network
      • hardware and software
      • applications and systems interfaces
      • operations and human elements
    2. Threat may take any forms as long as it can cause harm by exploiting system vulnerabilities. Humans are significant sources of threats.
    3. FIs should be vigilant in monitoring mutating and growing risks e.g. ransomware outbreaks.
  5. Risk Assessment
    1. Analyse and quantify the business and operations impact of risks identified.
    2. Extent of impact depends on likelihood of threat and vulnerabilities occurring and causing harm.
    3. FIs should develop a threat and vulnerability matrix to assess potential impact and prioritise risks.
  6. Risk Treatment
    1. FIs should implement risk mitigation and control strategies for each type of risk identified. Measures should be consistent with the value of information system assets and level of risk tolerance.
    2. Risk mitigation entails a methodical approach for evaluating > prioritising > implementing risk control, which includes a combination of:
      • technical control
      • procedural control
      • operational control
      • functional control
    3. FIs should prioritise to address highest ranking risks given time and resources constraints. FIs should also consider their risk tolerance for damage and losses, and the cost benefit analysis (CBA) of implementing risk controls.
    4. FIs should maintain their business stability (costs effectiveness concerns) while managing and controlling risks.
    5. FIs should avoid implementing IT systems with unmanageable risks.
    6. FIs should consider taking insurance cover if applicable.
  7. Risk Monitoring and Reporting
    1. FIs should institute a monitoring and review process for continuous assessment and treatment of risks. FIs should maintain a risk register to:
      • Prioritise risks based on severity
      • Monitor risks closely
      • Report regularly on the mitigation actions
    2. FIs should use IT risk metrics (consider risk events, regulations, audit observations) to highlight systems, processes or infrastructure with highest risk exposure. Provide an overall technology risk profile to board and SM.
    3. FIs should review, evaluate, and update risk controls as IT environment changes to maintain effectiveness.
    4. Review and update of risk controls should also consider changing circumstances and risk profile of the FI.

5. Management of IT Outsourcing Risks

  1. There are many forms of IT outsourcing. May be single or multiple vendors, local or abroad.
  2. Due Diligence
    1. Board and SM should fully understand the risk of IT outsourcing. Determine the following before appointing outsource vendor:
      • viability, capability
      • reliability, track record
      • financial position
    2. FIs should ensure contractual T&C are fully covers all roles, relationships, obligations and responsibilities. Usually includes:
      • performance targets, service levels
      • availability, reliability, scalability
      • compliance, audit, security
      • contingency planning, disaster recovery (DR) capabilities
      • backup processing facilities
    3. FIs should ensure outsource service provider (as part of the contractual agreement) grant access to the FI or nominated parties and regulatory authorities without any hindrance:
      • to systems, operations, facilities and documentations
      • to review for regulatory, audit or compliance purpose
      • to inspect, supervise and examine service provider’s roles, responsibilities, obligations, functions, systems and facilities.
    4. Outsourcing should never weaken FI’s internal controls. FI should require service provider to employ high standard of care and diligence in:
      • Security policies, procedures, and controls
      • Protection of confidential and sensitive information (customer data, files, records, object programs and source codes).
    5. FIs should require service provider to implement the above controls as stringent as itself would.
    6. FIs should monitor and review the above controls regularly, and commission or obtain periodic expert reports on security adequacy and compliance w.r.t. the operations and services provided by the service provider.
    7. FIs should require service provider to have DR contingency framework (defines roles and responsibilities for documenting, maintaining and testing DR plans).
    8. Everyone concerned (including outsourced partners) should receive regular training in executing DR.
    9. DR plan should be reviewed, updated and tested regularly, according to changing environment.
    10. FIs should have contingency plan for viable alternatives to resume operations if service provider experience critical failure in a credible worst case scenario.
  3. Cloud Computing
    1. Cloud computing is a service and delivery model which users may not know the exact locations of IT resources in the service provider’s computing infrastructure.
    2. The same principle of due diligence applies to cloud computing. Note these unique attributes and risks:
      • data integrity
      • data sovereignty
      • data commingling
      • platform multi-tenancy
      • recoverability
      • confidentiality
      • regulatory compliance
      • auditing
      • data offshoring
    3. Considering multi-tenancy and data commingling architecture, FIs should ensure service provider is capable of isolating and identifying customer data and information system assets for protection.
    4. FIs should have contractual power and means to promptly remove or destroy data stored with service provider on contract termination.
    5. FIs should verify the service provider’s ability to recover within the stipulated RTO before outsourcing.

6. Acquisition and Development of Information Systems

  1. Many systems fail due to poor design, implementation and testing. FIs should identify defects and deficiencies in initial project phase.
  2. FIs should establish steering committee (business owners, developers, stakeholders) to oversee the project.
  3. IT Project Management
    1. Project management framework should include
      • Roles and responsibilities.
      • risk assessment and classification
      • critical success factors
      • milestones and deliverables
    2. FIs should document project plans that set out clear deliverables at each milestones.
    3. FIs should ensure that the following are approved by IT and Business:
      • functional requirements, system design, technical specs
      • business cases and CBA
      • test plans
      • service performance expectation
    4. FIs should establish management oversight to ensure timely completion. Issues cannot be solved by project committee should be escalated to SM.
  4. Security Requirements and Testing
    1. FIs should perform compliance checks on security standards against statutory requirements. Also, FIs should specify security requirements in early phase related to:
      • system access control, authentication
      • transaction authorisation
      • data integrity
      • system activity logging, audit trail, security event tracking
      • exception handling
    2. System testing methodology should be established to cover the following in various stress-load and recovery conditions:
      • business logic
      • security controls
      • system performance
    3. FIs should ensure full regression testing before system changes are made. Affected users should sign-off test results (refer to Appendix A).
    4. FIs should conduct penetration testing (pen-test) for new systems with internet accessibility and open network interface. Also perform vulnerability scanning of external and internal network components connected to the system.
    5. FIs should maintain separate environment for unit, integration, and UAT, and closely monitor vendor and developers access to these.
  5. Source Code Review
    1. Program code may conceal threats and loopholes which cannot be effectively identified through testing.
    2. Source code review is a methodical examination to find:
      • coding errors, poor coding practices, malicious codes
      • security vulnerabilities and deficiencies
      • mistakes in system design or functionality
    3. FIs should ensure high degree of system and data integrity for all systems. Ensure appropriate security control that considers complexity of applications.
    4. FIs should perform a combination of testing, source code reviews, and compliance reviews according to risk analysis.
  6. End User Development
    1. There are simple self-service applications for end users to do their own developments.
    2. FIs should assess the importance of such applications.
    3. Minimum recovery measures, user access and data protection controls should be implemented.
    4. FIs should test end user developed programs to ensure integrity and reliability.

7. IT Service Management

  1. IT service management framework supports:
    • IT systems, services, operations
    • change and incident management
    • stability of production environment
  2. Framework should include governance structure and processes and procedures for:
    • change management
    • software release management
    • incident management
    • capacity management
  3. Change Management
    1. Establish process to ensure production systems changes are assessed > approved > implemented > reveiwed.
    2. Process should apply to:
      • system and security configuration changes
      • patches for hardware devices
      • software updates
    3. Risk and impact analysis should be performed before deploying changes. Consider affected:
      • infrastructure, network
      • upstream and downstream systems
      • security implications
      • software compatibility
    4. Changes should be tested before deploying to production. Test plans should be documented. Tests results should be sign-off by users.
    5. Changes to production environment should only be approved by personnel with delegated authority.
    6. FIs should backup the systems and have a rollback plan prior to change. Should also have alternative recovery options if rollback is not possible after change.
    7. FIs should ensure logs are recorded for changes made.
  4. Program Migration
    1. Migration involves moving codes and scripts from development to test or production environment. Risks of malicious code injections.
    2. Each environment should be physically or logically separated.
    3. If controls in non-production environment is less stringent than production, FIs should perform risk assessment to ensure sufficient preventive and detective controls before migrating.
    4. Segregation of duties should be enforced to ensure no single individual can alone develop, compile and move objects across environments.
    5. Successful changes in production should also be replicated in DR system for consistency.
  5. Incident Management
    1. IT incident should be managed to avoid mishandling or aggravating of situation that prolong service disruption.
    2. FIs should establish incident management framework to restore IT services as quickly as possible following an incident, with minimal impact to business. Should include:
      • Roles and responsibilities
      • Recording of incidents
      • Analysing of incidents
      • Remediating of incidents
      • Monitoring of incidents
    3. FIs may delegate to a centralised technical helpdesk for assessing and assigning severity levels to incidents. Criteria of severity levels should be established and documented.
    4. Escalation and resolution procedures, and resolution timeframes should be appropriate to respective severity level.
    5.  Escalation and response plan should be tested on a regular basis.
    6. FIs should have an emergency response team made up of internal staff, with the technical and operational skills to handle major incidents.
    7. SM should be kept informed of incident developments in order to timely activate DR in case an incident aggravate into a crisis. Procedures to notify MAS when critical systems failed over to DR should be established.
    8. FIs should have predetermined action plan to address public relations issues, to maintain customer confidence throughout a crisis.
    9. FIs should keep customers informed of any major incident and consider effectiveness of communication (includes informing the general public).
    10. FIs should perform root-cause and impact analysis for major incidents and take remediation actions to prevent recurrence.
    11. FIs should have incident report that includes:
      • executive summary of incident
      • root-cause analysis
      • impact analysis
      • measures to address consequences of incident and the root cause
    12. Analysis should cover:
      1. Root Cause Analysis
        • when, where, why, and how the incident happened.
        • How frequent the incident occurred over last 3 years.
        • Lessons learnt from incident.
      2. Impact Analysis
        • Extent, duration, and scope of incident (include information of systems, resources, and customers affected).
        • Magnitude of incident (include foregone revenue, losses, costs, investments, number of customers affected, implications, consequences to reputation).
        • Breach of regulatory requirements.
      3. Corrective and Preventive Measures
        • Immediate corrective action to address consequence of incident (priority on addressing customers).
        • Measures to address root cause.
        • Measures to prevent similar future occurrence.
    13. FIs should address all incidents within corresponding resolution timeframes, and monitor all incidents to their resolution.
  6. Problem Management
    1. Problem management aim to determine and eliminate root cause to prevent occurrence of repeated problems.
    2. FIs should establish roles and responsibilities, and identify > classify > priorities > address problems in a timely manner.
    3. FIs should define criteria to categorise problems by severity level, and establish target resolution time and escalation processes for each severity levels.
    4. Trend analysis of past incidents will help with problem identification.
  7. Capacity Management
    1. FIs should ensure indicators for systems and infrastructure such as performance, capacity, and utilisation are monitored and reviewed.
    2. FIs should establish monitoring processes and appropriate threshold to be able to cater additional resources in a timely manner.

8. Systems Reliability, Availability and Recoverability

  1. This is important as critical system failures can lead to widespread and disruptive impact, affecting reputation and confidence.
  2. FIs should define recovery and business resumption prioritities, test and practise its contingency procedures.
  3. System Availability
    1. Important factors are:
      • adequate capacity
      • reliable performance
      • fast response time
      • scalability
      • swift recovery capability
    2. FIs should develop built-in redundancies to reduce single point of failure. Should maintain standby hardware, software and network components for fast recovery.
    3. FIs should achieve high availability for critical systems.
      • High availability = Other than planned maintenance, downtime should be minimised with suitable resiliency solutions.
      • Critical system = system which will lead to significant impact to operations or customers if failed.
  4. Disaster Recovery Plan
    1. Recovery plan should include scenario analysis for contingency scenarios such as major system outages, hardware malfunction, operating errors, security incidents, and failure of primary DC.
    2. FIs should review and update recovery plan and incident response procedures at least annually or when there are operations, systems or network changes.
    3. FIs should implement rapid backup and recovery capabilities at individual system or application cluster level, considering inter-dependencies when creating recovery plan and contingency tests.
    4. FIs should define recovery and business resumption priorities with specific RTO and RPO.
      • RTO = time to restore a system disruption.
      • RPO = acceptable amount of data loss.
    5. FIs should establish a geographically separated recovery site to restore critical systems and resume business operations when primary site fails.
    6. Recovery speed requirements depend on criticality and available alternatives. FIs may explore on-site redundancy and real-time data replication to enhance recovery capability.
    7. For critical systems outsourced to offshore service providers, FIs should consider cross-border network redundancy, engaging multiple network providers, and alternate network path to enhance resiliency.
  5. Disaster Recovery Testing
    1. FIs should refrain from adopting impromptu and untested recovery measures during system outage, as they carry high operational risks without validating effectiveness.
    2. FIs should test the effectiveness of recovery requirements and ability of staff to execute the procedures at least annually.
    3. DR tests should cover various scenarios like total shutdown, primary site failure, and individual component failure.
    4. FIs should conduct bilateral or multilateral recovery testing for systems or networks linked to specific service providers.
    5. FIs should involve business users in designing test cases to verify recovered systems. FIs should also participate in DR tests conducted by its service providers.
  6. Data Backup Management
    1. FIs should develop data backup strategy for storage of critical information.
    2. FIs may implement DAS, NAS, or SAN as part of the data backup and recovery strategy. Processes should be in place to review storage architecture, connectivity, and technical support by service providers (refer to Appendix B).
    3. FIs should carry out periodic testing of backup media and assess if media is adequate and effective in supporting recovery processes.
    4. FIs should encrypt backup media (including USB disks) containing sensitive information before transporting to offsite storage.

9. Operational Infrastructure Security Management

  1. FIs should implement security solutions at data, application, DB, OS, and network layers to adequately address potential cyber attacks.
    • Cyber Attacks = phishing, DOS, spam, sniffing, spoofing, hacking, key-logging, MITM, malware.
  2. FIs should have appropriate measures to protect sensitive and confidential information (personal, account, transaction data). Customers should properly authenticate before accessing data. Secure data against exploits like ATM skimming, card cloning, hacking, phishing and malware.
  3. Data Loss Prevention
    1. Insider attacks (from current and ex-staff, vendors and contractors) are among the most serious risks. FIs should adopt adequate measures to detect and prevent unauthorised access, copy, or transmission of important and confidential data.
    2. FIs should have comprehensive data loss prevention strategy that considers:
      • Data at endpoint – notebooks, PC, portable storage, mobile.
      • Data in motion – across network, or transport across sites.
      • Data at rest – files, DB, backup media, storage.
    3. FIs should address risks of data theft, data loss and data leakage from endpoints. Confidential information should be stored with strong encryption.
    4. FIs should not use unsafe internet services to exchange confidential information, and implement measures to detect and prevent the use of such services.
    5. For exchanging confidential information with external parties, FIs should employ strong encryption with adequate key length, and send the encryption key in separate transmission channel. May also use other secure methods.
    6. Confidential information stored on IT systems should be encrypted with strong access controls and principle of “least privilege”.
      • least privilege = “need-to-have” basis.
    7. FIs should determine the appropriate media sanitisation method, depending of security requirement of data, to prevent loss of confidential information through disposal of IT systems.
  4. Technology Refresh Management
    1. FIs should maintain up-to-date inventory of software and hardware used in production and DR environments, including relevant warranty and support contracts.
    2. FIs should actively replace outdated and unsupported systems, as EOS products cease to have security patches for vulnerabilities.
    3. FIs should establish technology refresh plan to ensure that systems and software are replaced in a timely manner. Conduct risk assessment and risk mitigation for continued usage of systems approaching EOS.
  5. Network and Security Configuration Management
    1. FIs should configure systems and devices with expected level of security. Establish baseline standards to facilitate consistent security configurations across OS, DB, network devices and enterprise mobile.
    2. FIs should conduct regular enforcement review to ensure baseline standards are applied, with frequency of review which commensurate with the level of risks.
    3. FIs should apply anti-virus to servers. Update anti-virus definition files regularly and schedule automatic scans.
    4. FIs should install network security devices (firewalls, IDS, IPS) at critical infrastructure juncture to protect network perimeter. Deploy internal firewalls or similar measure to minimise security exposure to both internal and external network. Regularly backup and review network security rules to remain appropriate and relevant.
    5. FIs deploying WLAN should be aware of the risks and implement measures to secure network from unauthorised access.
  6. Vulnerability Assessment (VA) and Penetration Testing
    1. VA is the process to discover > identify > assess security vulnerabilities in a system. FIs should conduct VA regularly.
    2. FIs should deploy a combination of automated tools and manual techniques to perform comprehensive VA (include common web vulnerabilities for VA on web-based external facing system).
    3. FIs should establish process to remedy issues identified in VAs, and validate the success.
    4. FIs should conduct pen-test through simulating actual attacks to evaluate security posture of system. Pen-test on internet-facing system at least annually.
  7. Patch Management
    1. FIs should establish patch management procedures that identify > categorise > priorities security patches, and have implementation timeframe for each category.
    2. FIs should test security patches rigorously before deploying to production.
  8. Security Monitoring
    1. FIs should establish security monitoring systems and processes to promptly detect unauthorised or malicious activities by external and internal parties.
    2. FIs should implement network surveillance and security monitoring procedures with network security devices to be alerted of intrusions.
    3. FIs should implement security monitoring tools which detects changes to critical IT resources, to identify unauthorised changes.
    4. FIs should perform real-time monitoring of security events for critical systems.
    5. FIs should regularly review security logs of systems, applications and network devices for anomalies.
    6. FIs should adequately protect and retain system logs for future investigations. Retention period should consider statutory requirements.

10. Data Centres Protection and Controls

  1. It is important for DC to be resilient and physically secured.
  2. Threat and Vulnerability Risk Assessment (TVRA)
    1. TVRA identify security threats and operational weakness in a DC to determine the level and type of protection to be established.
    2. TVRA should consider various scenarios (theft, explosives, arson, unauthorised entry, external attacks, insider sabotage) and various factors:
      • criticality of DC
      • geographical location
      • multi-tenancy and type of tenants in DC
      • impact of natural disaster
      • political and economic climate of country
    3. TVRA scope should include:
      • review of DC’s perimeter and surrounding
      • building and facility, critical mechanical and engineering system
      • building and structural elements
      • daily security procedures
      • physical, operational, and logical access control
    4. FIs should obtain TVRA of provider DC, verify that report is current and provider is committed to address vulnerabilities identified, before selecting DC. TVRA should be performed during feasibility study when building FI’s own DC.
  3. Physical Security
    1. FIs should limit DC access to authorised staff only (principle of least privilege).
    2. FIs should ensure temporary access for non-DC personnel are properly notified, approved, and accompanied by authorised employee.
    3. FIs should ensure DC is physically secured and monitored, employing physical, human, and procedural controls where appropriate (security guards, card access systems, mantraps, bollards).
    4. FIs should deploy security systems and surveillance tools to monitor and record activities within DC. Have physical security measures to prevent unauthorised access to systems, equipment racks and tapes.
  4. Data Centre Resiliency
    1. FIs should assess redundancy and fault tolerance in:
      • electrical power
      • air-conditioning
      • fire suppression
      • data communications
    2. FIs should monitor and regulate environment within DC such as temperature and humidity. Escalate to management and resolve abnormalities detected in a timely manner.
    3. FIs should implement appropriate fire protection and suppression systems to control full scale fire. Includes:
      • smoke detectors
      • hand-held fire extinguishers
      • passive fire protection (e.g. fire wall)
    4. FIs should install backup power consisting:
      • uninterrupted power supplies
      • battery arrays
      • diesel generators

11. Access Control

  1. Three of the most basic internal security principles for protecting systems:
    • Never alone principle = critical systems functions and procedures are carried out by more than one person or at least checked by another person. Includes critical systems initialisation and configuration, PIN generation, creation of cryptographic keys, use of admin accounts.
    • Segregation of duties principle = design transaction processes so that no single person may initiate, approve, execute, and enter transactions into a system for fraud. Job rotation for security administration. Responsibilities for the following should be performed by separate groups:
      • OS functions
      • systems design and development
      • application maintenance
      • access control administration
      • data security
      • librarian and backup data file custody
    • Access control principle = only grant access rights on principle of least privilege, regardless of rank or position. Only provide authorisation for legitimate purposes.
  2. User Access Management
    1. FIs should only grant access on need-to-use basis and within required period. Ensure that resource owner authorise and approve the access.
    2. External parties given access to critical systems should be subjected to close supervision, monitoring, access restrictions similar to internal staff.
    3. FIs should ensure user access are uniquely identified and logged for audit and review purposes.
    4. FIs should regularly review user access privileges to verify that privilege is appropriate, and identify dormant or wrongly provisioned accounts.
    5. FIs should enforce strong password controls that include:
      • change of password on first logon
      • minimum password length and history
      • password complexity
      • maximum validity period
    6. FIs should ensure no one has concurrent access to production and backup systems, and access to backup systems should only be for specific reason and period.
  3. Privileged Access Management
    1. FIs should apply stringent selection criteria and thorough screening when appointing staff for critical operations and security functions.
    2. These staff (system admin, security officers, programmers) are capable of severely damaging critical systems by virtue of their privilege access.
    3. FIs should closely supervise these staff, log and review their system activities, and adopt the following controls and security practices:
      • strong authentication mechanism (e.g. 2FA).
      • strong control over remote access.
      • restrict number of privilege users.
      • Grant privilege access on “need-to-have” basis.
      • Maintain audit logging of system activities.
      • Disallow privilege user access to logs of systems they are accessing.
      • Review activities on a timely basis.
      • Prohibit sharing of accounts.
      • Disallow vendors and contractors privilege access without close supervision.
      • Protect backup data from unauthorised access.

12. Online Financial Services

(Refers to provision of banking, trading, insurance, other financial services and products via electronic delivery channels)

  1. FIs should recognise the risk of offering services via internet platform.
  2. Varying degree of risks are associated with different types of services:
    • information service
    • interactive information exchange service
    • transactional service (highest risk due to irrevocable execution)
  3. FIs’ risk management process should clearly identify the risks and formulate security controls, system availability, and recovery capabilities which commensurate with the level of risks.
  4. Online Systems Security
    1. FIs should devise security strategy to ensure confidentiality, integrity, and availability of data and systems.
    2. FIs should assure customers that online services are adequately protected and authenticated.
    3. MAS expects FIs to properly evaluate security requirements associated with internet systems and adopt well-established international encryption standards (refer to Appendix C).
    4. FIs should ensure information processed, stored, or transmitted are accurate, reliable and complete, by implementing physical and logical access security, processing and transmission controls.
    5. FIs should implement monitoring or surveillance system to be alerted of abnormal system activities, transmission errors, or unusual transactions, and have follow-up process to verify the issues are addressed.
    6. FIs should maintain high resiliency and availability, put in place measures to plan and track capacity utilisation and guard against online attacks (refer to Appendix D).
    7. FIs should implement 2FA login and transaction-signing. These secure authentication process, protect data integrity, and enhance customer confidence.
    8. For systems serving institutional investors, accredited investors or corporate entities, using alternate controls and processes to authorise transactions, FIs should perform risk assessment to ensure security level is at least as adequate as token-based mechanisms.
    9. FIs should take appropriate measures to minimise exposure to other cyber attacks such as MITM, MITBrowser, MITApplication (refer to Appendix E).
    10. FIs should implement measures to protect customers, educate them on the measures put in place, and ensure they have access to continual education to raise security awareness (refer to Appendix F).
  5. Mobile Online Services and Payments Security
    1. Mobile Online Services refers to provision of financial services via mobile devices, either through web browser or FI’s self-developed applications on mobile platforms (Apple iOS, Google Android, Microsoft Windows OS).
    2. Mobile Payment refers to use of mobile devices to make payments, which may use various technologies (e.g. NFC).
    3. Both are extensions of online financial services. FIs should implement similar security measures as online financial services, conduct risk assessment and implement appropriate measures to counteract payment card fraud on mobile devices.
    4. FIs should ensure protection of sensitive or confidential information as mobile devices are susceptible to theft and loss. Implement encryption to secure data in storage and transmission, and ensure processing are done in secure environment.
    5. FIs should educate customers on security measures to protect their own mobile devices from malware.

13. Payment Card Security (Automated Teller Machines, Credit and Debit Cards)

  1. Payment cards allows physical purchase, online purchase (and over mail-order or over telephone) and ATM cash withdrawals.
  2. There are many forms of payment cards. Magnetic stripe cards are vulnerable to skimming attacks, which can take place during payment card processing (at ATMs, payment kiosk, EFTPOS terminals).
  3. Payment card frauds include:
    • counterfeit
    • lost or stolen
    • card-not-received (CNR)
    • card-not-present (CNP)
  4. Payment Card Fraud
    1. FIs offering payment card service should protect sensitive data. Implement encryption to secure data in storage and transmission, and ensure processing are done in secure environment.
    2. FIs should use secure chips to store sensitive data and implement strong authentication methods such as dynamic data authentication (DDA) or combined data authentication (CDA). Should not use magnetic stripe to store sensitive data. If interoperability concerns require the use of magnetic stripe for transactions, ensure adequate control measures are implemented.
    3. For transactions using ATM cards, FIs should perform authentication of sensitive customer information (not third party service provider). FIs should perform regular security reviews on infrastructure and processes used by service providers.
    4. FIs should ensure security controls on payment card systems and network.
    5. FIs should only activate new payment cards upon obtaining customer’s instruction.
    6. FIs should implement dynamic OTP for CNP transactions via internet to reduce risk.
    7. FIs should promptly notify cardholders when withdrawals or charges exceeding customer-defined threshold is made. Alert should include transaction source and amount.
    8. FIs should implement robust fraud detection systems with behavioural scoring or equivalent, and correlation capabilities. FIs should set out risk management parameters according to risk posed by cardholders, nature of transactions or other risk factors.
    9. FIs should investigate transactions that deviates significantly from cardholder’s usual usage patterns and obtain cardholder’s authorisation before completing transactions.
  5. ATMs and Payment Kiosk Security
    1. ATMs and payment kiosks (e.g. SAM and AXS) are targets of card skimming attacks.
    2. FIs should consider the following measure to secure consumer confidence in using these systems:
      • anti-skimming solutions to detect foreign devices placed over or near card entry slot.
      • detection mechanism that sends alerts to FI staff for follow-up responses and actions.
      • tamper-resistant keypads to ensure customers’ PIN are encrypted during transmission.
      • appropriate measures to prevent shoulder surfing of customers’ PINs.
      • Video surveillance of activities at the machines and maintain quality CCTV footage.
    3. Verify adequate physical security are implemented in third party payment kiosks which accept and process FI’s payment cards.

14. IT Audit

  1. FIs need to develop effective internal control systems to manage technology risks.
  2. IT audit provides Board and SM independent and objective assessment of the effectiveness of controls to manage technology risks.
  3. FIs should establish organisational structure and reporting lines for IT audit in a way that preserves the independence and objectivity.
  4. Audit Planning and Remediation Tracking
    1. FIs should ensure IT audit scope is comprehensive and includes all critical systems.
    2. IT audit plan comprising auditable IT areas for the coming year should be developed, and approved by the FI’s Audit Committee.
    3. FIs should establish audit cycle and determine the frequency of IT audit that commensurate with criticality and risk of IT system or process.
    4. Follow-up process to track and monitor IT audit issues, and escalation process to notify IT and business management of key issues should be established.



I will be publishing appendix A-F of the TRMG in a separate blog post.

Analytics 001: Power BI walkthrough

All the consultants out there are talking about deriving more insights from your “data” and your own top management are also singing in unison to move towards a “data-driven” future. No doubt, “Qlik” and “Tableau” had definitely been brought up in these conversations. You must be thinking, “Seriously? These software are gonna bring change to my company? Oh please!”.

Well I had that exact same thought. So I decided to explore these Business Intelligence (BI) tools further, starting with Microsoft Power BI. Why? Because it is free!

What is Power BI?

Power BI logo

Check it out from the official site:

I would say it is Microsoft’s attempt to compete with the two leading BI tools by leveraging on its strengths in Office Suite and Cloud Services. My first impression of Power BI was pretty good. The start-up is fast, the UI is similar to a typical Office software, and making changes to the dataset is also smooth. If you are a seasoned Excel user, then learning to use Power BI should be a breeze for you. As an absolute noob, you might have to go through the tutorials offered by Microsoft and hangout in the Power BI forum.

However, after using the tool for a while, I come to realise that all the hype over “Self-Service” BI does not equate to ease of use or intuitiveness. The tools merely combined some basic data extraction and manipulation with the ability to create graphs and charts. It is definitely not designed for the ordinary users who do not have an inkling of how data set can form relations, perform table join operations, and how the data can be presented objectively. Even though it is not necessary, having some foundation in data science will certainly help.

Cloud, Desktop, and Mobile

The Power BI desktop client is the application designed primarily to interact with the data and build reports. Power BI also provides a cloud service that can perform the required BI analysis, although the main objective of this service is to publish and share any reports that you have built. The mobile application is designed for users to read the published reports from the cloud using their mobile devices.

So for someone who would like to explore the analysis capabilities of this tool, installing the desktop client is a must.

Report Building Process

This is generally the sequence of actions for building a new report from scratch. I have yet to figure out how to create a report development workflow that will apply existing report templates to new or updated data sources. The following are performed with Power BI Desktop.

  1. Connect to Data Source
    In my case, I worked with a couple of Excel spreadsheet. You may consider connecting directly to databases. After connecting, the tool will extract/query all the available data tables.
  2. Modify the Data
    The data table may not be in a desirable format to produce any useful visualisation. Use the Query Editor to manipulate the data without modifying the source. It provides a number of useful functions, it processes the familiar Excel formula language (DAX or Data Analysis Expression), and also can execute your custom scripts on the data.I noticed that every change performed on the data is recorded as a layer (similar to Photoshop). You may go up and down the stack and modify or remove any layers you wish. This comes in handy when you are trying to explore/clean up your data but do not want to commit the changes until you are confident.
  3. Relationship View
    One of the three views that Power BI desktop provides. This allows you to create relationship between different data tables (outputs from step 2). Note that relationships only makes it easier for you to find information across tables pertaining to specific records using related fields between tables. It is not a join operation and it will not provide any benefit that a table join otherwise will provide. (Table joins should be performed at step 2).
  4. Data View
    I honestly feel that this view provides the same functionality as Query Editor, which makes me wonder what I should do with this view. My guess is for any further modification of the data that you failed/forgotten to perform in step 2, you may perform it in this view.Some the things you can do to your data includes filtering, data transform, data transpose, changing data format, data processing using DAX, aggregation, table joins, adding and removing fields and records, etc.
  5. Report View
    When you have finally gotten all your data prepared, the report view will assist you to create visualisations from the data and assemble it into a report, that can be published on the cloud service.In the report view, all that you should be doing is to match data and present them using the variety of charts. You should not attempt to manipulate the data within the report view. Of course, even if you are not prepared, you can revisit any of the previous steps and make the necessary adjustments.
  6. Publish to Cloud
    And after all your hard work, you may publish the report to the cloud service and share your creation with others. You may also choose to modify the Phone view so that the report may be accessed from a mobile device using the Power BI mobile app.
  7. Interactive Visuals
    What I like about Power BI is the interactive visualisations that automatically filter values and changes the charts dynamically as you click on it. You are also able to drill down into deeper details of the data.

Additional Helpful Tips

The following information may get into the details of using Power BI. These tips were very helpful when I was learning to use Power BI, and I will just park them here for future reference.


Data Preparation

Data Modelling


Open Source 001: Development Environment

It has been awhile since I developed anything for fun. This series will document the steps I have taken to get my own developments going. As the series title suggest, I will be referring to a lot of sources on the internet.

1. Virtualisation

I have chosen to use my gaming machine as the host since there are more system resources available, and honestly I was not willing to subscribe to any IaaS providers. The machine is running on Windows 10.

As we all know, if we are going to be dealing with a lot of open source programs, then a Linux OS will probably be more efficient than my current Windows 10. I have chosen to use Ubuntu through a VM on VirtualBox. Why I chose this arrangement over dual boot? I prefer to watch Netflix on my host OS while I compile stuff on my development environment 😛

2. Docker

I recently got to know about Docker technology. Sounds like a good way to do development on any machines without worrying about dependencies.

3. Node.js

I am using node only as an example since there are plenty of resources available online to guide me. Purely a personal preference. The following guides will cover instructions to install node, along with other software installation, and tutorial that covers the basics of node application development.


4. Putting it together

Now that I am able to build a simple full stack application, it is time to put all the knowledge together and make the application deployable everywhere.

Business 001: Digital Technology and Retail Malls

Traditionally, location and tenant mix are the two most important factors that determine the success of retail mall businesses. Even though these factors remain important, the use of digital technology is allowing weaker players to level the playing field in the industry.

Facing Digital Disruption

Retail mall business is only concerned with the management of physical space in the past. However, with the proliferation of online retailing, the industry struggles to handle digital disruption, with various malls adopting a spectrum of strategy. At one extreme, we see retail malls embracing the online platform by rolling out “click & collect” programs, allowing shoppers to make purchases online but collect the goods at the physical store. At the other extreme, there are malls which reject digital technology entirely. Most retail malls adopt some forms of digital technology to complement their business, but at this stage, there is no indication which strategy will come to dominate the industry, and all malls are expected to tread carefully into this area.

Connecting with Shoppers

Omni-channel marketing has been gaining attention in the industry. Technology is empowering retailers to connect with potential customers with more targeted and personalised messages, across multiple digital platforms. Compared to Above The Line (ATL) marketing channels, digital marketing is likely to be more cost effective. The software tools to design, orchestrate, execute and analyse omni-channel marketing campaign is also readily available in the market. Should the mall management not have any IT expertise, these software are also available in cloud subscription models.

However, even if a retail mall wish to embrace such technology, the direct impact on retail mall revenue is still limited. The mall would ultimately require cooperation of its tenants as the core content of all marketing campaign is still made up of the products and services of the shops in the mall.

Loyalty program is another avenue for retail malls to grow their business organically. You can see that almost all of our local retail malls have some form of loyalty program. This is a great initiative for the mall, as a little bit of investment into a Customer Relationship Management (CRM) system to hold the data of all the loyal members will allow the malls to gain deeper insights through analytics and provide leads for future marketing campaign. The loyalty program also provides great value and cost efficiency, as any promotions, e.g. “10% off” will yield the desired outcome and limit the cost to strictly 10% of sales, or what ever the ratio depending on the promotion.

Besides the CRM system, technology plays a part in helping the retail malls acquire and retain loyal members through websites and mobile applications. The key to success is to provide great user experience, keep the contents fresh, and deliver proper information to the right target audience.

Expectations of Tenants

The expectations of tenants have also evolved, creating another set of challenges for the retail malls. The trend of pop-up store is expected to pick up, as more online retailers look to physical stores to complement their sales activity, such as organising flash sales, set up show room and etc. Traditional lease duration and lease terms do not appeal to this new segment of tenants, which will be looking for shorter leases and lower rentals. However, as retail malls cater to the needs of online retailers, the management must take note of the potential backlash from existing tenants. This poses a dilemma which may eventually cause a paradigm shift in the business model of retail malls.

Most retail mall rental rates consist of a variable component that adjusts according to the sales turnover of the tenant. However, as shops are increasingly looking to close sales through their online platform, the physical shop spaces in the malls will function as show rooms and storage space instead of a venue for transaction. The malls will no longer be able to accurately measure the sales performance of their tenants and price the rental accordingly. This is certainly a tough problem with no clear resolution available.