Disclaimer: Organizations are not required as a matter of law to comply with this document, unless legislation, or a direction given under legislation or by some other lawful authority, compels them to comply. This document does not override any obligations imposed by legislation or law. Furthermore, if this document conflicts with legislation or law, the latter takes precedence.
The Bank Negara of Malaysia is the Central Bank of Malaysia. It provides monetary policy for the country and regulates the financial sector within Malaysia. On July 18, 2019, the bank released the Risk Management in Technology (RMiT) policy to ensure Malaysian financial institutions properly manage their cyber-risk exposure by establishing the necessary risk frameworks, governance structures, policies, and procedures.
The published RMiT policy covers the following six domains:
- Technology Risk Management
- Technology Operations Management
- Cybersecurity Management
- Technology Audit
- Internal Awareness & Training
All financial organizations within Malaysia are required to implement the minimum prescribed standards in this policy to prevent the exploitation of weak links in interconnected networks and systems that may cause detriment to other financial institutions and the wider financial systems. The requirements in this policy document are specified pursuant to — (a) Sections 47(1) and 143(2) of the Financial Services Act 2013 (FSA); (b) Sections 57(1) and 155(2) of the Islamic Financial Services Act 2013 (IFSA); and (c) Sections 41(1) and 116(1) of the Development Financial Institutions Act 2002 (DFIA). The guidance in this policy document is issued pursuant to section 266 of the FSA, section 277 of the IFSA, and section 126 of the DFIA. The policy went into effect on January 1, 2020. For more detailed information on the RMiT, refer to the policy document.
The LogRhythm platform enables your organization to meet many RMiT guidelines by collecting, managing, and analyzing log data. LogRhythm AI Engine (AIE) rules, alarms, reports, investigations, and general SIEM functionality also help your organization satisfy certain risk management elements outlined by the RMiT.
LogRhythm understands that organizations may be at different points of compliance maturity, so the RMiT module gives organizations the flexibility to realize value at any point along that maturity scale. The RMiT module is focused on the control requirements traditionally used for best practice purposes. LogRhythm supports some RMiT recommendations and decreases the cost of meeting others through pre-built content and functionality. Using advanced LogRhythm functionality such as NetMon, TrueIdentity, SysMon, Threat Research content, and Case Management may enhance pre-built content to better support an organization's compliance efforts.
IT environments consist of heterogeneous devices, systems, and applications — all reporting log data. Millions of individual log entries can be generated daily, if not hourly. The task of organizing this information can be overwhelming. Additional recommendations to analyze and report on log data render manual processes or homegrown remedies inadequate and cost-prohibitive for many organizations. LogRhythm delivers log collection, archiving, and recovery across the entire IT infrastructure and automates the first level of log analysis. Log data is categorized, identified, and normalized for easy analysis and reporting. LogRhythm’s powerful alerting capabilities automatically identify the most critical issues and notify relevant personnel. The RMiT module and associated reporting package work out of the box with some level of customization available. Utilizing the RMiT module assists in building and maintaining a sound compliance program.