The 6 Critical Questions About RMiT That Everyone Is Asking

On 18-July-2019, Bank Negara Malaysia released the “Risk Management in Technology” document. This document is a policy document which sets out the regulation for financial institutions on management of technology risk.

Top 6 critical questions and answers

1. Is compliance voluntary?

This policy document states the compulsory ‘must’ and ‘shall’ clauses as well as guidelines. It is clearly indicated in clause 5.2 that “failure to comply may result in one or more enforcement actions”, as such, this is not a voluntary standard/guideline.

2. Which organisations must abide by RMiT?

Financial institutions (in the definition of the RMiT), are licensed banks, investment banks, Islamic banks, insurers including professional reinsurers, takaful operators including professional retakaful operators as well as prescribed development financial institutions, approved issuer of electronic money and operators of a designated payment system. Details are available in the Malaysian FSA, IFSA and DFIA legal provisions.

3. Do all data centres need to comply to RMiT?

RMiT applies to all data centres which the financial organization operates including production and disaster recovery sites. Where a financial organization is using outsourced data centre providers such as commercial data centre operators as well as cloud-based service provides then they fall under the scope as well.

4. What is the scope of RMiT?

Although the RMiT is a standalone document, many of its requirements can be mapped back to existing standards with some of the clauses requiring an extension to ensure the scope is covered as per the definition of Bank Negara Malaysia. This illustration below gives an overview of the RMiT requirements.

Scope	Reference / Applicable Standards
Governance	Bank Negara Malaysia guidelines
Risk Management & Security	ISO/IEC 27001:2013
Data Centre Operations	DCOS® - Data Centre Operations Standard Maturity level: 3 Domains: - Service Level Management - Operations Management - Facilities Management - Monitoring/Reporting/Control, Security - Organizational Resilience
Data Centre & Network Resilience	ANSI/TIA-942-B Concurrent Maintainable: Rated-3

5. When are the deadlines?

Financial organizations must submit a gap analysis of the existing practices in managing technology risk against the requirements of RMiT by no later than 18 October 2019. It will then have to address any potential gaps to ensure that the organisation is fully compliant as per 1st of January 2020.

6. Is self-assessment an option?

The RMiT policy document states in clauses 10.25 and 10.40 that the Data Centre and Network Risk Assessment shall be conducted by an external auditor.

EPI RMiT Services

EPI’s assessment services will ensure you meet the RMiT requirements saving you time and effort and giving you peace of mind.
We have four service offerings;

1. DCRA – Data Centre Risk Assessment
This will review the Data Centre and Network Resilience as per the requirements of the RMiT based on the ANSI/TIA-942-B. EPI is currently the ONLY accredited TIA-942 Audit organization.

2. DCORA – Data Centre Operations Risk Assessment
This will review the Data Centre Operations section of the RMiT requirement. The audit will be conducted based on the first and only data centre operations standard – DCOS®.

3. DGRA – Data Centre Governance Assessment
This will review the governance aspects of the organization with the ISO-27001 standard at the core of the risk assessment.

4. DCRA + DCORA + DGRA
You can also opt for our full RMiT package which will combine DCRA+DCORA+DGRA audit such that the organization will conform to the RMiT risk assessment requirement of Bank Negara Malaysia and which can then be submitted as a single report.

HURRY, TIME IS RUNNING OUT!

You will have to submit the first report to BNM by October 2019. Contact us now to ensure you are compliant and avoid BNM’s enforcement actions.

Email David Goh at davidg@epi-ap.com.

Download RMiT brochure here