bank indonesia regulation 9/15/2007 it risk management
Why is Bank Indonesia very powerful?
Anjar Priandoyo 2015
BI Regulation from 9/15/2007 IT Risk Management Perspective
Law & Regulations in Indonesia
Institution / Regulation / Scope
Government of Indonesia
− UU ITE 2008 (Information & Electronic Transaction Law), Articles 15 and 16: Data Security, Integrity, Availability
− Peraturan Presiden no 54 tahun 2010: Procurement of Goods/Services - IT
BPMIGAS (The Upstream Oil and Gas Executive Agency)
− PTK 007 BPMIGAS 2011: Applicable to all Upstream Oil & Gas operations in Indonesia, including PSC & Contractors
Bank Indonesia
− PBI 9/15/2007 IT Risk Management: IT Risk Management; Electronic Banking Regulation; Third Party Independent review for E-Banking/E-Payment Product Launching
− PBI 11/11/2009 Card Based Payment System: Card Based Payment System; Registration process for E-Banking System
− PBI 1/6/1999 SPFAIB: Internal Audit Function and Standards
Bursa Efek Indonesia
− Peraturan Bursa Efek Indonesia 2010: Remote Trading; Business Continuity Plan
Why is Bank Indonesia Powerful? Part #1
Indonesia has a huge population and 131 banks; the Central Bank is one of the most powerful institutions in Indonesia.
Why is Bank Indonesia Powerful? Part #2
BI monitoring is very effective (this function now sits in OJK), but the BI organization has been working since Independence.
• BI regularly performs intensive monitoring and reviews
• There is a fine for every late or inaccurate report
• BI gives authorization and approval for new technology-related products, such as an Internet Banking launch or an ATM launch
Why is Bank Indonesia Powerful? Part #3
BI coverage extends to every aspect of a Bank's business operation.
• The structure of BI regulation is as follows:
− BI Regulation (Peraturan Bank Indonesia), e.g. PBI 9/15/2007 IT Risk Management
− Circular Letter (Surat Edaran Bank Indonesia), e.g. SEBI 9/30/DPNP IT Risk Management. DPNP = Direktorat Penelitian dan Pengaturan Perbankan (Directorate of Banking Research and Regulation)
• Sample PBIs:
− SPFAIB (Standar Pelaksanaan Fungsi Audit Internal Bank) PBI 1/6/1999
− IT Risk Management PBI 9/15/2007
− APMK (Alat Pembayaran Menggunakan Kartu) PBI 11/11/2009
− Good Corporate Governance PBI 8/4/2006, 11/33/2009 (for Sharia banks)
− Know Your Customer (KYC) PBI 11/28/2009
Why is Bank Indonesia Powerful? Part #4
PBI 9/15/2007 is the de facto standard for IT Security in Indonesia.
• Although there are the Ministry of IT, the Oil & Gas Regulatory Body and the Telco Regulatory Body, in reality most companies prefer to use 9/15/2007 as their reference.
• The fast growth of finance-related transactions involving non-banking industries demands the highest level of security, and the reference for that is BI.
Case Study #1 – IT Audit Based on PBI 9/15/2007
Scenario #1 IT Audit Based on PBI 9/15/2007
• Relation between PBI 9/15/2007 & SEBI 9/30/DPNP
PBI 9/15/2007 (excerpt): "It is necessary to establish provisions governing the Application of Risk Management in the Use of Information Technology by Commercial Banks in a Bank Indonesia Regulation."
SEBI 9/30/DPNP (excerpt): "This guideline sets out the main points of risk management application in the use of IT that Banks must implement to mitigate the risks associated with the operation of IT."
Scenario #1 IT Audit Based on PBI 9/15/2007
An integrated end-to-end IT assurance: the beauty of an integrated framework.
1. Management (Manajemen)
2. Development and Procurement (Pengembangan dan Pengadaan)
3. IT Operational Activities (Aktivitas Operasional Teknologi Informasi)
4. Communication Network (Jaringan Komunikasi)
5. Information Security (Pengamanan Informasi)
6. Business Continuity Plan
7. End User Computing
8. Electronic Banking
9. IT Internal Audit (Audit Intern Teknologi Informasi)
10. Use of IT Service Providers (Penggunaan Pihak Penyedia Jasa Teknologi Informasi)
Scenario #2 IT Audit Based on PBI 9/15/2007
• Scope of PBI 9/15/2007: the same ten areas listed above.
Case Study #2 – E-Banking Product Launching
PBI Usage Case Study #1 Product Launching
Credit Card Transaction Mechanism
(Diagram: credit card transaction flow between Customer (Nasabah), Merchant with EDC terminal, Acquiring Bank "XYZ" (Bank Pengelola), Issuing Bank "ABC" (Bank Penerbit) and the Principal (Visa, MasterCard, JCB, BCA), with authorization (otorisasi) and billing statement payment (pembayaran lembar tagihan).)
Issuing Bank (Bank Penerbit): the bank that issues the credit card (ISSUER)
Acquiring Bank (Bank Pengelola): the bank that cooperates with the Merchant (ACQUIRER)
Merchant: business partner that accepts credit card transactions. MDR = Merchant Discount Rate
N: product price
Fees shown in the diagram: < 1.6% × N, < 0.25% × N and < 1.15% × N (together MDR = < 3% × N)
Comparison of EDC machines (criteria: processor, memory, display, magnetic card reader, smart card reader, SAM card reader; the physical view column was an image)

VeriFone Vx 510 (vendor: VeriFone)
− Processor: 200 MHz ARM9 32-bit RISC processor
− Memory: 3 MB (dial only); 6 MB (4 MB of Flash, 2 MB of SRAM)
− Display: 128 x 64 pixel graphical LCD with backlighting; supports 8 lines x 21 characters
− Magnetic Card Reader: Triple track (tracks 1, 2, 3), high coercivity, bi-directional
− Smart Card Reader: [optional] ISO 7816, 1.8V, 3V, 5V; EMV Level 1 and 2 Type approved
− SAM Card Reader: [optional] 3 Security Access Modules (SAMs)

Ingenico i5100 (vendor: Ingenico)
− Processor: 29 MHz ARM7 processor
− Memory: 2 MB RAM / 4 or 8 MB Flash
− Display: Graphic 128 x 64, Backlit Yellow/Green
− Magnetic Card Reader: Triple track (tracks 1, 2, 3)
− Smart Card Reader: 1 smart card reader
− SAM Card Reader: up to 3 Security Access Modules (SAMs)

K23 (vendor: KeyCorp)
− Processor: CPU 16-bit, optional cryptographic co-processor
− Memory: 1 MB SRAM (up to 2 MB), 4 MB Flash (up to 8 MB)
− Display: 128 x 64 backlit graphics display
− Magnetic Card Reader: Magnetic stripe and chip card readers
− Smart Card Reader: Accepts a range of smart cards including EMV chip cards
− SAM Card Reader: [optional] Upgradeable up to 4 SAMs

Optimum T2100 (vendor: Hypercom, now Verifone)
− Processor: 32-bit RISC processor with 32-bit memory access
− Memory: 4 MB Flash, 8 MB SDRAM (standard) and 512 KB battery-backed SDRAM
− Display: 64 x 128 pixels; LED backlight
− Magnetic Card Reader: Triple track (tracks 1, 2, 3)
− Smart Card Reader: EMV 4.0 Level 1 and 2 certified; ISO 7816
− SAM Card Reader: 3 SAM sockets

T7 Plus (vendor: Hypercom, now Verifone)
− Processor: 32-bit ARM9 processor
− Memory: RAM 512 KB; 1 MB optional; EPROM 32 KB
− Display: 2 lines x 20 characters text display standard, 4 lines x 20 characters text display optional, with backlight
− Magnetic Card Reader: Tracks 1, 2; Tracks 1, 2, 3 optional
− Smart Card Reader: ISO 7816, EMV-compliant, non-captive
− SAM Card Reader: 4 SAMs

Omni 3750 (vendor: Omni, now Verifone)
− Processor: 32-bit microprocessor
− Memory: 3, 4, or 6 MBytes
− Display: 128 x 64 pixel LCD with backlighting; supports 8 lines x 21 characters, including graphics
− Magnetic Card Reader: Triple track (tracks 1, 2, 3), high coercivity, bi-directional
− Smart Card Reader: ISO 7816, 3V or 5V; EMV Level 1 and 2 type-approved
− SAM Card Reader: 2 or 4 SAMs optional

Magic 3 X-8 (vendor: Axalto/Gemalto, now Verifone)
− Processor: Main processor: 32-bit ARM9 microprocessor, 200 MHz, MMU; Secure processor: 32-bit microprocessor
− Memory: 8 MBytes flash, 16 MBytes SDRAM
− Display: 128 x 64 pixel graphical LCD with backlighting, icon bar
− Magnetic Card Reader: Bi-directional magnetic stripe reader – ISO 1&2&3
− Smart Card Reader: Smartcard reader, EMV 4.0 certified
− SAM Card Reader: SAM readers: 4 SIM format, or 3 SIM format + 1 Full (optional)
EDC Transaction Mechanism
(Diagram with ten numbered steps. Components shown: the EDC terminal, a Network Connection to the NAC Host of Bank Mandiri, VISA Net, the NAC Host of another bank (Bank Lain) reached through a second Network Connection, and the other bank's network (Jaringan Bank Lain). The printed receipt comes in three copies: Bank Copy, Merchant Copy and Customer Copy, with the PIN masked as XXXXXX.)
Questions?