PETALING JAYA: Bank Negara is likely to impose minimum standard qualifications on pen testers as a measure to enhance the rules on cyber security for lenders and other financial institutions, sources say.
Pen-testing, short for penetration testing, is security enhancement, in layman's terms.
In other words, what a pen-tester does is test, measure and improve security measures on IT systems and support areas at organisations.
In Malaysia, it is understood that pen-testing, an integral part of cyber-security, is done mostly by private firms, some of which may not have proper professional qualifications.
According to one source, talk is that pen testers who are doing testing for banks in Malaysia will soon have to have certain certification by a selected body or bodies, or risk not being able to undertake testing even if they have already secured a job from a financial institution.
The idea behind this is so that there will be a minimum benchmark set and standards can be maintained, the source points out.
The central bank had not replied to queries sent to it on this matter, as at press time.
Nevertheless, such talk comes on the heels of the recent move by Singapore's central bank, the Monetary Authority of Singapore (MAS), to tighten regulations on cyber security for financial institutions.
Last Thursday, MAS proposed to make “legally binding a set of six essential cyber-security measures to protect their IT systems,” Singapore’s The Straits Times reported.
The measures are already part of the existing MAS Technology Risk Management Guidelines, but MAS is proposing to raise them into legally binding requirements, the paper said, noting that the move comes as more financial processes are being conducted digitally, and in the wake of the rising number of attacks in the cyber world.
Among the six measures are addressing system security flaws in a timely manner, establishing and implementing robust security for systems, and restricting the use of system administrator accounts that can modify system configurations, according to the Singapore paper.
It also quoted MAS chief cyber security officer Tan Yeow Seng as saying: “The proposed notice on cyber hygiene seeks to strengthen the overall readiness of all financial institutions to address cyber threats by delineating a clear and common cyber-security waterline for the financial industry.
“This will help ensure that our financial sector as a whole continues to be resilient to cyber threats.”
Singapore experienced what it calls the country’s worst cyber attack this year, which saw the personal data of some 1.5 million SingHealth patients, including that of its Prime Minister Lee Hsien Loong, being leaked.
In Malaysia, cyber threats are nothing new.
Last year, news broke about what is now thought to be Malaysia’s biggest-ever data breach, where leaked data included personal information of subscribers of telcos and Internet service providers.