
PE OJK 11 2022

Need to have IT governance

IT governance factors

- Business strategy and goals
- Bank size and complexity
- IT role in said banks
- IT procurement
- IT risk management
- International best practices

Activity cycle

Define & planning, Development, Deploy, Monitor, Evaluate

WHO

- USER (BUSINESS LINE UNIT)
- IT UNIT

What needs to be mapped

- Business process
- Governance
- Organisational structure
- Human resources
- Information flow
- Hardware and software operability and security

Governance needs to be consistent at all levels

Framework - Policy - General procedure - Technical procedure

Article 4: Clear roles and responsibilities between BOC, BOD, IT committee, and IT divisions

Article 5: BOD responsibility (plan, set policy and guidelines, communicate those guidelines, and evaluate results)

Article 6: BOC responsibility

Article 7: Needs to set up a committee to help the BOC with

- Strategy and policy making
- Evaluating the balance of IT cost and reward
- Aligning the development plan and the strategic plan
- Resolving issues that cannot be solved at lower levels

Committee members

- IT director
- Risk director
- Head of IT divisions
- Head of business units related to IT usage

Administrative fines if the bank does not

- Have an IT committee
- Have a specialised IT division
- Have IT mappings and regular evaluation of said mappings
- Have clear responsibilities

Fines such as

- Cannot release new products
- Business freeze
- Bank governance health score reduction

IT infrastructure planning (Article 11)

Factors to be considered

- Business plan, business capability, business complexity
- Organisation size
- IT management policy
- Bank's capacity to implement changes
- Regulation

Life cycle

Plan - Design - Implement - Control

IT strategic planning

- Needs to align with corporate goals
- Strategic plan needs to be reported to the regulator by late November annually

ARTICLE 15

IT RISK MANAGEMENT

NEEDS TO HAVE

- RISK IDENTIFICATION
- RISK MEASUREMENT
- RISK MONITORING
- RISK CONTROL

ARTICLE 16

IT information security

Aspects:

- People
- Process
- Technology
- Physical

Article 17

Confidentiality, Integrity, Authentication

ARTICLE 18

DRP

Needs a simulation at least annually

Article 21 (MR SIBER 29/03/2022)

- Identification
- Asset protection
- Cyber incident detection
- Incident handling and recovery

Article 22

RCSA

Article 23

- Scenario testing
- Penetration testing (source code SAST, MAST, black-box penetration test)

Article 25

Penetration testing must include

- Setting the objectives, scope, and scenario
- Test execution
- Evaluation of test results

Article 29

IT vendors in banks (probably another SE OJK)

THIRD PARTY IT RISK MANAGEMENT

Identify vendor

Selection process

Third party engagement procedure

Third party evaluation

Analysis of IT VENDOR

- Qualification
- Cost-benefit analysis
- Risk factors

IF mishaps are FOUND

- Report to the regulatory body
- Pursue remediation plans such as termination of the contract (optional)

Article 35

IT infrastructure placement

Data must be placed nationally; if not, a request must be made to the regulatory bodies

Exceptions

- Internal management system
- Disaster (temporary)

ARTICLES 44 & 45 PDP

Need to

- Classify personal information
- Rights and responsibilities of related parties
- Terms and conditions
- Data platform and that platform's security

Article 48

Banks can provide IT services to other companies in the financial industry

ARTICLE 53

Internal control

- Risk control awareness
- Identify and measure risk
- Control and separation of duties

Need to have

- Regular monitoring
- Remediation of audit findings
- Audit bodies for IT processes
