Skip to content

RMiT Control Mapping

Map Waspada components to Bank Negara Malaysia Risk Management in Technology expectations.
Not a certification. This is a CISO working table: paragraph → control → evidence → gap.

Source document

FieldValue
Primary citeBNM Policy Document Risk Management in Technology, BNM/RH/PD 028-98, issued 19 June 2020
SupersessionUpdated RMiT PD issued 1 June 2023 (cloud ¶10.50 / ¶15 / Appendix 10 phased). Paragraph numbers below are from the 2020 text we mapped against; re-verify cloud/MFA rows against the current PDF before a formal FI submission.
Official PDFbnm.gov.my — PD-RMiT (2023)
Applicability noteRMiT binds financial institutions. Waspada is a third-party technology provider to FIs — the FI remains accountable (¶10.41). This table shows how Waspada supports an FI’s RMiT posture.

Legend: S = Standard (must) in the PD · G = Guidance · Status = Waspada implementation maturity.


Control mapping

RMiT citeDomain (PD)Expectation (summary)Waspada controlEvidenceStatusGap / residual
S 10.54–10.56Access control (§10)Identify, authenticate, authorise users; authentication commensurate with riskPartner RS256 JWT (iss / kid); analyst API key → short-lived SSE tickets (no long-lived key in query string); deny-by-default ingestJWT verification module, analyst auth, production boot guardsShippedMFA for analyst console is FI-side (G 10.58 / 2023 MFA standard) — not implemented in Waspada UI
S 10.61(b)Access / auditUser activities in critical systems logged ≥ 3 years, reviewedStructured ingest / disposition / delivery logs; durable audit_events (B1); disposition rows with analyst_id: pilot-analystGateway structured logs; audit event store; disposition recordsShipped (90d default)Product retention default 90 days (PDPA-aligned). FI must set retention ≥ 3 years or export logs to their SIEM for ¶10.61
S 10.16–10.19CryptographyStrong crypto policy; key lifecycle; protected private-key environmentTLS in transit; client AES-256-GCM evidence; gateway RSA-SHA256 alert signatures from env PEM (no ephemeral in prod); per-row AES-256-GCM DEK + KEK wrap + AAD tenant_id:alert_id:fieldAlert crypto module, gateway key pair loader, DPIA §4, KEK runbookShipped (app-level)HSM/TEE (¶10.19) not claimed — KEK is env/KMS-bound; rotate-and-rewrap documented, not automated
S 10.41–10.47Third-party TSPFI oversight of TSP; confidentiality; recoverability; logical segregationTenant isolation (tenant_id); encrypted alert blobs; advisory disposition (bank owns freeze); HTTPS-only FMS in production; FMS_DELIVERY_REQUIRED; ADV-005 public-triage quarantine (source_tier) so anonymous reports cannot reach FMS/corroborationAdvisory module, FMS delivery client, B0 schema constraints, advisory contractShipped (pilot); quarantine writers gated until public ingestFormal SLA / regulator access clauses are contractual (FI↔Waspada), not code
S 10.49–10.53 / 2023 ¶10.50 + App. 10CloudCloud risk assessment; data/key ownershipDeployable on FI VPC or managed cloud; FI retains data ownership; KEK under FI/env control; no receipt image upload to WaspadaArchitecture + DPIA data flowsDesignFI must complete their cloud assessment; Waspada supplies DPIA inputs
S 10.33–10.39 (network) + /healthOps resilienceResilient design; monitoringRedis shared JTI/rate-limit/tickets; REQUIRE_REDIS refuses memory soft-fail; /health (postgres, store backend); Streams + SSE pub/subStore backend, event bus, SSE publisherPartialMulti-AZ / DC resilience is platform (Railway/FI VPC). Chaos/load report pending
§11 + Appendix 5Cybersecurity ManagementBaseline cyber hygiene for systems processing FI dataHardened runtime (no demo signing oracle); PII dual gate; RDAP SSRF caps; replay jti; rate limits; prod boot guardsAppSec hardening trail; extraction CI gate; VAPT engagement briefPartialIndependent VAPT / external assurance not yet obtained — brief scoped for hire; FI expectation under §11 and Appendix 5 (Control Measures on Cybersecurity)
S 12 Technology AuditAuditabilityEvidence for internal/external tech auditMeasured extraction CI gate; encrypted durable alerts; event bus idempotency (processed_events); STIX exportCorpus evaluation suite, B0–B4 schemaPartialExternal assurance pack (App. 9 style) not produced
§9 Technology Risk ManagementRisk frameworkIdentify/monitor tech riskDPIA residual risks (alias re-ID, NRIC regex ≠ DPIA sign-off); advisory-only until corroborationDPIA, advisory contractDraftBoard-level TRMF is FI responsibility
PDPA (adjacent, not RMiT)PrivacyLawful processing / minimisationOn-device strip NRIC/phone/email; alias policy include/hash/omit; crypto-shred designSDK PII gate; alias policy module; retention runbookPartialFormal DPIA sign-off pending

How to use this in a bank review

  1. FI maps each S row to their own control owner and evidence folder.
  2. Anything Partial / Gap becomes a pilot condition or contractual obligation (e.g. SIEM log shipping for 3-year retention).
  3. Do not mark the engagement “RMiT compliant” until the FI’s compliance function accepts this table + VAPT + completed cloud assessment.

Claims we still do not make

  • “BNM-approved” / “RMiT-certified”
  • HSM-backed KEK as shipped default
  • 3-year on-platform log retention without FI SIEM export
  • Replacement for the FI’s own RMiT gap analysis (¶15)

Change log

DateChange
2026-07-11Replaced stub with paragraph-cited table (BNM/RH/PD 028-98 2020; 2023 supersession noted)

Waspada AI: Enterprise infrastructure powering public defense.