Appearance
RMiT Control Mapping
Map Waspada components to Bank Negara Malaysia Risk Management in Technology expectations.
Not a certification. This is a CISO working table: paragraph → control → evidence → gap.
Source document
| Field | Value |
|---|---|
| Primary cite | BNM Policy Document Risk Management in Technology, BNM/RH/PD 028-98, issued 19 June 2020 |
| Supersession | Updated RMiT PD issued 1 June 2023 (cloud ¶10.50 / ¶15 / Appendix 10 phased). Paragraph numbers below are from the 2020 text we mapped against; re-verify cloud/MFA rows against the current PDF before a formal FI submission. |
| Official PDF | bnm.gov.my — PD-RMiT (2023) |
| Applicability note | RMiT binds financial institutions. Waspada is a third-party technology provider to FIs — the FI remains accountable (¶10.41). This table shows how Waspada supports an FI’s RMiT posture. |
Legend: S = Standard (must) in the PD · G = Guidance · Status = Waspada implementation maturity.
Control mapping
| RMiT cite | Domain (PD) | Expectation (summary) | Waspada control | Evidence | Status | Gap / residual |
|---|---|---|---|---|---|---|
| S 10.54–10.56 | Access control (§10) | Identify, authenticate, authorise users; authentication commensurate with risk | Partner RS256 JWT (iss / kid); analyst API key → short-lived SSE tickets (no long-lived key in query string); deny-by-default ingest | JWT verification module, analyst auth, production boot guards | Shipped | MFA for analyst console is FI-side (G 10.58 / 2023 MFA standard) — not implemented in Waspada UI |
| S 10.61(b) | Access / audit | User activities in critical systems logged ≥ 3 years, reviewed | Structured ingest / disposition / delivery logs; durable audit_events (B1); disposition rows with analyst_id: pilot-analyst | Gateway structured logs; audit event store; disposition records | Shipped (90d default) | Product retention default 90 days (PDPA-aligned). FI must set retention ≥ 3 years or export logs to their SIEM for ¶10.61 |
| S 10.16–10.19 | Cryptography | Strong crypto policy; key lifecycle; protected private-key environment | TLS in transit; client AES-256-GCM evidence; gateway RSA-SHA256 alert signatures from env PEM (no ephemeral in prod); per-row AES-256-GCM DEK + KEK wrap + AAD tenant_id:alert_id:field | Alert crypto module, gateway key pair loader, DPIA §4, KEK runbook | Shipped (app-level) | HSM/TEE (¶10.19) not claimed — KEK is env/KMS-bound; rotate-and-rewrap documented, not automated |
| S 10.41–10.47 | Third-party TSP | FI oversight of TSP; confidentiality; recoverability; logical segregation | Tenant isolation (tenant_id); encrypted alert blobs; advisory disposition (bank owns freeze); HTTPS-only FMS in production; FMS_DELIVERY_REQUIRED; ADV-005 public-triage quarantine (source_tier) so anonymous reports cannot reach FMS/corroboration | Advisory module, FMS delivery client, B0 schema constraints, advisory contract | Shipped (pilot); quarantine writers gated until public ingest | Formal SLA / regulator access clauses are contractual (FI↔Waspada), not code |
| S 10.49–10.53 / 2023 ¶10.50 + App. 10 | Cloud | Cloud risk assessment; data/key ownership | Deployable on FI VPC or managed cloud; FI retains data ownership; KEK under FI/env control; no receipt image upload to Waspada | Architecture + DPIA data flows | Design | FI must complete their cloud assessment; Waspada supplies DPIA inputs |
| S 10.33–10.39 (network) + /health | Ops resilience | Resilient design; monitoring | Redis shared JTI/rate-limit/tickets; REQUIRE_REDIS refuses memory soft-fail; /health (postgres, store backend); Streams + SSE pub/sub | Store backend, event bus, SSE publisher | Partial | Multi-AZ / DC resilience is platform (Railway/FI VPC). Chaos/load report pending |
| §11 + Appendix 5 | Cybersecurity Management | Baseline cyber hygiene for systems processing FI data | Hardened runtime (no demo signing oracle); PII dual gate; RDAP SSRF caps; replay jti; rate limits; prod boot guards | AppSec hardening trail; extraction CI gate; VAPT engagement brief | Partial | Independent VAPT / external assurance not yet obtained — brief scoped for hire; FI expectation under §11 and Appendix 5 (Control Measures on Cybersecurity) |
| S 12 Technology Audit | Auditability | Evidence for internal/external tech audit | Measured extraction CI gate; encrypted durable alerts; event bus idempotency (processed_events); STIX export | Corpus evaluation suite, B0–B4 schema | Partial | External assurance pack (App. 9 style) not produced |
| §9 Technology Risk Management | Risk framework | Identify/monitor tech risk | DPIA residual risks (alias re-ID, NRIC regex ≠ DPIA sign-off); advisory-only until corroboration | DPIA, advisory contract | Draft | Board-level TRMF is FI responsibility |
| PDPA (adjacent, not RMiT) | Privacy | Lawful processing / minimisation | On-device strip NRIC/phone/email; alias policy include/hash/omit; crypto-shred design | SDK PII gate; alias policy module; retention runbook | Partial | Formal DPIA sign-off pending |
How to use this in a bank review
- FI maps each S row to their own control owner and evidence folder.
- Anything Partial / Gap becomes a pilot condition or contractual obligation (e.g. SIEM log shipping for 3-year retention).
- Do not mark the engagement “RMiT compliant” until the FI’s compliance function accepts this table + VAPT + completed cloud assessment.
Claims we still do not make
- “BNM-approved” / “RMiT-certified”
- HSM-backed KEK as shipped default
- 3-year on-platform log retention without FI SIEM export
- Replacement for the FI’s own RMiT gap analysis (¶15)
Change log
| Date | Change |
|---|---|
| 2026-07-11 | Replaced stub with paragraph-cited table (BNM/RH/PD 028-98 2020; 2023 supersession noted) |