Bank Indonesia Regulation 9/15/2007 IT Risk Management

Date post: 27-Jul-2015
Upload: anjar-priandoyo

Transcript
Page 1: Bank Indonesia Regulation 9/15/2007 IT Risk Management

Why Bank Indonesia is very powerful?

Anjar Priandoyo 2015

BI Regulation from 9/15/2007 IT Risk Management Perspective

Page 2:

Law & Regulations in Indonesia

Institution | Regulation | Scope
Government of Indonesia | UU ITE 2008, Information & Electronic Transaction Law, Articles 15 and 16 | Data security, integrity, availability
Government of Indonesia | Peraturan Presiden no 54 tahun 2010 | Procurement of goods/services, including IT
BPMIGAS (The Upstream Oil and Gas Executive Agency) | PTK 007 BPMIGAS 2011 | Applicable to all upstream oil & gas operations in Indonesia, including PSCs and contractors
Bank of Indonesia | PBI 9/15/2007 IT Risk Management | IT risk management; electronic banking regulation; third-party independent review for e-banking/e-payment product launching
Bank of Indonesia | PBI 11/11/2009 Card Based Payment System | Card-based payment system; registration process for e-banking systems
Bank of Indonesia | PBI 1/6/1999 SPFAIB | Internal audit function and standards
Bursa Efek Indonesia | Peraturan Bursa Efek Indonesia 2010 | Remote trading; business continuity plan

Page 3:

Why Bank Indonesia is Powerful? Part #1

Huge population; there are 131 banks in Indonesia, and the central bank is one of the most powerful institutions in the country.

Page 4:

Why Bank Indonesia is Powerful? Part #2

BI monitoring is very effective (bank supervision has since moved to OJK), and the BI organisation has been working since Independence.

• BI regularly performs intensive monitoring and reviews
• Every late or inaccurate report is fined
• BI authorises and approves new technology-related products, such as an Internet banking launch or an ATM launch

Page 5:

Why Bank Indonesia is Powerful? Part #3

BI's coverage spans every aspect of a bank's business operations.

• The structure of BI regulation is as follows:
  BI Regulation (Peraturan Bank Indonesia), e.g. PBI 9/15/2007 IT Risk Management
  Circular Letter (Surat Edaran Bank Indonesia), e.g. SEBI 9/30/DPNP IT Risk Management. DPNP = Direktorat Penelitian dan Pengaturan Perbankan (Directorate of Banking Research and Regulation)
− Sample PBIs:
  SPFAIB (Standar Pelaksanaan Fungsi Audit Internal Bank, Standards for the Implementation of the Bank Internal Audit Function): PBI 1/6/1999
  IT Risk Management: PBI 9/15/2007
  APMK (Alat Pembayaran Menggunakan Kartu, Card-Based Payment Instruments): PBI 11/11/2009
  Good Corporate Governance: PBI 8/4/2006; PBI 11/33/2009 (for Sharia banks)
  Know Your Customer (KYC): PBI 11/28/2009

Page 6:

Why Bank Indonesia is Powerful? Part #4

PBI 9/15/2007 is the de facto standard for IT security in Indonesia.

• Although there are a Ministry of IT, an oil & gas regulatory body and a telco regulatory body, in reality most companies choose PBI 9/15/2007 as their reference.
• The fast-growing volume of finance-related transactions involving non-banking industries demands the highest level of security, and the reference for that level is BI.

Page 7:

Case Study #1 – IT Audit Based on PBI 9/15/2007

Page 8:

Scenario #1 IT Audit Based on PBI 9/15/2007

• Relation between PBI 9/15/2007 & SEBI 9/30/DPNP

PBI 9/15/2007: "Provisions governing the application of risk management in the use of information technology by commercial banks need to be established in a Bank Indonesia Regulation."

SEBI 9/30/DPNP: "This guideline sets out the main points of applying risk management in the use of IT, which banks must implement to mitigate the risks associated with operating IT."

Page 9:

Scenario #1 IT Audit Based on PBI 9/15/2007

An integrated, end-to-end IT assurance: the beauty of an integrated framework

1. MANAJEMEN (Management)
2. PENGEMBANGAN DAN PENGADAAN (Development and Procurement)
3. AKTIVITAS OPERASIONAL TEKNOLOGI INFORMASI (IT Operations)
4. JARINGAN KOMUNIKASI (Communication Network)
5. PENGAMANAN INFORMASI (Information Security)
6. BUSINESS CONTINUITY PLAN
7. END USER COMPUTING
8. ELECTRONIC BANKING
9. AUDIT INTERN TEKNOLOGI INFORMASI (IT Internal Audit)
10. PENGGUNAAN PIHAK PENYEDIA JASA TEKNOLOGI INFORMASI (Use of IT Service Providers)

Page 10:

Scenario #2 IT Audit Based on PBI 9/15/2007

• Scope of PBI 9/15/2007:

1. MANAJEMEN (Management)
2. PENGEMBANGAN DAN PENGADAAN (Development and Procurement)
3. AKTIVITAS OPERASIONAL TEKNOLOGI INFORMASI (IT Operations)
4. JARINGAN KOMUNIKASI (Communication Network)
5. PENGAMANAN INFORMASI (Information Security)
6. BUSINESS CONTINUITY PLAN
7. END USER COMPUTING
8. ELECTRONIC BANKING
9. AUDIT INTERN TEKNOLOGI INFORMASI (IT Internal Audit)
10. PENGGUNAAN PIHAK PENYEDIA JASA TEKNOLOGI INFORMASI (Use of IT Service Providers)

Page 11:

Case Study #2 – E-Banking Product Launching

Page 12:

PBI Usage Case Study #1 Product Launching

Page 13:

Credit Card Transaction Mechanism

Parties in the diagram:
NASABAH: customer (cardholder)
BANK PENERBIT "ABC": Bank Penerbit Kartu Kredit, the credit card issuing bank (ISSUER)
BANK PENGELOLA "XYZ": the bank that partners with the merchant (ACQUIRER)
MERCHANT: business partner that accepts credit card transactions. MDR = Merchant Discount Rate
PRINCIPAL: Visa, MasterCard, JCB, BCA
EDC: the electronic data capture terminal at the merchant
OTORISASI: authorisation
N: product price
Pembayaran Lembar Tagihan: payment of the billing statement

Fee flows shown in the diagram, each as a share of N:
Fee: < 1.6% x N
Fee: < 0.25% x N
Fee: < 1.15% x N
(MDR = < 3% x N; the three fee components add up to the MDR)

Page 14:

EDC Machine

Comparison of EDC terminals. The slide's columns are Vendor, Series, Physical View, Processor, Memory, Display, Magnetic Card Reader, Smart Card Reader and SAM Card Reader; the Physical View row is a product photo and is not reproduced here.

VeriFone Vx 510
  Vendor: VeriFone
  Processor: 200 MHz ARM9 32-bit RISC processor
  Memory: 3 MB (dial only) or 6 MB (4 MB of Flash, 2 MB of SRAM)
  Display: 128 x 64 pixel graphical LCD with backlighting; supports 8 lines x 21 characters
  Magnetic Card Reader: Triple track (tracks 1, 2, 3), high coercivity, bi-directional
  Smart Card Reader: [optional] ISO 7816, 1.8V, 3V, 5V; EMV Level 1 and 2 type approved
  SAM Card Reader: [optional] 3 Security Access Modules (SAMs)

Ingenico i5100
  Vendor: Ingenico
  Processor: 29 MHz ARM7 processor
  Memory: 2 MB RAM / 4 or 8 MB Flash
  Display: Graphic 128 x 64, backlit yellow/green
  Magnetic Card Reader: Triple track (tracks 1, 2, 3)
  Smart Card Reader: 1 smart card reader
  SAM Card Reader: up to 3 Security Access Modules (SAMs)

KeyCorp K23
  Vendor: KeyCorp
  Processor: 16-bit CPU, optional cryptographic co-processor
  Memory: 1 MB SRAM (up to 2 MB), 4 MB Flash (up to 8 MB)
  Display: 128 x 64 backlit graphics display
  Magnetic Card Reader: Magnetic stripe and chip card readers
  Smart Card Reader: Accepts a range of smart cards including EMV chip cards
  SAM Card Reader: [optional] Upgradeable up to 4 SAMs

Hypercom Optimum T2100
  Vendor: Hypercom (now Verifone)
  Processor: 32-bit RISC processor with 32-bit memory access
  Memory: 4 MB Flash, 8 MB SDRAM (standard) and 512 KB battery-backed SDRAM
  Display: 64 x 128 pixels; LED backlight
  Magnetic Card Reader: Triple track (tracks 1, 2, 3)
  Smart Card Reader: EMV 4.0 Level 1 and 2 certified; ISO 7816
  SAM Card Reader: 3 SAM sockets

Hypercom T7 Plus
  Vendor: Hypercom (now Verifone)
  Processor: 32-bit ARM9 processor
  Memory: RAM 512 KB; 1 MB optional; EPROM 32 KB
  Display: 2 lines x 20 characters text display standard, 4 lines x 20 characters text display optional, with backlight
  Magnetic Card Reader: Tracks 1, 2; tracks 1, 2, 3 optional
  Smart Card Reader: ISO 7816, EMV-compliant, non-captive
  SAM Card Reader: 4 SAMs

Omni 3750
  Vendor: Omni (now Verifone)
  Processor: 32-bit microprocessor
  Memory: 3, 4, or 6 MBytes
  Display: 128 x 64 pixel LCD with backlighting; supports 8 lines x 21 characters, including graphics
  Magnetic Card Reader: Triple track (tracks 1, 2, 3), high coercivity, bi-directional
  Smart Card Reader: ISO 7816, 3V or 5V; EMV Level 1 and 2 type-approved
  SAM Card Reader: 2 or 4 SAMs optional

Axalto/Gemalto Magic 3 X-8
  Vendor: Axalto/Gemalto (now Verifone)
  Processor: Main processor: 32-bit ARM9 microprocessor, 200 MHz, MMU; secure processor: 32-bit microprocessor
  Memory: 8 MBytes flash, 16 MBytes SDRAM
  Display: 128 x 64 pixel graphical LCD with backlighting; icon bar
  Magnetic Card Reader: Bi-directional magnetic stripe reader, ISO tracks 1, 2 and 3
  Smart Card Reader: Smartcard reader, EMV 4.0 certified
  SAM Card Reader: SAM readers: 4 SIM format, or 3 SIM format + 1 full-size (optional)

Page 15:

EDC Transaction Mechanism

(Flow diagram with steps numbered 1 to 10. Nodes: the EDC's Network Connection; NAC Host Bank Mandiri; VISA Net; NAC Host Bank Lain (the other bank's host), reached through Jaringan Bank Lain (the other bank's network) over its own Network Connection; and the three receipt copies: Bank Copy, Merchant Copy and Customer Copy, with PIN: XXXXXX.)

Page 16:

Questions?