In essence, the abovementioned PBI addresses the following items:

i. The minimum requirements for IT implementation in banks are:

1) Active supervision by the Board of Commissioners and Directors;

2) Adequate IT Operational Policy and Procedure;

3) Adequate process in identifying, measuring, monitoring, and controlling IT risks; and

4) Internal control system for IT implementation.

ii. According to the BI regulation on IT risk management, banks are required to implement risk management consisting of the identification, measurement, monitoring, and control of the risks associated with the use of IT. In the development of a risk-based management system for IT implementation, attention should be paid to:

1) The function of the IT Steering Committee in giving recommendations to the Board of Directors in regard to the strategic planning for IT development and implementation in order to ensure the IT implementation plan is aligned to the overall business plan of the bank;

2) The establishment of IT policy and standard operating procedures that contain at least the aspects of management, development and purchasing, IT operations, communication network, information security, and outsourcing;

3) The existence of Business Continuity Plan and Disaster Recovery Plan that has been tested at least annually;

4) The protection of information to ensure confidentiality, integrity, and availability of the information. This includes the aspects of technology, human resources and processes in the use of IT, and covers bank asset management related to information, human resources policy, physical security, access security, operational security, and other aspects of IT implementation.

5) The conduct of periodical IT internal or external audit. In the case of limitation of the ability of internal auditors, banks are allowed to hire external auditors.

iii. In the case of outsourcing:

1) Banks can implement an in-house system and/or outsource the IT services to an IT vendor provided they comply with the following requirements:

a) Bank is still responsible for the application of the risk-based management;

b) The IT vendor can guarantee the security of the information, including the privacy of the banking and customer/client’s data;

c) The IT vendor is providing access to the information for internal auditors, external auditors and Bank Indonesia supervisors;

d) The IT vendor is willing to accept early termination of the service contract if it is later found that the service contract is causing difficulties in the conduct of banking supervision by Bank Indonesia.


2) Banks should permit the internal auditors, external auditors, and auditors from Bank Indonesia to have access to data and information, whenever needed. This should be done in a timely manner for current and past data.

3) Outsourced Data Center (DC) and Disaster Recovery Center (DRC) are required to be located in Indonesia. If they are not located in Indonesia, Bank Indonesia’s pre-approval is necessary, and the banks have to fulfill the abovementioned requirements for outsourcing as well as additional requirements.

4) The outsourcing of the process for IT-supported transactions can only be carried out with pre-approval from Bank Indonesia. The bank is required to comply with the abovementioned outsourcing requirements as well as meet additional requirements:

a) The activities outsourced are not inherent banking function activities;

b) The supporting documents of the transactions done in Indonesia have to be maintained in the bank office located in Indonesia;

c) The bank’s business plan indicates that the bank is making effort to expand its role in the development of Indonesia’s economy.

iv. Electronic Banking (e-banking)

Banks launching an e-banking product entailing financial transactions are required to include the implementation plan in the bank’s business plan, and the documents are to be submitted to Bank Indonesia two months before the product launch. The submission has to be accompanied by a product assessment to be performed by an independent reviewer in regard to the product characteristics and the adequacy of the IT security. Banks are also required to furnish a product educational programme for educating their customers on the e-banking product and its security features.

Figure 15

Status of IT Supervisory Framework

Regarding IT supervisory framework,

| No. | Item | Yes/No |
|---|---|---|
| 1 | Is IT Implementation reported regularly? | Yes |
| 2 | Is IT audit conducted? | Yes |
| | - By bank/IT supervisors from supervisory authority | Yes |
| | - Off-site | Yes |
| | - On-site | Yes |
| | - By internal or external (third party) auditors (on-site) | Yes |
| | - Special IT audit/examination outside regular examination (on-site) | Yes |
| 3 | Does the formal framework exist? | Yes |
| 4 | If yes, is it stipulated in a regulation? | Yes |
| 5 | Is there minimum requirement in IT Implementation? | Yes |
| 6 | Are the following items implemented: | |
| | - Active supervision by Top Management (IT Steering Committee) | Yes |
| | - IT Policy and Standard Operating Procedure | Yes |
| | - IT risk is included in the risk-based management | Yes |
| | - System development life cycle | Yes |
| | - All layers of IT system | Yes |
| | - Internal control system for IT Implementation | Yes |
| | - Business Continuity Plan and Disaster Recovery Plan | Yes |
| | - Periodical IT audit (internal/external) | Yes |
| 7 | Because it involves supervision procedure, is IT outsourcing especially regulated? | Yes |
| 8 | Because it involves consumer protection, are e-banking products especially regulated? | Yes |
| 9 | Are any IT-related laws (cyber law, e-commerce, | |


5.3 References / Orientation for the Prevailing Supervisory Framework