Independent, examiner-grade Data Centre, Network and Threat-and-Vulnerability Risk Assessments aligned to Bank Negara Malaysia's Risk Management in Technology (RMiT) Policy Document, including the 2023 revision's outsourcing and data-centre operations expectations.
The RMiT Policy Document is the binding regulatory standard for technology and cyber risk at every licensed financial institution under BNM supervision. The 2023 revision tightened expectations on outsourcing and on the resilience of data-centre and infrastructure-hosting arrangements, with paragraph 10.51 onwards governing material outsourcing and the corresponding risk-management treatment that must follow. In practice, BNM examiners look for documented, independent risk assessment of every facility that holds the FI's production workloads — primary, secondary and DR — across the full physical-to-cyber stack.
That assurance is what Data Centre Risk Assessment, Network Risk Assessment and Threat-and-Vulnerability Risk Assessment exist to produce. They are not interchangeable: DCRA is the holistic facility view, NRA is the network-resilience deep-dive, and TVRA is the threat-actor-and-residual-risk quantification that MAS-regulated workloads (and increasingly BNM workloads with cross-border data flows) require alongside DCRA.
We deliver the three as a packaged programme or individually. The deliverables are written for two audiences in parallel: the FI's board risk committee and the BNM examiner. Every finding references the specific RMiT clause it relates to, so the audit trail from finding to regulatory requirement is a single step.
Data Centre Risk Assessment (DCRA): physical security, electrical and mechanical resilience, fire suppression, environmental controls, BCP, operations, cyber posture at the facility, supplier review. Maps to TIA-942, the Uptime Tier framework, ISO 27001 Annex A.11, MS ISO/IEC 27017 (cloud) and BNM RMiT 10.51 (outsourcing).
Network Risk Assessment (NRA): logical and physical network architecture, segmentation, inter-site connectivity, telco diversity, BGP and routing hygiene, DDoS posture, lawful-intercept readiness. Often run alongside DCRA when active-active or geographically split workloads are in scope.
Threat-and-Vulnerability Risk Assessment (TVRA): named threat-actor library, vulnerability enumeration, control mapping, residual-risk quantification. Required where workloads fall under MAS supervision, where NCII workloads under the Cyber Security Act 2024 are co-located, or where the FI's own threat model calls for the formal methodology.
Scoping and document review. Joint scoping with the FI's CISO and the data-centre operator. Document review covers site topology, electrical and mechanical schematics, BCP, operations runbooks, prior audit reports and the RMiT-relevant policy mapping.
On-site assessment. Multi-day on-site at primary and secondary facilities: physical walk-through, controls observation, interviews with operations, security, NOC and facilities teams. Produces a photographic and configuration evidence pack.
Network and cyber review. External and internal network posture review, segmentation validation, DDoS-posture review, supplier and telco diversity check, perimeter and core cyber controls. Where in scope, light-touch active testing is performed under controlled change windows agreed with the FI.
Analysis and risk scoring. Findings are consolidated and mapped to TIA-942, Uptime, ISO 27001 and RMiT clause references. Residual risk is scored with the FI's own risk methodology so it lands cleanly in the existing risk register.
Reporting and board readout. Examiner-ready report, executive summary and 12-month remediation roadmap, presented to the board risk committee with a Q&A pack pre-built for the next BNM thematic examination.
Data Centre Risk Assessment (DCRA) is the holistic, facility-level review of a data centre supporting BNM-regulated workloads. Under the Risk Management in Technology (RMiT) policy document, financial institutions must satisfy themselves — and demonstrate to the regulator on examination — that their primary, secondary and disaster-recovery sites manage a defined set of physical, environmental, operational and cyber risks. DCRA is the assurance vehicle most Malaysian FIs and their colocation providers use to evidence that. The 2023 RMiT revision formalised the expectation that outsourced technology service providers under paragraph 10.51 onwards are subject to risk-management treatment equivalent to that applied to in-house data centres.
BNM does not prescribe a fixed cadence in the RMiT document, but expects frequency to reflect the criticality of workloads and the rate of change in the facility. In practice we see Tier-III and Tier-IV operators commission a full DCRA every 24 months, with a delta review on any material change (new tenant, significant electrical work, change of operator, change of segregation model). For FIs running active-active across two facilities, both sites are in scope of the cycle.
DCRA (Data Centre Risk Assessment) is facility-level — physical security, electrical and mechanical resilience, fire suppression, environmental controls, BCP, operations, and cyber controls at the perimeter and core. NRA (Network Risk Assessment) zooms into the logical and physical network — segmentation, inter-site connectivity, DDoS posture, BGP and routing hygiene, telco diversity. TVRA (Threat-and-Vulnerability Risk Assessment) is the formal MAS-style methodology that names threat actors, enumerates vulnerabilities, and quantifies the residual risk that remains after controls — often required when the facility hosts both BNM and MAS workloads, or NCII workloads under the Cyber Security Act 2024.
Three buyer profiles. (1) Licensed banks, insurers, takaful operators and DFIs running their own data centres or contracting colocation. (2) Colocation and hyperscale operators preparing to host FSI tenants, for whom DCRA is increasingly a customer pre-condition. (3) Cloud-region buildouts and managed service providers consolidating customer workloads. Whichever profile applies, the assessor must be independent of, and free of any conflict of interest with, both the operator and the FI tenant.
A typical DCRA report covers: facility classification (TIA-942 / Uptime Tier mapping), physical security review (CPTED, access control, CCTV, intrusion), electrical and mechanical resilience (N+1 / 2N analysis, single-points-of-failure), fire suppression and environmental controls, network and cyber posture at the facility, operational maturity (change management, incident management, BCP, DR drills), supplier and outsourcing review under RMiT 10.51, residual risk register, executive summary mapped to RMiT clause references, and a 12-month remediation roadmap. We package the deliverable so it is examiner-ready for both BNM and the FI's internal audit.
Scoping calls take 30 minutes. A full DCRA across primary plus DR sites typically runs 4-8 weeks from kickoff, with the board readout in week 9.