New PBI TSI Review and Implementation Services

PBI 9/15/PBI/2007



Page 2

Veda Praxis: Introduction

Page 3

Who are we?

PT Veda Praxis is your business partner in risk & control advisory. It was formed in October 2005 by experienced and dedicated professionals who are internationally certified and have wide experience in a variety of industries and in professional services at multinational consulting firms, and it started its business operations in December 2005.

“Veda” originally comes from the Sanskrit language and means “Knowledge”.

“Praxis” originally comes from an ancient European language and means “Practicing”.

Page 4

Our Vision & Mission

Vision

• Become your partner in establishing effective business control

Mission

• Deliver value services at full disclosure to our clients
• Participate in the ever-increasing business consciousness of control awareness
• Build a strong and on-going relationship with our clients in regard to continuous control implementation

Page 5

Our Value

• We help you better understand and manage your business risk
• We assist you in improving your business processes
• We assist you in improving your operating efficiency
• We assure the validity of your business information
• We deliver “down to earth” recommendations and assist you with the implementation
• We provide cost effective solutions for you

Page 6

Our Services

• Risk Management
• Information Technology Governance
• Internal Audit
• Business Process Improvement

Page 7

Why Veda Praxis

• We have internationally certified professionals
• We deliver results according to world class quality standards, based on world class knowledge and methodology combined with local values
• Extensive knowledge and experience in delivering Control and Risk Based services
• Committed to working on the basis of knowledge transfer, as a long term investment for the client, instead of creating dependencies of clients on consultants

Page 8

Background and Point of View

Page 9

Background

• Information technology development enables banks to improve the efficiency of operational activities and the quality of services to customers.
• The use of IT in a bank’s operational activities exposes the bank to new risks; therefore an effective IT Risk Management is needed.
• IT is a valuable asset to the bank. The management of IT is not just the responsibility of the IT working unit; it is the responsibility of all related parties.
• The IT infrastructure needs to be adequate in terms of Basel II implementation.
• A set of regulations covering the Implementation of Risk Management in the Utilization of Information Technology is needed.

Page 10

Structure of PBI and Guidelines

PBI No. 9/15/PBI/2007 (9 chapters)

• 1. General Provisions
• 2. Scope of Information Technology Risk Management
• 3. Implementation of Risk Management in the Use of Information Technology (consists of 4 parts)
• 4. Provision of Information Technology by Information Technology Service Providers
• 5. Electronic Banking
• 6. Reporting
• 7. Sanctions
• 8. Transitional Provisions
• 9. Closing Provisions

Pedoman Penggunaan Teknologi Sistem Informasi oleh Bank (Guidelines on the Use of Information System Technology by Banks; 10 chapters)

• I. Management
• II. System Development and Acquisition
• III. Information Technology Operational Activities
• IV. Communication Network
• V. Information Security
• VI. Business Continuity Plan
• VII. End User Computing
• VIII. Electronic Banking
• IX. Information Technology Internal Audit
• X. Guide to the Use of Information Technology Service Providers

Page 11

Our Point of View on the PBI

• Every bank has a different risk exposure. Therefore, the implementation of controls differs for each bank, and a preliminary risk analysis is needed.

• Every bank has a different organizational structure, information technology complexity and business needs. Therefore there is no single standard that can be applied equally to all.

• By complying with a standard or regulation, a bank can obtain benefits that support the achievement of its business goals.

Why?

Page 12

Our Enhanced Approach

[Diagram. Map I: Identify & Score (Benefit, Risk); Analyze (Inherent Risk, Covered Risk, PBI, Gap Analysis, Residual Risk, Scored Benefits, Target Maturity). Map II: Review (Current Condition, Current Maturity, Target Maturity, Maturity Gap, Risk Tolerance); Implementation; Monitoring.]

Page 13

General Approach Types Related to Control Selection

Bottom-Up

• Identify control compatibility between PBI TSI and existing controls

Risk Driven

• Identify business risks
• Map risks according to PBI TSI controls
• Identify controls according to the mapping result

Top-Down

• Identify IT and business goals
• Map IT goals according to PBI TSI controls
• Identify existing controls according to the mapping result

Page 14

Combination of Top-Down and Risk Driven Approach (Optimum Benefit)

Reasons

• The Top-Down approach provides results driven by business and IT goals, not by current IT priorities and capabilities.

• The Risk-Driven approach provides results focusing on risk level (high, medium and low).

• Combining the two approaches achieves two objectives: achieving business and IT goals and also mitigating risks related to the utilization of IT.

Page 15

Our Services Related to PBI TSI

Page 16

Review/Assess Service

• Quick Scan
• High Level Review
• Full Scope Review
• By Area Review

Page 17

Implementation Services

• Full Scope Implementation
• By Area Implementation

Page 18

Type of Review Service

Page 19

Quick Scan Review

Definition

• A quick scan review provides a simple portrait of your bank’s compliance against the PBI. A list of controls derived from the PBI is given values of “comply” or “not comply” solely based on interviews. A quick scan review is estimated to be done within two weeks, depending on the interview schedule.

Main Activity

• Perform interviews with the related PIC to set values in our PBI Compliance Checklist

Deliverables

• Conclusion
• Executive Summary
• Compliance Checklist

Estimated Man Days

• 20 – 30 man days

Page 20

High Level Review

Definition

• A high level review provides the bank with its compliance state against the PBI and recommendations on how to fill the compliance gaps. The service is performed through interviews, high level documentation reviews and inspections.

Main Activity

• Perform interviews, high level documentation reviews and inspections to assess the bank’s control design effectiveness

Deliverables

• Conclusion
• Executive Summary
• Findings and Recommendations
• Compliance Checklist

Estimated Man Days

• 70 – 130 man days

Page 21

Full Scope Review

Definition

• A full scope review is performed using the Veda Praxis Optimum Benefits Methodology. Our service provides a gap analysis between the existing control maturity level and the required control maturity level for each control. A full scope review is a tailored, complete review solution.

Main Activity

• Perform risk and benefit analysis, identify the required maturity level, identify the current maturity level, perform gap analysis

Deliverables

• Conclusion
• Executive Summary
• Required Maturity Level, Current Maturity Level, Gap Analysis
• Findings and Recommendations
• Compliance Checklist

Estimated Man Days

• 300 – 500 man days

Page 22

By Area Review

Definition

• A by area review is performed using the Veda Praxis Optimum Benefits Methodology. Our service provides a gap analysis between the existing control maturity level and the required control maturity level for each control. The bank may choose to use our service on a specific area based on the PBI.

Main Activity

• Perform risk and benefit analysis, identify the required maturity level, identify the current maturity level, perform gap analysis

Deliverables

• Conclusion
• Executive Summary
• Required Maturity Level, Current Maturity Level, Gap Analysis
• Findings and Recommendations
• Compliance Checklist

Estimated Man Days

• Estimated man days may vary from 35 to 110 man days depending on the review area

Page 23

Type of Implementation Service

Page 24

Full Scope Implementation

Definition

• A Full Scope Implementation is our complete solution using the Veda Praxis Optimum Benefits methodology. Based on the gap analysis made in our Full Scope Review service, an implementation plan is made and executed to close the gaps. A Full Scope Review service is a prerequisite.

Main Activity

• Develop IT Plan, Implement IT Plan, Evaluate Implementation Result

Deliverables (depending on the gaps)

• Executive summary
• IT Plan
• Standards, policies and procedures
• Technology architecture
• Post implementation review document
• Other deliverables

Estimated Man Days

• To be determined

Page 25

By Area Implementation

Definition

• A By Area Implementation is the next step of our Optimum Benefits methodology. Based on the gap analysis made in our By Area Review service, an implementation plan is made and executed to close the gaps. A By Area Review service on the same area is a prerequisite.

Main Activity

• Develop IT Plan, Implement IT Plan, Evaluate Implementation Result

Deliverables (depending on the gaps and the area)

• Executive summary
• IT Plan
• Standards, policies and procedures
• Technology architecture
• Post implementation review document
• Other deliverables

Estimated Man Days

• To be determined

Page 26

Review Services Methodology

Page 27

Review Methodology

Each review service runs through four phases: Define, Analyze, Review and Deliverables. Each larger service adds activities to those of the smaller one.

Quick Scan

• Define: Identify PIC, Schedule Interview
• Analyze: Identify IT Environment
• Review: Perform Interviews
• Deliverables: Executive Summary, Compliance Gap, Management Presentation

High Level (in addition to Quick Scan)

• Define: Identify Review Scope
• Analyze: Analyze IT Complexities
• Review: Perform High Level Review
• Deliverables: Findings & Recommendation

Full Scope / By Area (in addition to High Level)

• Define: Identify Benefits, Identify Risks
• Analyze: Determine Required Maturity
• Review: Perform Detail Review, Determine Existing Maturity
• Deliverables: Required Maturity, Existing Maturity, Maturity Gap

Page 28

Detail Review Methodology

Page 29

Quick Scan - Define

Identify PIC: The persons in charge for every review area are identified. Identifying the PIC is needed to obtain review information effectively by interviewing the responsible person.

Schedule Interview: An interview schedule is made for every PIC. The interview schedule is made with respect to the PIC’s responsibilities. Timeliness plays an important role, since the result of a Quick Scan Review is expected in a short time.

Page 30

Quick Scan - Analyze

Identify IT Environment: The identification of the bank’s IT environment is performed to gain a high level understanding of the current condition of the bank’s IT. This phase helps us obtain information for the interview process in the next phase. Identifying the IT environment may include:

• Vision and Mission
• Bank Management and Organization
• Business Strategy and IT Plan
• IT Standards, Policies and Procedures
• IT Processes
• IT Architecture (applications, hardware, network, etc.)

Page 31

Quick Scan - Review

Perform Interviews: The bank’s compliance with the PBI is reviewed using our compliance checklist tool, developed based on the “Konsep Pedoman Penggunaan TSI oleh Bank” (draft guidelines on the use of information system technology by banks) issued by the Central Bank of Indonesia. The tool helps the review to be performed effectively and efficiently.

The review is performed solely to obtain “comply/not comply” information for each control related to the area. The information is obtained only through interviews with the related PIC.

Page 32

Quick Scan - Deliver

Executive Summary: The results of all activities in the three previous phases are summarized and reported in the Executive Summary.

Compliance Gap: A completed compliance checklist is prepared based on the compliance review in the previous phase.

Management Presentation: The report is presented to management.

Page 33

High Level - Define

The “Define” phase in the High Level Review service has the same activities as those in the Quick Scan service (Identify PIC, Schedule Interview) with the following additional activity:

Identify Review Scope: Identify the scope of the PBI TSI high level review. This identification determines the scope of our review project, such as the scope of the bank’s branches, organizations, processes, procedures, etc.

Page 34

High Level - Analyze

The “Analyze” phase in the High Level Review service has the same activities as those in the Quick Scan service (Identify IT Environment) with the following additional activity:

Analyze IT Complexities: Based on the IT Environment identified, the IT complexities are assessed. The assessment result is used to determine the review areas of focus.

Page 35

High Level - Review

The “Review” phase in the High Level Review service has the same activities as those in the Quick Scan service (Perform Interviews) with the following additional activity:

Perform High Level Review: A high level review is performed using more than interview techniques. Documentation reviews, walkthroughs, observations and inspections are done in a high level approach. A high level review assesses the bank’s control design effectiveness. How effectively a control is implemented is not assessed.

Page 36

High Level - Deliver

The “Deliver” phase in the High Level Review service has the same deliverables as those in the Quick Scan service (Executive Summary, Compliance Gap, Management Presentation) with the following additional deliverable:

Findings & Recommendation: Based on the review, a list of findings and recommendations is prepared. The executive summary also includes a findings and recommendations summary.

Page 37

Define

The “Define” phase in the By Area/Full Scope Review service has the same activities as those in the Quick Scan plus the High Level services (Identify PIC, Schedule Interview, Identify Review Scope) with the following additional activities:

Identify Risks: A set of risks (which may be provided by the bank) is scored using our tools. The scoring process is performed through workshops with management.

Identify Benefits: A set of benefits (which may be provided by the bank) is scored based on the bank’s business and IT goals. The scoring process is performed through workshops with management.

Page 38

Analyze

The “Analyze” phase in the By Area/Full Scope Review service has the same activities as those in the Quick Scan plus the High Level services (Identify IT Environment, Analyze IT Complexities) with the following additional activity:

Determine Required Maturity: The required maturity for each control stated in the “Konsep Pedoman Penggunaan TSI oleh Bank” is set. The process is done through the mapping of each control to each risk and benefit.

Page 39

Review

The “Review” phase in the By Area/Full Scope Review service has the same activities as those in the Quick Scan plus the High Level services (Perform Interviews, Perform High Level Review) with the following additional activities:

Perform Detail Review: A detail review is performed using the same techniques as the high level review but at a different depth. The review goes as far as determining the control implementation effectiveness.

Determine Existing Maturity: The existing control maturity level is determined for each control based on the detail review.

Page 40

Deliver

The “Deliver” phase in the By Area/Full Scope Review service has the same deliverables as those in the Quick Scan plus the High Level services (Executive Summary, Compliance Checklist, Management Presentation, Findings & Recommendation) with the following additional deliverables:

Existing Maturity: A report document describing the bank’s current control maturity.

Required Maturity: A report document describing the bank’s required control maturity.

Maturity Gap: Based on the existing and required maturity levels, a gap analysis is performed.

Page 41

Detail Implementation Methodology

Page 42

Implementation Methodology

[Diagram: a Plan - Do - Check - Act cycle across People, Process and Technology.]

PLAN

• Gap Analysis
• Develop IT Plan

DO

• People: Align IT Organization; Implement IT Organization
• Process: Design Standards, Policies, and Procedures; Implement Standards, Policies, and Procedures
• Technology: Design Technology Architecture; Develop/Acquire New Systems; Implement Systems Improvement

OPERATE

CHECK

• Monitor and Evaluate

ACT

• Maintain and Improve

Page 43

Plan : Develop IT Plan

Based on the gap analysis, an IT plan is developed. The plan contains projects to improve IT in the areas of people, process and technology. The projects are not necessarily divided by these areas (people, process and technology); a project may involve improvement in all of the areas.

Page 44

Do : People

Align IT Organization: A design of the IT organization is developed based on the gap analysis. The design is not limited to the organization structure and job descriptions, but also covers committees and other improvements that have a significant effect on the organizational (people) aspect. The design may include the following:

• IT Steering Committee
• Information Security Incident Response Team
• IT Strategic Plan
• Training and recruitment plan

Implement IT Organization: The IT organization design is implemented. The activities may involve, but are not limited to, recruitment, socialization, training and management meetings. Our services in this phase are limited to assisting the bank with the socialization of the new IT Organization.

Page 45

Do : Process

Design Standards, Policies, and Procedures: Standards, policies and procedures are designed based on the PBI. The activities may involve further interviews with the process owners to obtain accurate information on the process.

Deliver Standards, Policies, and Procedures: The standards, policies and procedures are socialized. The activities may involve:

• Training and workshops
• Socialization through emails, banners, etc.

Our services in this phase are limited to assisting the bank in socializing the standards, policies and procedures.

Page 46

Do : Technology

Design Technology Architecture: A future technology architecture is developed as a guideline for improving the organization’s technology. The future architecture covers all technology aspects: applications, network, information and hardware.

Develop/Acquire New System & Implement System Improvement: Based on the future technology architecture, improvements are made and new systems are acquired or developed. Our role in these activities is to help the bank make sure that improvements and new systems are built as required and delivered using the correct change management framework. We also perform a Post Implementation Review at the end of each implementation.

Page 47

Check

Once the implementation is finished and has gone into operation, the bank should monitor and evaluate the operation to ensure the operational effectiveness of controls as required by the “required control maturity level”.

Page 48

Act

Based on the improvement plan, the bank will perform improvements in the required areas. We do not provide any services at this stage.

Page 49

Questions and Answers