MAS Technology Risk Management Guidelines

Technology risk management guidelines issued by the Monetary Authority of Singapore (MAS) for the financial institutions it regulates. The Guidelines cover 15 domains, including technology risk governance, IT resilience, access control, cryptography, data and infrastructure security, cyber security operations, and IT audit. The tables below map the controls of each NIST SP 800-53 control family, listed by control ID and name, to the MAS TRM sections that address them; the MAS TRM References column gives the section numbers of the Guidelines.

AC Access Control

Control | Name | MAS TRM References
AC-01 | Access Control Policies and Procedures | 9
AC-02 | Account Management | 9
AC-03 | Access Enforcement | 15, 9
AC-04 | Information Flow Enforcement | 9
AC-05 | Separation Of Duties | 9
AC-06 | Least Privilege | 9
AC-07 | Unsuccessful Login Attempts | 9
AC-08 | System Use Notification | 9
AC-09 | Previous Logon Notification | 9
AC-10 | Concurrent Session Control | 9
AC-11 | Session Lock | 9
AC-12 | Session Termination | 9
AC-13 | Supervision And Review -- Access Control | 9
AC-14 | Permitted Actions Without Identification Or Authentication | 9
AC-15 | Automated Marking | 9
AC-16 | Automated Labeling | 9
AC-17 | Remote Access | 14, 9
AC-18 | Wireless Access Restrictions | 9
AC-19 | Access Control For Portable And Mobile Devices | 9
AC-20 | Use Of External Information Systems | 9
AC-21 | Information Sharing | 9
AC-22 | Publicly Accessible Content | 9
AC-23 | Data Mining Protection | 9
AC-24 | Access Control Decisions | 9
AC-25 | Reference Monitor | 9

AU Audit and Accountability

Control | Name | MAS TRM References
AU-02 | Auditable Events | 15
AU-06 | Audit Monitoring, Analysis, And Reporting | 12

CA Security Assessment and Authorization

Control | Name | MAS TRM References
CA-02 | Security Assessments | 13
CA-07 | Continuous Monitoring | 12, 7
CA-08 | Penetration Testing | 13

CM Configuration Management

Control | Name | MAS TRM References
CM-02 | Baseline Configuration | 11
CM-03 | Configuration Change Control | 7
CM-06 | Configuration Settings | 11
CM-07 | Least Functionality | 11
CM-12 | Information Location | 11
CM-14 | Signed Components | 6

CP Contingency Planning

Control | Name | MAS TRM References
CP-01 | Contingency Planning Policy And Procedures | 8
CP-02 | Contingency Plan | 8
CP-03 | Contingency Training | 8
CP-04 | Contingency Plan Testing And Exercises | 8
CP-05 | Contingency Plan Update | 8
CP-06 | Alternate Storage Site | 8
CP-07 | Alternate Processing Site | 8
CP-08 | Telecommunications Services | 8
CP-09 | Information System Backup | 8
CP-10 | Information System Recovery And Reconstitution | 8
CP-11 | Alternate Communications Protocols | 8
CP-12 | Safe Mode | 8
CP-13 | Alternative Security Mechanisms | 8

IA Identification and Authentication

Control | Name | MAS TRM References
IA-01 | Identification And Authentication Policy And Procedures | 9
IA-02 | User Identification And Authentication | 14, 9
IA-03 | Device Identification And Authentication | 9
IA-04 | Identifier Management | 9
IA-05 | Authenticator Management | 9
IA-06 | Authenticator Feedback | 9
IA-07 | Cryptographic Module Authentication | 9
IA-08 | Identification and Authentication (Non-Organizational Users) | 9
IA-09 | Service Identification and Authentication | 9
IA-10 | Adaptive Authentication | 9
IA-11 | Re-authentication | 9
IA-12 | Identity Proofing | 9

IR Incident Response

Control | Name | MAS TRM References
IR-04 | Incident Handling | 12, 7

MP Media Protection

Control | Name | MAS TRM References
MP-01 | Media Protection Policy And Procedures | 11
MP-02 | Media Access | 11
MP-03 | Media Labeling | 11
MP-04 | Media Storage | 11
MP-05 | Media Transport | 11
MP-06 | Media Sanitization And Disposal | 11
MP-07 | Media Use | 11

PL Planning

Control | Name | MAS TRM References
PL-09 | Central Management | 4

PM Program Management

Control | Name | MAS TRM References
PM-01 | Information Security Program Plan | 3, 4
PM-02 | Information Security Program Leadership Role | 3
PM-03 | Information Security and Privacy Resources | 3
PM-07 | Enterprise Architecture | 5
PM-09 | Risk Management Strategy | 3, 4
PM-14 | Testing, Training, and Monitoring | 13
PM-16 | Threat Awareness Program | 12
PM-28 | Risk Framing | 4

PS Personnel Security

Control | Name | MAS TRM References
PS-09 | Position Descriptions | 3

RA Risk Assessment

Control | Name | MAS TRM References
RA-01 | Risk Assessment Policy And Procedures | 4
RA-03 | Risk Assessment | 4
RA-05 | Vulnerability Scanning | 13
RA-07 | Risk Response | 4
RA-09 | Criticality Analysis | 13, 4
RA-10 | Threat Hunting | 12

SA System and Services Acquisition

Control | Name | MAS TRM References
SA-03 | Life Cycle Support | 5, 6
SA-04 | Acquisitions | 16, 5
SA-08 | Security Engineering Principles | 5, 6
SA-09 | External Information System Services | 16
SA-10 | Developer Configuration Management | 6
SA-11 | Developer Security Testing | 6
SA-15 | Development Process, Standards, and Tools | 5, 6
SA-16 | Developer-Provided Training | 6
SA-17 | Developer Security and Privacy Architecture and Design | 5, 6
SA-20 | Customized Development of Critical Components | 5, 6
SA-21 | Developer Screening | 16, 6

SC System and Communications Protection

Control | Name | MAS TRM References
SC-07 | Boundary Protection | 11, 14, 15
SC-08 | Transmission Integrity | 10, 14
SC-12 | Cryptographic Key Establishment And Management | 10
SC-13 | Use Of Cryptography | 10, 14
SC-23 | Session Authenticity | 14
SC-24 | Fail in Known State | 8
SC-26 | Decoys | 12
SC-28 | Protection of Information at Rest | 10, 15
SC-40 | Wireless Link Protection | 10
SC-41 | Port and I/O Device Access | 11
SC-44 | Detonation Chambers | 12
SC-45 | System Time Synchronization | 14

SI System and Information Integrity

Control | Name | MAS TRM References
SI-02 | Flaw Remediation | 7
SI-03 | Malicious Code Protection | 11
SI-04 | Information System Monitoring Tools And Techniques | 11, 12
SI-13 | Predictable Failure Prevention | 7
SI-16 | Memory Protection | 11
SI-17 | Fail-safe Procedures | 8

SR Supply Chain Risk Management

Control | Name | MAS TRM References
SR-01 | Policy and Procedures | 16
SR-02 | Supply Chain Risk Management Plan | 16
SR-03 | Supply Chain Controls and Processes | 16
SR-06 | Supplier Assessments and Reviews | 16