With the announcement that conformance to the Basel II Capital Accord
must be achieved by 2006, the banking industry now has a defined
timeline for regulatory compliance, and IT systems will play a crucial
role in meeting it. In response, the digital security consultancy
@stake has launched a Basel II information security model, the
‘5x5 Blueprint’, to support the corresponding digital
risk management needs.
As with Y2K, banks are presented with a calendar
date as the target for adherence. Unlike Y2K, however, compliance
is mandatory if institutions are to continue trading. And, according
to @stake’s director of strategic solutions, Samir Kapuria,
“The challenge is greater in other areas. Where Y2K was a
surge of IT activity oriented just around ensuring information system
availability, Basel II’s operational risk requirements have
to include not just information availability but confidentiality
and integrity too.”
The Basel II Capital Accord is an amended regulatory
framework developed under the Bank for International Settlements.
It requires all internationally active banks, at every tier of
the banking economy, to adopt similar or consistent risk-management
practices for tracking and publicly reporting their exposure to operational,
credit and market risk. Banks therefore need to plan, implement
and maintain a comprehensive programme of risk prevention, detection,
analysis and management.
The @stake Basel II team believes that the
right digital risk approach will deliver the measures required:
Basel II gives financial services organisations a rare opportunity
to build an enterprise in which business systems are genuinely connected,
available and secure. Doing so, however, requires a rigorous
step-by-step approach.
“The key task is to be able to move from
ignorance through negligence and onto compliance in what are now
very tight timescales,” adds Kapuria.
@stake’s 5x5 Blueprint – Basel II
To prepare for digital information security conformance,
@stake has prepared the 5x5 Blueprint, a five-step plan for achieving a successful
compliance implementation once the institution clearly understands
the requirements presented by Basel II.
1. Identification – the scope of corporate compliance and risk management
* Identify individual operational processes, people and technology.
* Identify the critical technology infrastructure that enables corporate
operations.
* Identify areas of operational risk – for instance, digital
assets and information.
* Identify business dependencies on digital assets.
* Identify third-party relationships – those who control, access
or manage digital assets and/or carry operational responsibilities.
2. Assessment – defining the current state
* Assess legal requirements – domestic and international compliance
requirements, service level agreements, client contracts.
* Assess business requirements – information privacy, availability
and integrity.
* Assess operational capabilities – employee skillset, existing
infrastructure and processes.
* Assess risk tolerances – corporate risk posture, compliance
adherence goals.
* Assess threats and vulnerabilities in the existing IT environment
- including applications, networks, operational procedures and policies.
3. Development – producing a taxonomy for evaluation and prioritisation
* Rank business functions and requirements based on information type,
reliance and criticality.
* Conduct gap analyses – map the organisation’s capabilities
against its compliance goals.
* Map critical business functions to the results of the risk assessments.
* Identify short-term and long-term goals based on the prioritisation
results.
* Highlight areas that carry high levels of risk and are critical
to corporate operations; treat these as urgent and address
them first.
4. Compartmentalisation – develop clear risk zones and a return on risk management
* Use the previously defined taxonomy as a skeleton for architecting
risk zones based on information criticality and threats.
* Compartmentalise information into zones, thereby localising exposures
and containing the effects of a breach.
* Use the zone architecture to focus the organisation’s
risk management efforts and expenditure: remediation is scoped to
the areas that need it, which in turn reduces the scope of required
capital set-asides.
* Employ the zone architecture to balance risk prevention, detection,
response and management requirements.
* Decide whether a zone contains critical information and requires
a comprehensive portfolio of prevention, detection, response and
management, or whether a zone is of low criticality and might only
require detection and response postures.
5. Management – ongoing operation
* Use the new risk-detection capabilities for ongoing monitoring.
* Provision risk logging to meet the reporting requirements.
* Maintain ongoing information security feeds to monitor evolving
risks and future threats.
* Establish and test incident readiness capabilities.
* Conduct regular reviews of the operational risk management posture,
incorporating external and internal changes within the organisation,
for instance through change management and patch management processes.
“Many facets influence an industry’s
digital risk management needs. Considerations of the commercial
environment, intellectual property protection, data privacy, and
reputation preservation are several elements that determine the
extent and type of risk associated with a particular corporate profile.
In the financial services market all of these elements and more
are critical, which has led to a relatively mature understanding
of the need for effective risk management within the sector.
“As such, the financial services sector
is closely monitored as a model for other verticals to manage risk.
The processes and outcomes to achieve compliance to the Basel II
Accord will undoubtedly act as a framework for the risk management
in other industries and the lessons for the management of risk and
information security professionals should be learned now,”
added Kapuria.
www.atstake.com
Date: 30th January 2004. Region: Worldwide. Type: Article. Topic: Operational risk.