"Think Y2K information availability challenge with added confidentiality and integrity requirements"
With the announcement that conformance to the Basel II Capital Accord must be achieved by 2006, the banking industry finally has a defined timeline for regulatory compliance. IT systems will have a crucial role to play in achieving this. In response, and with an increasing number of financial institutions struggling to meet the requirements of Basel II compliance against the deadline, @stake, the digital security consultancy, has launched a Basel II Information Security model, the 5x5 Blueprint, to support the commensurate digital risk management needs.
As with Y2K, banks are presented with a calendar goal as a target for adherence and a significant challenge. Unlike Y2K, however, compliance is mandatory if institutions are to continue trading. And, according to @stake's director of strategic solutions, Samir Kapuria, "The challenge is greater in other areas. Where Y2K was a surge of IT activity oriented just around ensuring information system availability, Basel II's operational risk requirements have to include not just information availability but confidentiality and integrity too."
The Basel II Capital Accord is an amended regulatory framework, developed by the Bank for International Settlements, that requires all internationally active banks, at every tier within the banking economy, to adopt similar or consistent risk-management practices for tracking and publicly reporting exposure to operational, credit and market risks. As such, banks need to plan, implement and maintain a comprehensive programme of risk prevention, detection, analysis and management.
The @stake Basel II team believes that, with the right digital risk approach delivering on the measures required, Basel II provides a unique opportunity for financial services organisations to build an enterprise in which business systems are truly connected, available and secure. But doing so requires a rigorous step-by-step approach.
"The key task is to be able to move from ignorance through negligence and onto compliance in what are now very tight timescales," adds Kapuria.
@stake's 5x5 Blueprint - Basel II
In order to prepare for digital information security conformance, @stake has prepared the 5x5 Blueprint for achieving a successful compliance implementation once the requirements presented by Basel II are clearly understood by the institution.
1. Identification - the scope of corporate compliance and risk management
- Identify individual operational processes, people and technology.
- Identify critical technology infrastructure that enables corporate operations.
- Identify areas of operational risk - for instance, digital assets and information.
- Identify business dependencies on digital assets.
- Identify third-party relationships - those who control, access or manage digital assets and/or operational responsibilities.
2. Assessment - defining a current state
- Assess legal requirements - domestic and international compliance requirements, service level agreements, client contracts.
- Assess business requirements - information privacy, availability and integrity.
- Assess operational capabilities - employee skillset, existing infrastructure and processes.
- Assess risk tolerances - corporate risk posture, compliance adherence goals.
- Assess threats and vulnerabilities in the existing IT environment - including applications, networks, operational procedures and policies.
3. Development - producing a taxonomy for evaluation and prioritisation
- Rank business functions and requirements based on information type, reliance and criticality.
- Conduct gap analyses - map the organisation's capabilities against compliance goals.
- Map critical business functions to results from risk assessments.
- Identify short-term and long-term goals, based on prioritisation results.
- Highlight areas that have high levels of risk and are critical to corporate operations; identify these as urgent and address them first.
4. Compartmentalisation - develop clear risk zones and return on risk management
- Utilise the previously defined taxonomy as a skeleton for architecting risk zones based on information criticality and threats.
- Compartmentalise information into zones, thereby localising exposures and diluting the effects of a breach.
- Use zone architectures to enable the organisation to focus its risk management efforts and expenditures by reducing the scope of remediation to areas of need, and so reduce the scope of required capital set-asides.
- Employ the zone architecture to balance risk prevention, detection, response and management requirements.
- Decide whether a zone contains critical information and requires a portfolio of comprehensive prevention, detection, response and management, or whether a zone is of low criticality and might only require detection and response postures.
- Use new risk-detection capabilities for ongoing monitoring.
- Provision risk logging to meet reporting requirements.
- Maintain ongoing information security feeds to monitor evolving risks and future threats.
- Establish and test incident readiness capabilities.
- Conduct regular reviews of the operational risk management posture, incorporating external and internal changes within the organisation - for instance, change management and patch management processes.
"Many facets influence an industry's digital risk management needs. Considerations of the commercial environment, intellectual property protection, data privacy, and reputation preservation are several elements that determine the extent and type of risk associated with a particular corporate profile. In the financial services market all of these elements and more are critical, which has led to a relatively mature understanding of the need for effective risk management within the sector.
"As such, the financial services sector is closely monitored as a model for other verticals to manage risk. The processes and outcomes to achieve compliance to the Basel II Accord will undoubtedly act as a framework for the risk management in other industries, and the lessons for the management of risk and information security professionals should be learned now," added Kapuria.
About @stake, Inc.
@stake, Inc., the premier digital security consulting firm, provides security services and award-winning products to assess and manage risk in complex enterprise environments. @stake clients include six of the world's top ten financial institutions, four of the world's top ten independent software companies and seven of the world's top ten telecommunication carriers. Headquartered in Cambridge, MA, @stake has offices in Chicago, London, New York, Raleigh, San Francisco, and Seattle. For more information, go to www.atstake.com.
For further information please contact:
Tel: 0207 298 7063
Tel: 0207 298 7113
This press release was distributed by ResponseSource Press Release Wire on behalf of Pleon in the following categories: Consumer Technology, Personal Finance, Business & Finance, Computing & Telecoms. For more information visit https://pressreleasewire.responsesource.com/about.