Compliances

User Account Management and Governance for FISMA and ISO 27001 Audit

Download free User Account Management for FISMA and ISO 27001 Audit
Objectives
- The organization manages information system accounts, including authorizing, establishing, activating, modifying, reviewing, disabling, and removing accounts;
- The organization defines in the security plan, explicitly or by reference, the frequency of information system account reviews and the frequency is at least annually;
- The organization reviews information system accounts in accordance with organization-defined frequency; and
- The organization initiates required actions on information system accounts based on the review.

IT Security Governance Implementation Strategy Checklist
Download free IT Security Governance Implementation Strategy Checklist:
1. Define and enumerate the desired outcomes for the information security program
2. Determine the objectives necessary to achieve those outcomes
3. Describe the attributes and characteristics of the desired state of security

Information Security Memorandum of Understanding (MOU) / Memorandum of Agreement (MOA)
Download free Information Security Memorandum of Understanding (MOU) / Memorandum of Agreement (MOA). The purpose of this memorandum is to establish a management agreement between "Organization A" and "Organization B" regarding the development, management, operation, and security of a connection between "System A," owned by Organization A, and "System B," owned by Organization B. This agreement will govern the relationship between Organization A and Organization B, including designated managerial and technical staff, in the absence of a common management authority.

Basel II Effective Risk Management Control, Measurement and Validation Checklist

Effective risk management and control
• Banks must meet a series of qualitative standards, including: the existence of an independent risk control and audit function, effective use of risk reporting systems, active involvement of board of directors and senior management, and appropriate documentation of risk management systems.
• Banks must establish an independent operational risk management and control process, which covers the design, implementation and review of its operational risk measurement methodology. Responsibilities include establishing the framework for the measurement of operational risk and control over the construction of the operational risk methodology and key inputs.
• Banks' internal audit groups must conduct regular reviews of the operational risk management process and measurement methodology.

Measurement and validation
• Banks must have appropriate risk reporting systems to generate data used in the calculation of a capital charge and the ability to construct management reporting based on the results.
• Banks must begin to systematically track relevant operational risk data by business line across the firm. It should be noted that the ability to monitor loss events and effectively gather loss data is a basic step for operational risk measurement and management and is a prerequisite for movement to the more advanced regulatory approach.
• Banks will have to develop specific, documented criteria for mapping current business lines and activities into the standardised framework. In addition, a bank should regularly review the framework and adjust for new or changing business activities and risks as appropriate.

Expected vs. Unexpected Losses (EL/UL)

In line with other banking risks, conceptually a capital charge for operational risk should cover unexpected losses due to operational risk. Provisions should cover expected losses. However, accounting rules in many countries do not appear to allow a robust, comprehensive and clear approach to setting provisions, especially for operational risk. Rather, these rules appear to allow for provisions only for future obligations related to events that have already occurred. In particular, accounting standards generally require measurable estimation tests be met and losses be probable before provisions or contingencies are actually booked.

In general, provisions set up under such accounting standards bear only a very small relation to the concept of expected operational losses. Regulators are interested in a more forward-looking concept of provisions.

There are cases where contingent reserves may be provided that relate to operational risk matters. An example is costs related to lawsuits arising from a control breakdown. Also, there are certain types of high frequency/low severity losses, such as those related to credit card fraud, that appear to be deducted from income as they occur. However, provisions are generally not set up in advance for these.
