Risk Management

Summary of Massachusetts Privacy Law Security Standards

Massachusetts Privacy Law Security Standards:
- Written information security program
- Passwords, encryption for laptops
- Risk assessments
- Security policies around records retention
- Policies and procedures to prevent terminated employees from gaining access
- Physical access control policies and procedures
- Security incident response policies
- Monitoring for unauthorized access
- Encryption of PII on laptops and other portable devices
- Encryption of PII data in transmission

Effective: 1 January 2009

Download Free SLA Contract Templates for IP VPN Services

Download Free Service Level Agreement Contract for Internet Protocol Virtual Private Network Dedicated
Service Level Agreement
Network Availability Guarantee
The Network Availability Guarantee will apply to each dedicated Internet access connection in the contiguous United States ordered as part of IP VPN service, provided that references in that Network Availability Guarantee to credits calculated on the basis of a monthly fee shall mean the monthly fee for the dedicated Internet access connection for which that Network Availability Guarantee was not met—not the entire monthly fee for the IP VPN service.

Network Latency Guarantee
The U.S. Network Latency Guarantee will apply to each dedicated Internet access connection in the contiguous United States ordered as part of IP VPN service, provided that references in that Network Latency Guarantee to credits calculated on the basis of a monthly fee shall mean the monthly fee for the dedicated Internet access connection for which that Network Latency Guarantee was not met, not the entire monthly fee for the IP VPN service.

Outage Reporting Guarantee
The Outage Reporting Guarantee will apply to each dedicated Internet access connection in the contiguous United States ordered as part of the IP VPN service, provided that references in that Outage Reporting Guarantee to credits calculated on the basis of a monthly fee shall mean the monthly fee for the dedicated Internet access connection for which that Outage Reporting Guarantee was not met, not the entire monthly fee for the IP VPN service.

Information Security Strategic Plan Objective

Download Free Information Security Strategic Plan Objective
Information Security Strategic Plan Objective
- Minimize risks to systems and information
- Minimize impact to costs
- Minimize impact to schedules
- Assist in meeting contractual requirements

Risk Assessment Training Framework

Download Free Risk Assessment Training Framework
Phase 1. Needs Assessment
Step 1. Characterize IT Environment

Basel II Effective Risk Management Control, Measurement and Validation Checklist

Effective risk management and control
• Banks must meet a series of qualitative standards, including: the existence of an independent risk control and audit function, effective use of risk reporting systems, active involvement of board of directors and senior management, and appropriate documentation of risk management systems.
• Banks must establish an independent operational risk management and control process, which covers the design, implementation and review of its operational risk measurement methodology. Responsibilities include establishing the framework for the measurement of operational risk and control over the construction of the operational risk methodology and key inputs.
• Banks' internal audit groups must conduct regular reviews of the operational risk management process and measurement methodology.

Measurement and validation
• Banks must have appropriate risk reporting systems to generate data used in the calculation of a capital charge and the ability to construct management reporting based on the results.
• Banks must begin to systematically track relevant operational risk data by business line across the firm. It should be noted that the ability to monitor loss events and effectively gather loss data is a basic step for operational risk measurement and management and is a pre-requisite for movement to the more advanced regulatory approach.
• Banks will have to develop specific, documented criteria for mapping current business lines and activities into the standardised framework. In addition, a bank should regularly review the framework and adjust for new or changing business activities and risks as appropriate.
