Saturday, 14 June 2014

Key Selected Financial Services IT Regulatory Requirements

Below is an incomplete list of key selected financial services IT regulatory requirements that should be considered when developing an IT risk and controls or assessing IT risks and controls. This list is by no means complete and I am working on a more comprehensive list and associated mappings that I will share in due course. I thought I'd share as I developed the list and I hope this is found to be useful. If anyone has any feedback or additional regulatory requirements they'd like to see in this list please let me know. This may be used as guidance but you should do your due diligence to ensure that you've looked at all the relevant regulations for your particular organisation.

Key IT risk and control regulations and associated guidance as at June 2014

  • Sarbanes Oxley Act 2002 Section 404 (SOX 404)
    • States management responsibility for establishing and maintaing “adequate” and “effective” internal controls and this being independently attested to annually. The controls in scope were historically derived from the guidance from PCAOB AS2 which has now been superseded by AS5 (see PCAOB in this article)
  • Gramm-Leach-Bliley Act of 1999 (GLBA)
    • Section 6801 and section 6805 in Title 15 of the US Code applies the Gramm-Leach-Bliley Act of 1999 (GLBA) to financial institutions including Bank holding companies.
    • Section 501(a) of the GLBA sets out the “Privacy obligation policy” which requires that financial institutions have an obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ nonpublic personal information.
    • Section 501(b) of the GLBA introduced the “Financial Institutions Safeguards” requirement that requires financial institutions implement administrative, technical, and physical safeguards to ensure the confidentially, security and integrity of customer information
    • Further guidance as to how to establish these safeguards is provided by CFR Regulation Y - Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards. These guidelines were developed by the Member agencies of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC published examination handbooks that apply to the examination of a financial institution's operations and all related data, and serves as a supplement to the agencies' GLBA 501 expectations
  • FFIEC IT Examination Handbooks
    • The FFIEC IT Examination Handbooks cover examinations of IT controls pertaining to Audit, Business Continuity Planning, Development and Acquisition, E-Banking, Information Security, Management, Operations, Outsourcing Technology Services, Retail Payment Systems, Supervision of Technology Service Providers (TSP) and Wholesale Payment Systems.
    • These handbooks define a number of IT controls along with supplementary guidance such as referencing Cobit and ISO 27002 as external guidance in the IT Handbook for Information Security.
  • FINRA Rule 1230(b)(6) stipulates that senior management or their designated persons are responsible for covered operations which includes:
    • At Rule 1230(b)(6)(xiii) definition and approval of sales and trading systems and other systems related to FINRA covered functions and validation that these systems meet the defined and approved business requirements.
    • At Rule 1230(b)(6)(xiv) definition and approval of business security requirements and policies for information technology, including, but not limited to, systems and data, related to covered functions; and
    • At Rule 1230(b)(6)(xv) definition and approval of information entitlement policies relating to covered functions;
  • PCAOB Auditing Standard 5 “An Audit of Internal Control Over Financial Reporting That Is Integrated with An Audit of Financial Statements”
    • Provides guidance to auditors in attesting to a companies internal controls including IT specifically recommending the auditor should understand how IT affects the company's flow of transactions and apply paragraph 29 and Appendix B of Auditing Standard No. 12, Identifying and Assessing Risks of Material Misstatement. These standards are primary standards used in undertaking assessments of internal controls in the US.
  • Office of the Comptroller for the Currency Bulletins (OCC)
    • OCC Bulletin 2013-29 (October 2013) provides risks management guidance with respect to third party relationships including coverage of the topics of information security, management of information systems and reslience. The OCC “expects” that banks monitor third parties as an ongoing process and that this should include “information technology used for the management of information systems” and “the ability to respond to and recover from service disruptions or degradations and meet business resilience expectations”
    • OCC Bulletin 2006-39 requires that information security and data protection be maintained for Automated Clearing Houses (ACHs)
    • OCC Bulletin 2008-16 (May 2008) “expands” on the FFIEC Handbook on Information Security and Development and Acquisition by “reminding” banks and their technology service providers that all applications whether internally developed, vendor acquired or contracted for, should be subject to appropriate security assessment and mitigation processes. The key factors this issuance outlines that should be considered are:
      • Accessibility of the application via the internet
      • Whether the application processes or provides access to sensitive data
      • How the application is developed (in-house, vendor acquired or contracted for)
      • Extent that security practices are used in the application's development process
      • Existence of an effective on-going vulnerability management process
      • Existence of periodic independent application security assurance
  • Federal Reserve Guidance on Managing Outsourcing Risk (December 2013)
  • Health Insurance Portability and Accountability Act 1996 (HIPAA) requires that a person who maintains or transmits health information is required to maintain reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of that information.
  • Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) Stress Tests (DFASTs) and the Federal Reserve's Comprehensive Capital Analysis and Review (CCAR) stress tests. The Dodd-Frank Act and Federal Reserve Board requires that effective systems and controls are maintained to provide accurate and reliable reporting required for these annual stress tests returns.
    • Section 165(i)(2) of the Dodd-Frank Act requires national banks and federal savings associations with total consolidated assets of over $10b to conduct an annual stress test. The stress test rule 12 CFR 46
    • The FRB also requires annual CCAR Stress Tests

  • Combined FCA and PRA Prudential Handbook
    • PRIN 2.1 Principle 2 - Skill, care and diligence: A firm must conduct its business with due skill, care and diligence.
    • PRIN 2.1 Principle 3 - Management and control: A firm must take reasonable care to organise and control its affairs responsibly and effectively, with adequate risk management systems.
    • Rule SYSC 3.1.1 R requires that a firm must take reasonable care to establish and maintain such systems and controls as are appropriate to its business and that per guidance 3.1.2 G (2) the firm should regularly review these systems and controls.
    • Rule SYSC 3.1.6 R requires a firm take reasonable care to establish and maintain effective systems and controls for compliance with applicable requirements and standards under the regulatory system and for countering the risk that the firm might be used to further financial crime. Furthermore rule 3.2.6C R requires these systems and controls are regularly reviewed.
    • SYSC 3.2.5 G states that where it is made possible and appropriate by the nature, scale and complexity of its business, a firm should segregate the duties of individuals and departments in such a way as to reduce opportunities for financial crime or contravention of requirements and standards under the regulatory system. For example, the duties of front-office and back-office staff should be segregated so as to prevent a single individual initiating, processing and controlling transactions.
    • SYSC 3.2.7 G (1) states that depending on the nature, scale and complexity of its business, it may be appropriate for a firm to have a separate compliance function. The organisation and responsibilities of a compliance function should be documented. A compliance function should be staffed by an appropriate number of competent staff who are sufficiently independent to perform their duties objectively. It should be adequately resourced and should have unrestricted access to the firm's relevant records as well as ultimate recourse to its governing body.
    • SYSC 3.2.11A G (2) outlines risks of regulatory concern being those that relate to the fair treatment of the firm's customers, to the protection of consumers, to effective competition and to the integrity of the UK financial system. Risks which are relevant to the integrity of the UK financial system include risks which relate to its soundness, stability and resilience and to the use of the system in connection with financial crime.
    • SYSC 3.2.15 G sates that a firm should have an audit committee
    • SYSC 3.2.19 G sates that a firm should have appropriate business continuity arrangements in place
    • Rule SYSC 3.2.20 R (1) requires that a firm take reasonable care to make and retain adequate records of matters and dealings (including accounting records) which are the subject of requirements and standards under the regulatory system. Guidance at 3.2.21 G states A firm should have appropriate systems and controls in place to fulfil the firm's regulatory and statutory obligations with respect to adequacy, access, periods of retention and security of records. The general principle is that records should be retained for as long as is relevant for the purposes for which they are made.
    • Rule SYSC 4.1.1 R (1) requires that a (1) A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems.
    • SYSC 4.1.4 R requires that a firm must, taking into account the nature, scale and complexity of the business of the firm, and the nature and range of the financial services and activities undertaken in the course of that business. The rule goes on to include governance and management reporting and internal controls for all areas of the firm (that includes IT).
    • SYSC 4.1.5 R requires that a MiFID investment firm and a management company must establish, implement and maintain systems and procedures that are adequate to safeguard the security, integrity and confidentiality of information, taking into account the nature of the information in question.
    • SYSC 4.1.6 R requires that a common platform firm must take reasonable steps to ensure continuity and regularity in the performance of its regulated activities. To this end the common platform firm must employ appropriate and proportionate systems, resources and procedures.
    • SYSC 4.1.7 R requires that a common platform firm and a management company must establish, implement and maintain an adequate business continuity policy aimed at ensuring, in the case of an interruption to its systems and procedures, that any losses are limited, the preservation of essential data and functions, and the maintenance of its regulated activities, or, in the case of a management company, its collective portfolio management activities, or, where that is not possible, the timely recovery of such data and functions and the timely resumption of those activities.
    • SYSC 4.1.7A G guidance states that other firms should take account of the business continuity rules (SYSC 4.1.6 R and 4.1.7 R) as if they were guidance (and as if "should" appeared in those rules instead of "must") as explained in SYSC 1 Annex 1.3.3 G. Guidance at SYSC 4.1.8 G highlights that systems and IT process would be included in the requirements of SYSC 4.1.7 R.
    • SYSC 4.1.9 R requires the timely delivery of accounting reports including financial statements compliant with accounting standards. This necessarily requires availability of accounting information systems.
    • SYSC 4.1.10 R requires that A common platform firm and a management company7 must monitor and, on a regular basis, evaluate the adequacy and effectiveness of its systems, internal control mechanisms and arrangements established in accordance with SYSC 4.1.4 R to SYSC 4.1.9 R and take appropriate measures to address any deficiencies.
    • SYSC 4.1.13 G states that firms should also consider the additional guidance on risk-centric governance arrangements for effective risk management contained in SYSC 21 G SYSC 21.1 provides guidance on risk governance and control arrangements.
    • SYSC 13 provides rules and guidance for insurers on operational risk systems and controls. Specifically, SYSC 13.7.6 G states that a firm should establish and maintain appropriate systems and controls for the management of its IT system risks.
    • SYSC 14 provides further guidance for insurers with respect to he establishment and maintenance of systems and controls for the management of a firm's prudential risks
    • SYSC 6.1.1 R and SYSC 6.1.2 R require that a firm must establish, implement and maintain adequate policies and procedures sufficient to ensure compliance of the firm including its managers, employees and appointed representatives (or where applicable, tied agents) with its obligations under the regulatory system and for countering the risk that the firm might be used to further financial crime.
    • 6.2.1 R requires firms to setup an independent internal audit function responsible for evaluating the adequacy and effectiveness of internal controls
    • SYSC 7.1.2 R requires that common platform firms implement risk management policies and procedures including effective risk assessment procedures to identify risks relating to activities, processes and systems. SYSC 7.2.3 G advises that other firms should also apply SYSC 7.1.2 R.
    • SYSC 7.1.5 R, SYSC 7.1.6 R and SYSC 7.1.7 R require a common platform firm to monitor the adequacy, effectiveness and compliance level for its internal controls along with any remediation to achieve adequacy, effectiveness and compliance.
    • SYSC 7.1.7A G advises that the SYSC 7.1.5 R, SYSC 7.1.6 R and SYSC 7.1.7 R should apply to all firms.
    • 7.1.16 R requires that a BIPRU firm must implement policies and processes to evaluate and manage the exposure to operational risk, including to low-frequency high severity events. Without prejudice to the definition of operational risk, BIPRU firms must articulate what constitutes operational risk for the purposes of those policies and procedures.
    • 7.1.17 R, 7.1.18 R and 7.1.21 R require that a CRR firm establish a risk management function, framework and committee.
    • SYSC 8.1 stipulates requirements and guidance for managing risks associated with outsourcing. This section also makes it clear that the firm remains fully responsible for discharging all of its obligations under the regulatory system.
    • 9.1.1 R A firm must arrange for orderly records to be kept of its business and internal organisation, including all services and transactions undertaken by it, which must be sufficient to enable the appropriate regulator or any other relevant competent authority under MiFID or the UCITS Directive3 to monitor the firm's compliance with the requirements under the regulatory system, and in particular to ascertain that the firm has complied with all obligations with respect to clients.
    • 9.1.2 R A common platform firm 4must retain all records kept by it under this chapter in relation to its MiFID business for a period of at least five years.
    • 9.1.3 R In relation to its MiFID business, a common platform firm must retain records in a medium that allows the storage of information in a way accessible for future reference by the appropriate regulator or any other relevant competent authority under MiFID, and so that the following conditions are met:
      • (1) the appropriate regulator or any other relevant competent authority under MiFID must be able to access them readily and to reconstitute each key stage of the processing of each transaction;
      • (2) it must be possible for any corrections or other amendments, and the contents of the records prior to such corrections and amendments, to be easily ascertained;
      • (3) it must not be possible for the records otherwise to be manipulated or altered.
    • SYSC 9.1.5 G In relation to the retention of records for non-MiFID business, a firm should have appropriate systems and controls in place with respect to the adequacy of, access to, and the security of its records so that the firm may fulfil its regulatory and statutory obligations. With respect to retention periods, the general principle is that records should be retained for as long as is relevant for the purposes for which they are made.
  • Data Protection Act 1998 requires that organisations keep personal information confidential and apply the 8 data protection principles. Particularly principle 7 requires that appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

European Union
  • EU Data Protection Directive 95/46/EC (proposed to be superseded in 2014 by the General Data Protection Regulation)
  • Directive 2002/95/EC (issued 2003) on the Restriction of the use of certain Hazardous Substances in electrical and electronic equipment (RoHs). This rlates to the use and disposal of certain IT infrastructure that contains hazardous substances.
  • MiFID (Directive 2004/39/EC) Article 13 Operational Requirements require that an investments firm establish and maintain an effective governance and controls relating to its operations including information processing and ensure effective controls and safeguard arrangements for information processing systems.
  • Directive 2006/73/EC implements the 2004 MiFID directive and with Article 5 – General Organisational Requirements (1)(c) stating that “Member States shall require investment firms to comply with the following requirements: to establish, implement and maintain adequate internal control mechanisms designed to secure compliance with decisions and procedures at all levels of the investment firm”. Additionally (5) states “Member States shall require investment firms to monitor and, on a regular basis, to evaluate the adequacy and effectiveness of their systems, internal control mechanisms and arrangements established in accordance with paragraphs 1 to 4, and to take appropriate measures to address any deficiencies.”

  • Financial Instruments and Exchange Act 2006 (J-SOX)
    • Article 24-4-4(1) Requires an internal control report to be provided
  • Part 5 of the Japan FSA “Inspection Manual for Financial Instruments Business Operators” deals specifically with a company's IT Risk Management System. The scope of this guidance is IT risk management policy development specifically mentioning information security policy and IT outsourcing policy development. IT also pertains to IT operations and systems development or acquisition.

  • Bill 198 2002 (C-SOX) enforced by the Canadian Securities Administrators (CSA) and Multilateral Instrument MI 52-109. MI 52-109 requires the CEO and CFO personally certify that they have designed, or supervised the design of, internal controls and that those controls provide reasonable assurance that the financial statements are fairly presented and comply with generally accepted accounting principles (GAAP) and that these were operating effectively over the relevant reporting period.

  • CLERP9 2004
  • Privacy Act requires that personally identifying information be kept confidential by organisations processing such information.
  • Office of the Australian Information Commissioner defines a set of Australian Privacy Principles (APPs) that should be complied with

  • Monetary Authority of Singapore (MAS) “Technology Risk Management Notices” outlined in the MAS TRM Notices FAQ A1
    • MAS Technology Risk Management guidelines 21 June 2013 and associated checklist

Hong Kong
  • HKMA Supervisory Policy Manual module “General Principles for Technology Risk Management”
  • HKMA Supervisory Policy Manual module “Supervision of E-Banking”
  • HKMA Supervisory Policy Manual module “Business Continuity Planning”
  • SFC (16 March 2010 Circular)
  • Personal Data (Privacy) Ordinance

International Guidance
  • COSO Internal Control - Integrated Framework May 2013 defines Internal control as consisting of five integrated components that apply to the “operations, reporting and compliance” objectives for the four levels within the organisation “Entity level, Division, Operating Unit and Function”. These are:
    • Control Environment – covers setting up control structures, responsibilities and accountabilities
    • Risk Assessment – covers ensuring the is an adequate and effective risk management system
    • Control Activities – has a specific objective 11 that states: “The organization selects and develops general control activities over technology to support the achievement of objectives.” and at objective 12 “The organization deploys control activities through policies that establish what is expected and procedures that put policies into action.”
    • Information and Communication – relates to ensuring that there is information captured to report on the adequacy and effectiveness of internal control and that this is communicated to appropriate management
    • Monitoring Activities – provides guidance that organisations will monitor their internal controls to ensure they are “present and functioning” and that deficiencies are remediated appropriately
  • COSO Enterprise Risk Management (ERM) 2014
  • Cobit 5 is an umbrella IT Risk and Control Framework that encompasses almost all the regulatory requirements and better practices relating to IT. Cobit 5 consists of 1,111 control activities that map to 210 control practices that map to 37 control processes split under 5 control domains. The five domains are:
    • EDM – Evaluate, Direct and Monitor – This comprises the governance activities
    • APO – Align, Plan and Organise – This comprises higher level IT management activities
    • BAI – Build, Acquire and Implement – This comprises systems acquisition and development activities
    • DSS – Deliver, Service and Support – This comprises it service management activities
    • MEA – Monitor, Evaluate and Assess – This comprises risk and control activities
  • ITIL v3 published in 2011 consists of 5 core areas:
    • Service Strategy
      • IT service management
      • Service portfolio management
      • Financial management for IT services
      • Demand management
      • Business relationship management
    • Service Design
      • Design coordination
      • Service Catalogue management
      • Service level management
      • Availability management
      • Capacity Management
      • IT service continuity management
      • Information security management system
      • Supplier management
    • Service Transition
      • Transition planning and support
      • Change management
      • Service asset and configuration management
      • Release and deployment management
      • Service validation and testing
      • Change evaluation
      • Knowledge management
    • Service Operation
      • Event management
      • Incident management
      • Request fulfilment
      • Problem management
      • Identity management
    • Continual Service Improvement
      • Identify the strategy for improvement
      • Define what you will measure
      • Gather the data
      • Process the data
      • Analyse the information and data
      • Present and use the information
      • Implement improvement
  • ISO 27002:2005 – Code of Practice for Information Security Management
    • Contains 39 control objectives and further guidance for the following security domains:
      • (a) security policy
      • (b) organisation of information security
      • (c) asset management
      • (d) human resources security
      • (e) physical and environmental security
      • (f) communications and operations management
      • (g) access control
      • (h) information systems acquisition, development and maintenance
      • (i) information security incident management
      • (j) business continuity management; and
      • (k) compliance
  • ISO 27001:2005 – Information Security Management System Requirements
    • Established the “Plan-Do-Act-Check” model to establish, maintain, montior and improve the Information Security Management System (ISMS)
  • ISO 15408 – Evaluation Criteria for Information Technology Security
    • Sets out the “Common Criteria” for providing security assurance. Assurance criteria are categorised into the following classes:
      • ACM – Configuration management
      • ADO – Delivery and operation
      • ADV – Development
      • AGD – Guidance documents
      • ALC – Life cycle support
      • ATE – Tests
      • AVA – Vulnerability assessment
  • ISO 38500 – Corporate Governance of IT is based on 6 principles that each have an “Evaluate”, “Direct” and “Monitor” dimension as with the Cobit 5 EDM processes:
    • Responsibility
    • Strategy
    • Acquisition
    • Performance
    • Conformance
    • Human behaviour
  • ISO 90003:2004 – Software Engineering – Guidelines for the application of ISO 9001:2000 to computer software sets the standard for maintaining a software development quality management systems to ensure that software is developed to required quality standards.
  • Payment Card Industry Data Security Standard (PCI DSS) developed by the Payment Cards Industry Standards Council (including American Express, Visa, Mastercard, Discover and JCB). The “PCI DSS Requirements and Security Assessment Procedures” published November 2013 contains the requirements and associated test procedures and guidance.
    • The standard consists of 12 requirements categorised under the following 6 areas:
      • (1) Build and maintain a secure network
      • (2) Protect cardholder data
      • (3) Maintain a vulnerability management program
      • (4) Implement strong access control measures
      • (5) Regularly monitor and test networks
      • (6) Maintain and information security policy
  • International Standard on Auditing 315 (ISA 315) - Identifying and assessing the risks of material misstatement through understanding the entity and its environment requires an auditor in signing off the financial statements requires that the auditor identify and assess the risks of material misstatement, whether due to fraud or error, at the financial statement and assertion levels, through understanding the entity and its environment, including the entity’s internal control. This assessment is to include the information systems and technology involved in producing the financial reporting and associated balances.

I am currently working on a mapping document (which includes further expansion of these jurisdictions and adding some others) that would provide the baseline controls required to meet these regulatory obligations and then also identify the further industry practice controls that would be considered better practice. Please let me know if you know of further regulations to add to this list and I will research these and add them where appropriate. Watch this space...

Sunday, 8 June 2014

Book Review: The Meaning of Things - A. C. Grayling

Title: The Meaning of Things: Applying Philosophy to Life
Author: A. C. Grayling
Publisher: Phoenix 2002
ISBN: 0-75381-359-9

I've recently finished reading this book and thought I'd give a brief review to let others know about such an interesting read:

Grayling has presented an eclectic yet related set of important topics in an easy to read and reference form. He ranges from "Virtues and Attributes", "Foes and Fallacies" and "Amenities and Goods". Grayling covers topics under "Virtues and Attributes" such as moralising, tolerance, civility, love and happiness. Under "Foes and Fallacies he covers such topical subjects as nationalism, racism, hate, revenge, faith, poverty and capitalism. Grayling finally ends the book by discussing points on reason, education, ambition, health, reading, memory, history and family under the heading of "Amenities and Goods".

Grayling has approached the subject drawing from and citing many sources while still providing his own take on these matters. Grayling is opinionated (in a positive sense) and writes with a liveliness and wit that makes what he's saying spring from the page. Well worth the read if only to get you thinking on the subjects he's presented.

Wednesday, 28 May 2014

The importance of COSO and COBIT and some thoughts on implementation

The US Securities and Exchange Commission in its final rule relating to "Management's Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports" available at: states:

"The COSO Framework satisfies our criteria and may be used as an evaluation framework for purposes of management's annual internal control evaluation and disclosure requirements. However, the final rules do not mandate use of a particular framework, such as the COSO Framework, in recognition of the fact that other evaluation standards exist outside of the United States,67 and that frameworks other than COSO may be developed within the United States in the future, that satisfy the intent of the statute without diminishing the benefits to investors"

 In May 2013 COSO updated the COSO Framework with the SEC recognising this and subsequently advising at

"The staff indicated that the longer issuers continue to use the 1992 framework, the more likely they are to receive questions from the staff about whether the issuer’s use of the 1992 framework satisfies the SEC's requirement to use a suitable, recognised framework"

This guidance essentially states that users of the 1992 version of the framework will have to justify why they are using this instead of the 2013 Framework. This guidance also establishes COSO as the most recognised framework for internal control hence the reason why this framework has been adopted by most SEC filers.

The 2013 COSO Framework was developed in combination with ISACA as a member of the COSO Advisory Council. ISACA maintain and publish the COBIT Framework (Control Objectives for IT) and have also published guidance that links the new May 2013 COSO Framework covering enterprise control to the new COBIT5 Framework covering IT control.

So what does this mean? It means that for SEC filers internal and external auditors will likely use COSO and COBIT guidance to assess the adequacy of the filer's control environment and effectiveness of its controls. In my experience and the experience of a number of audit, risk and regulatory compliance professionals I have found this to be the case in practice.

In practice I have not seen an organisation try and adopt the whole COSO or COBIT framework as it is, but rather I have seen that organisations have used these frameworks to undertake gap analyses of their respective current control environments and looked to COSO and COBIT for guidance as to how to fill these gaps.

I have seen internal and external assurance professionals use COSO and COBIT as the basis for their assessments of the adequacy and effectiveness of organsisations' internal controls.

Any control implementation or assurance activity based on these frameworks needs to be mindful that these frameworks are guidance and are purposely built to be generic. The key is understanding your organisation's value chain to your customer, regulatory environment and the risks to delivering this value or not complying with regulations and cultural norms and mores, then implementing a control framework that responds to these risks.

Friday, 23 May 2014

ICO Report: Protecting personal data in online services

A useful report from the ICO on data breaches drawn from their experience:

"The Information Commissioner’s Office (ICO) has published a new security report highlighting eight of the most common IT security vulnerabilities that have resulted in organisations failing to keep people’s information secure."

 ICO Report

The ICO have highlighted the key eight areas that they have found result in data leakage:

  • Software updates 
  • SQL injection 
  • Unnecessary services 
  • Decommissioning of software or services 
  • Password storage 
  • Configuration of SSL and TLS 
  • Inappropriate locations for processing data 
  • Default credentials
Appendix B also contains some interesting information on how long it takes to crack varying length and complexity passwords.

An extract is:

Wednesday, 23 April 2014

Risk Management: Finding agreement on risk and controls

One of the primary activities of a risk management professional is to have conversations with organisation stakeholders to understand risks and what needs to be done to manage these risks.

These conversations can involve trying to reach agreement on the existence of risks and then subsequent risk management activity required. Recognising a risk and working out what to do about it requires, at times, considerable effort that could otherwise go into delivery of mission critical projects and business as usual activity that stakeholders' performance is measured against. Why would a stakeholder spend time on activities they are not measured against?

As a risk management professional, you need to answer this "Why?" question in a compelling way. To answer this question you need to understand the organisation's objectives. You then need to couch your risk analysis and articulation of the risk and impact in terms of how these will impact the organisation's objectives. When I talk about organisation objectives, these may be top level or lower level objectives from the top level organisation or a single department within the organisation. Selection of the appropriate objectives depends on your stakeholder. You need to identify an objective as close as possible to your stakeholder. This is easier if you have a mandatory policy framework that has been approved at the highest levels and that all staff must comply with, but becomes challenging where this doesn't exist or is evolving. If you have a mandatory policy it will generally have an objective that everyone must support. If this doesn't exist or is evolving you need to outline what the objective is and link it to the stakeholder's objective in a clear, compelling and self evident way. This is where good risk articulation is important and understanding that risk is the effect of uncertainty on objectives, comes into play.

Understanding this, the conversation needs be be preceded with youself understanding the relevant objectives, articulating a baseline risk that makes it very clear what the effect on the objectives might be; and as much as possible quantify this with relevant facts such as estimated loss or frequency of similar risks materialising in the organisation or industry. This helps to paint the picture for the stakeholder.

One thing you need to remember is not to ne wedded to your initial risk articulation. Your conversations with stakeholders will provide you with valuable insights that need to be incorporated into your risk analysis and associated risk articulation. Your stakeholders will also likely have pragmatic and valuable suggestions for controlling the risks they deal with day to day. You need to seriously consider this. One of the biggest causes of disagreement I have seen in my experience is risk professionals swooping in with theoretical notions of risk and controls without considering what happens on the ground already to address risks or suggesting best practice controls while not considering pragmatism and sizing.

You need to work side by side with your stakeholders to understand their objectives and how these tie into the objective of the organisation to manage risks. You need to understand their business and how they may already be managing their risks and try to leverage this where feasible. And finally, keep the conversations going to identify any gaps as they arise and opportunities to make risk management more efficient and effective, alongside your stakeholders.

Failing all of the above, if you find yourself dealing with an intransigent stakeholder, sometimes the best way to advance is to escalate your case and follow the same approach with the next level up. If you have the support of a broader risk management function then use this also as good working relationships may already exist at your management's level.

Friday, 18 April 2014

Review of Wealth of Nations - Part 1

Title: Wealth of Nations (Wordsworth Classics of World Literature)
Author: Adam Smith
Pages: 1008 pages
Publisher: Wordsworth Editions Ltd.; Classic World Literature edition (5 July 2012)
Language: English
ISBN-10: 1840226889
ISBN-13: 978-1840226881

The Wealth of Nations is composed of five books each with a number of chapters. I figured I'd share what I've learned from my reading of the book as I go. So here it is for the first 7 chapters which set the scene before some of the more detailed text.

Overall, Smith has a fairly easy turn of phrase and the language used in the book is not archaic even though it was published in the 1700s. It is easy enough to follow and dwells on the fundamentals to ensure that the reader has fully grasped these prior to moving on in the book. I thought I'd try to summarise what each chapter is trying to say in this review to give an idea of how Smith has developed this work.

Book 1 - Introduction and Chapter 1:

Smith establishes labour as the fundamental basis of national economic output (commodities). Smith advises that the national economic output will be regulated by a) the way in labour is applied, and b) the level of employment. Smith highlights how specialisation and the division of labour has enabled the production of many of the commodities of life (such as glazed windows) which would not have been possible for any one person to produce for themselves within their lifetime to the same standard.

Book 1 - Chapter 2:

Smith recognises people's "almost constant occasion for the help of his bretheren". He recognises that people's ability to "truck, barter and exchange" goods and services to satisfy their needs and wants, enables the division of labour described in the first chapter to be useful to those specialising in the production of one sort of good or service.

Book 1 - Chapter 3:

Smith draws the conclusion that the division of labour is limited by the extent of the market for goods and services. He highlights that denser population centres will give rise to greater specialisation and division of labour than less dense centres. For example, the market for nails for building work in a dense population centre is greater in that centre and would give rise to specialised nail-makers mass producing nails. In a remote rural region with very low population density and difficulty or prohibitive expense in importing mass produced nails, making nails may be done by a blacksmith who also makes all manner of other metal objects (less specialisation and division of labour).

Book 1 - Chapter 4: 

This chapter looks at money and how this evolved as a way to usefully and conveniently facilitate trade. It talks about trade was initially facilitated through exchange of weights of precious metals such as gold and silver for goods and services. Smith goes on to describe how the uniform goodness of precious metals was attested through stamping a quality mark on it with this giving rise to coinage. Smith also recognises that coinage was debased at the expense of national subjects by sovereign states and princes by gradually reducing the amount of gold and silver in the coin over time in order to create more money from this skimmed precious metal. This chapter introduces the concept of "value in exchange" and outlines how the "real" value of exchanged commodities is composed. 

Book 1 - Chapter 5:

Smith expands upon the concept of "real" value and compares it to "nominal" value. Real value is that which is given up to produce a commodity and nominal value is the money price of that commodity. These values are not always that same with a tendency for a commodity with a nominal value under or over its real value to move towards the real value. This chapter revisits the topic of the value of money in terms of the quantity of gold and silver in coins. Interestingly, he suggests that government regulation making silver and gold the legal tender except for small change would stop the "discreditable" conduct of banks in counting out pennies to depositors calling for their deposits in a bank run. He adds that this regulation would require banks to hold more cash in reserve which would be a considerable security to the banks creditors (including depositors). This suggestion of government regulation and reserve requirements is a feature of the banking system today. 

Book 1 - Chapter 6:

 In this chapter Smith breaks down the price of any good or service into either one or more of three parts:
    - The wages of labour
    - The profits of stock
    - The rent of land

A common thread with all of this, as outlined in the introduction to his book, is that the stock cannot turn a profit and rent cannot be provided without labour. Another interesting anecdote Smith makes in this chapter is that of Smith likening the charging of rent by landlords who annexed the commons as "reaping where they never sowed".

Book 1 - Chapter 7:

This chapter essentially introduces the basic economic concepts of demand, supply and equilibrium price. It also talks on the spectrum of perfect competition and oligopolies and monopolies and the effect of this on the price that is charged versus the "natural" price. An insightful quote from this chapter is:

"The exclusive privileges of corporations, statutes of apprenticeship, and all those laws which restrain, in particular employments, the competition to a smaller number than might otherwise go into them, have the same tendency, though in a less degree. They are a sort of enlarged monopolies, and may frequently, for ages together, and in whole classes of employments, keep up the market price of particular commodities above the natural price, and maintain both the wages of the labour and the profits of the stock employed about them somewhat above their natural rate.

Such enhancements of the market price may last as long as the regulations of policy which give occasion to them."

My conclusion ... so far

My main takeaways from this are that Smith has done a good job at linking economic prosperity to "useful" employment of labour. He also logically and systematically creates a basis for his economic principles based on empirical evidence available to him at the time and from his experiences. He makes it clear that the economic principles are subject to reality and that they may not always hold depending on other factors. Importantly Smith recognises the importance of society and everyone contributing what they are able to progress it. Through induction and a couple of statements Smith also recognises the role of regulation in the economy to ensure it operates in the best interests of society (e.g. reserve requirements and anti-trust / monopoly regulation). There are two ways to read an interesting quote Smith made in Chapter 7  as reproduced above. One is to infer that the exclusive privileges relates to preferential treatment of certain corporations by governments and sovereigns such as the East India Compony while the other is more general and relates to the general privileges enjoyed by corporations, namely, limited liability and a higher barrier to entry into this structure by those with greater resources than those without such resources.

Overall, my own reading of the text has changed the way in which I have thought of Adam Smith. I see in the words of the author and the ideas espoused, someone trying to create a model by which to better understand economics. The economics espoused in this text is that based on hard work (labour) being the prime mover in economic performance with the real value of things being that which is given up by those who perform the labour. He does include stock and land as secondary elements but these can only be utilised through labour. Sounds to me so far that true capitalism is based on "useful labour" rather than playing around with the money supply or having hoards of unused stock and land.

More to come in Part 2 (just need to finish reading more chapters).

Friday, 11 April 2014

Money : whence it came, where it went: A review

Title: Money : whence it came, where it went
Author: John Kenneth Galbraith
Pages: 335 pages
Publisher: Bantam (1976)
Language: English
ISBN-10: 0553026887
ISBN-13: 978-0553026887


In terms of content, Galbraith has done good job of providing a fairly representative round-up of the early days of money and the various ways in which is was managed or abused, He then continues into a more US focused history of money and looks at the effectiveness of monetary policy in dealing with periods of recession. He provides a very candid account of his and his contemporaries and near contemporaries role in economic policy making. He concludes with six points which essentially point out the failings of monetary policy as a sole lever in the economy and highlights the importance of combining monetary policy with fiscal policy to effect desired outcomes in the economy. Galbraith made the point that monetary policy may make available more money through banks by reducing official interest rates and loosening reserve requirements but fiscal policy was needed to encourage people to actually use this extra money made available.

In terms of style, Galbraith has used a conversational style with amusing anecdotes and opinions interspersed. sometimes though, you find yourself back tracking to get some of his points due to some of the sidelines and witty quips. Overall not impenetrable.

I would recommend reading this book. Textbooks I studied while studying various economics subjects lack the same colour and courage in discussing the subject matter and for the most part take monetary policy as gospel. This book gives a more balanced view.

Wednesday, 26 March 2014

What is privileged access? - A definition of privileged access from review of US financial institution regulation and ISO 27002

Why is it important to understand what privileged access is? Highlighting some examples of what can happen when privileged access is not managed appropriately demonstrates it is something that needs to be understood:

  • March 2002 – It was reported that Roger Duronio brought down 2,000 business critical servers, including trading servers, with a logic bomb in UBS costing $3.1m in restoration costs and unknown business loses during the downtimei.
  • January 2008 - It was reported that Jérôme Kerviel lost Société Générale €4.9bn in trades purportedly utilising privileged access accumulated from his previous and last roles in the bankii.
  • January 2009 - It was reported that Rajendrasinh B. Makwana almost brought down 4,000 critical servers with a logic bomb that could have lost Fannie Mae “many millions of dollars” with his privileged accessiii.

From this, the impacts of not understanding and appropriately controlling privileged access are significant. The primary challenge with implementing privileged access policies and controls is a lack of a clear definition of what privileged access is.

Fortunately, US financial institutions regulation and the International Standards Organisation provide a starting point.

US Financial Institutions Regulation

The Board of Governors of the Federal Reserve System (the Board) implements the Federal Reserve Act and other laws pertaining to banking and financial activities. The Board implements those laws, in part, through its regulations A through to YY, which are codified in Title 12, Chapter II, of the Code of Federal Regulations within the US Code (USC)iv.

Section 6801 and section 6805 in Title 15 of the USC applies the Gramm-Leach-Bliley Act of 1999 (GLBA) to financial institutions including Bank holding companies. Section 501(b) of the GLBA introduced the “Financial Institutions Safeguards” requirement that requires financial institutions implement administrative, technical, and physical safeguards to ensure the confidentially, security and integrity of customer informationv.

Further guidance as to how to establish these safeguards is provided by CFR Regulation Y - Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards. These guidelines were developed by the Member agencies of the Federal Financial Institutions Examination Council (FFIEC). The FFIEC published examination handbooks that apply to the examination of a financial institution's operations and all related data, and serves as a supplement to the agencies' GLBA 501(b) expectations.

Page 19 of the Federal Financial Institution Examination Council (FFIEC) Information Security Examination Handbook defines privileged access asvi:

the ability to override system or application controls”

A key point to note in this definition is the distinction between systems and applications. This distinction means that privileged access may exist at an application level as well as at the underlying infrastructure system level.

International Standards Organisation

The FFIEC Information Security Examination Handbook definition is aligned to the international standard ISO 27002 Information technology - Security techniques - Code of practice for information security management (ISO 27002).

Specifically, page 61 of ISO 27002 defines privileged access rights, as thosevii:

access rights which allow users to override system controls”

How this definition differs from the FFIEC definition is that is refers to access rights and these applying only to system controls rather than both system and application controls. This ISO guidance suggests that the FFIEC definition’s “ability” is that ability conferred to a “user” by virtue of their “access rights”.

Additionally page 62 of ISO 27002 defines system administration privileges asviii:

any feature or facility of an information system that enables the user to override system or application controls”

The last part of this definition is identical to the FFIEC wording “override system or application controls”. This additional ISO guidance suggests that the FFIEC definition’s “ability” is that ability conferred to a “user” by virtue of “any feature or facility of an information system”. As per the FFIEC definition, a key point to note in this definition is the distinction between systems and applications. As with the FFIEC definition, this distinction means that privileged access may exist at an application level as well as at the underlying infrastructure system level.

Finally, further guidance is available at page 56 of ISO 27002 which defines privileged operations asix:

use of privileged accounts, e.g. supervisor, root, administrator; system start-up and stop; [and] I/O device attachment/detachment”

While not a definition of privileged access it does provide useful interpretation guidance in what is commonly considered to be the operations of those with privileged access, and from this, what constitutes privileged access. In this case, operating system or database system administrator accounts such as “root”, “administrator” and “supervisor”. By extension, similar access to the access level of these accounts would be considered privileged access. This definition also describes the ability to execute system start-up; and stop and I/O device attachment/detachment, system level services generally accessible via service or system accounts.

Conclusion - A Working Definition of Privileged Access

From these sources we can develop a working definition of privileged access that is aligned to US regulatory requirements and international standards.

From the FFIEC definition, the working definition needs to cover both applications and systems. Expanding the FFIEC definition’s use of the term “ability” using ISO guidance, would result in the following definition:

Privileged access is the ability to override system or application controls, conferred to a user by virtue of their access rights or any feature or facility of an information system. This includes the ability to use system administration and service accounts.”

From this working definition, we can better understand what ability is considered privileged and that a user with this access would be considered to have privileged access. Policy making and controls based on this definition will ensure alignment with the US regulators and international standards hopefully resulting in better risk and control assessments to implement the necessary administrative, technical, and physical safeguards to ensure the confidentially, security and integrity of customer information.


i Gaudin, S., Ex-UBS Systems Admin Sentenced To 97 Months In Jail, United States of America, 2006. Available at: (Accessed 6 March 2014).

ii Tarzy, B., Revoke legacy privileged accounts – or pay the consequences, United Kingdom, 2012. Available at: (Accessed 6 March 2014).

iii Keizer, G., Ex-Fannie Mae engineer pleads innocent to server bomb charge, United States of America, 2009. Available at: (Accessed 6 March 2014).

iv Government Printing Office, Electronic Code of Federal Regulations, United States of America, 2012. Available at: (Accessed 6 March 2014).

v Government Printing Office, GRAMM–LEACH–BLILEY ACT, United States of America, 1999. Available at: (Accessed 6 March 2014).

vi Federal Financial Institution Examination Council, The FFIEC Information Security IT Examination Handbook, United States of America, 2006. Available at: (Accessed 6 March 2014).

vii International Organisation for Standardization (ISO), ISO 27002:2005, Information technology - Security techniques - Code of practice for information security management, Switzerland, 2005

viii Ibid

ix Ibid

PS: This is also published in the IT Risk Practitioner

Monday, 24 March 2014

Would Recommend Code::Blocks IDE for C++ Development

I normally use a Linux host for my development work (Eclipse and Netbeans) but have today decided to look at Windows again. I was looking around for a no-nonsense IDE with version control, syntax highlighting, compiling and running of programs in the one intuitive interface. I finally found a good IDE that fits the bill: Code::Blocks (see home page at This IDE installs easily and without any issues from a single downloaded binary (albeit 100mb in size. Download the one at: and can build and run C++ application code straight out of the box. I was very impressed. I didn't have to setup cygwin or MinGW it set this up for me (i.e MinGW was installed alongside the IDE and GCC).

It's looking good so far but we'll see how it goes when I start to exercise it a bit more.

Tuesday, 11 March 2014

Financial services systems change failures and how to control them

When it comes to systems change there are a number of notable failures in the financial services industry:

January 2009: - It was reported that IT systems engineer Rajendrasinh B. Makwana almost brought down 4,000 critical servers with a logic bomb, embedded in developed scripts, which could have lost Fannie Mae “many millions of dollars” that was only discovered by chance by another engineeri.

January 2010: It was reported that a HSBC Mainframe upgrade shut down cash machines and online banking for HSBC customers as part of upgrade to One HSBC platformii. This was in addition to a similar outage in June 2009 a further telephone banking outage in February 2008 due to “coding” changesiii.

September 2010: It was reported that J.P. Morgan’s online banking service was offline for 3 days due to third party database software “corrupting the login process” impacting 16 million customersiv. It was reported that J.P. Morgan appeared not to have a roll-back plan so they could recover while continuing business as normalv.

June 2012: It was reported that the Royal Bank of Scotland to pay £125 million in costs related to a glitch in the CA7 batch process scheduler as part of systems maintenance activity that resulted in 12 million customer accounts being frozen for almost a weekvi.

August 2012: It was reported that Knight Capital Group lost $440 million in 30 minutes and wiped 62% of its stock price, due to a trading software algorithm glitch that generated erratic trades and that bought high and sold low for nearly 150 stocksvii. The glitch resulted in 4 million additional trades in 550 million shares that would not have occurred otherwiseviii.

August 2013: It was reported that Goldman Sachs lost $100 million due to an automated trading systems glitch that caused a number of incorrect options trades that disrupted US exchange trading affecting shares with listing symbols starting with the letter H through Lix. The glitch caused automated trading systems to accidentally send indications of interest as real orders to be filled at the US exchanges. The cause was reported to be due to inadequate software testingx.

September 2013: It was reported that Clydesdale Bank was fined £8.9 million by the Financial Conduct Authority for failing to inform customers of their rights after a software glitch caused the miscalculation of repayments on over 42,500 mortgagesxi.

Risk and associated controls

A good, actionable risk statement that captures these events is:

Customer data leakage, corruption or system unavailability caused by defective or malicious system changes resulting in financial losses of UK £100 million, customer churn of 6.4 percentxii and regulatory sanction by the Financial Conduct Authority and Information Commissioner’s Office.”

This risk statement is a lower level risk that contributes to the organisational level risk of for example:

Loss of market share caused by eroded customer confidence in the organisation’s information security resulting in net revenue reduction to the order of hundreds of millions and bank share value reduced from loss of market confidence in operational management.”

From the lower level risk statement we can then identify the risk causes that need to be controlled. In this case we need to control defective or malicious systems changes that might result in customer data leakage, corruption or systems unavailability.

To take these in turn, we’d need to implement a change quality testing process to ensure that system changes are adequately tested which may include activities such as code quality reviews, unit, functional, systems, integration and regression testing. An additional step for business supporting systems would be user acceptance testing by the business that also includes tests for boundary conditions and invalid data inputs to the system data input interfaces.

We’d then need to implement a change control strategy that uses technical and administrative controls to restrict the ability to make changes to production or critical systems unless these changes are approved. The approval should not be a simple tick in the box but should require appropriately senior stakeholder approval of changes with high risk changes signed off at senior executive levels within the IT and business areas. Part of this sign-off should be that they have assured themselves that the change has been adequately tested and is fit for purpose.

There is a further control required to make these two controls work. This control is to ensure there is a technically enforced separation of duties so that those making changes cannot implement these changes in the target environment.

In order to ensure these controls are adequately and effectively implemented there needs to be clearly articulated and enforceable policies, standards, procedures and guidelines in place. The policies and standards need to be clear and unambiguous, have an owner and describe the enforcement actions that will be taken if the policy or standard is not complied with. These enforcement actions must then be applied for all cases of non-compliance. Where a non-compliance is expected this needs to be pre-approved with the policy owner and clearly highlighted to the system senior stakeholders and approved at the appropriate senior executive level within the technology and business areas involved in the change.


i Keizer, G., Ex-Fannie Mae engineer pleads innocent to server bomb charge, United States of America, January 2009. Available at: (Accessed 6 March 2014).
ii, HSBC mainframe outage causes major HSBC network crash, United States, January 2010. Available at: (Accessed on 11 March 2014).
iii Ibid
v Ibid
vi Flinders, K., RBS computer problem costs £125m, United States, August 2012. Available at:
vii Philips, M., Knight Shows How to Lose $440 Million in 30 Minutes, United States, August 2012. Available at:
viii Ibid
ix Holley, E., Goldman Sachs trading error is “a warning to all”, United States, August 2013. Available at:
x Ibid
xi Nguyen, A., Clydesdale Bank fined £8.9m over mortgage system problem, United Kingdom, September 2013. Available at: (Accessed 11 March 2014).
xii Figure of 6.4% customer churn comes from: Ponemon Institute, 2011 Cost of Data Breach Study: United Kingdom, United Kingdom, March 2012.