International Association of Risk and Compliance Professionals (IARCP)
1200 G Street NW Suite 800, Washington, DC 20005-6705 USA
Tel: 202-449-9750
www.risk-compliance-association.com

Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next

Dear Member,

Cyberbullying refers to the practice of using technology to harass, or bully, someone else. Bullies used to be restricted to methods such as physical intimidation, postal mail, or the telephone. Now, developments in electronic media offer forums such as email, instant messaging, web pages, and digital photos to add to the arsenal. Computers, cell phones, and PDAs are current tools that are being used to conduct an old practice.

Forms of cyberbullying can range in severity from cruel or embarrassing rumors to threats, harassment, or stalking. It can affect any age group; however, teenagers and young adults are common victims, and cyberbullying is a growing problem in schools.

This is part of Security Tip (ST06-005), Dealing with Cyberbullies, from the Department of Homeland Security's US Computer Emergency Readiness Team (US-CERT), which leads efforts to improve cybersecurity posture, coordinate cyber information sharing, and proactively manage cyber risks. Let's continue:

"Why has cyberbullying become such a problem? The relative anonymity of the internet is appealing for bullies because it enhances the intimidation and makes tracing the activity more difficult. Some bullies also find it easier to be more vicious because there is no personal contact. Unfortunately, the internet and email can also increase the visibility of the activity.

Information or pictures posted online or forwarded in mass emails can reach a larger audience faster than more traditional methods, causing more damage to the victims. And because of the amount of personal information available online, bullies may be able to arbitrarily choose their victims.

Cyberbullying may also indicate a tendency toward more serious behavior. While bullying has always been an unfortunate reality, most bullies grow out of it. Cyberbullying has not existed long enough to have solid research, but there is evidence that it may be an early warning for more violent behavior."

You will find more about cyberbullying at:
https://www.us-cert.gov/ncas/tips/ST06-005

You will find excellent tips for your organization and your home at:
https://www.us-cert.gov/ncas/tips

Another example, taken from the US-CERT tips:

"Although free email services have many benefits, you should not use them to send sensitive information. Because you are not paying for the account, the organization may not have a strong commitment to protecting you from various threats or to offering you the best service. Some of the elements you risk are:

Security. If your login, password, or messages are sent in plain text, they may easily be intercepted. If a service provider offers SSL encryption, you should use it. You can find out whether this is available by looking for a "secure mode" or by replacing the "http:" in the URL with "https:" (see Protecting Your Privacy for more information).

Privacy. You aren't paying for your email account, but the service provider has to find some way to recover the costs of providing the service. One way of generating revenue is to sell advertising space, but another is to sell or trade information. Make sure to read the service provider's privacy policy or terms of use to see if your name, your email address, the email addresses in your address book, or any of the information in your profile has the potential of being given to other organizations (see Protecting Your Privacy for more information). If you are considering forwarding your work email to a free email account, check with your employer first. You do not want to violate any established security policies.

Reliability. Although you may be able to access your account from any computer, you need to make sure that the account is going to be available when you want to access it. Familiarize yourself with the service provider's terms of service so that you know exactly what they have committed to providing you. For example, if the service ends or your account disappears, can you retrieve your messages? Does the service provider give you the ability to download messages that you want to archive onto your machine? Also, if you happen to be in a different time zone than the provider, you may find that their server maintenance interferes with your normal email routine."

You will find more at:
https://www.us-cert.gov/ncas/tips/ST05-009

Another example:

"A rootkit is a piece of software that can be installed and hidden on your computer without your knowledge. It may be included in a larger software package or installed by an attacker who has been able to take advantage of a vulnerability on your computer or has convinced you to download it."

"Rootkits are not necessarily malicious, but they may hide malicious activities. Attackers may be able to access information, monitor your actions, modify programs, or perform other functions on your computer without being detected.

Botnet is a term derived from the idea of bot networks. In its most basic form, a bot is simply an automated computer program, or robot. In the context of botnets, bots refer to computers that are able to be controlled by one, or many, outside sources. An attacker usually gains control by infecting the computers with a virus or other malicious code that gives the attacker access. Your computer may be part of a botnet even though it appears to be operating normally. Botnets are often used to conduct a range of activities, from distributing spam and viruses to conducting denial-of-service attacks."

Read more at Number 6 and 7 below.

Welcome to the Top 10 list.

Best Regards,

George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800, Washington DC 20005, USA
Tel: (202) 449-9750
Email: [email protected]
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804, Wilmington DE 19801, USA
Tel: (302) 342-8828

Revisions to the Standardised Approach for credit risk - second consultative document
December 2015

The second consultative document on Revisions to the Standardised Approach for credit risk forms part of the Committee's broader review of the capital framework to balance simplicity and risk sensitivity, and to promote comparability by reducing variability in risk-weighted assets across banks and jurisdictions.

These proposals differ in several ways from an initial set of proposals published by the Committee in December 2014. That earlier proposal set out an approach that removed all references to external credit ratings and assigned risk weights based on a limited number of alternative risk drivers. Respondents to the first consultative document expressed concerns, suggesting that the complete removal of references to ratings was unnecessary and undesirable. The Committee has decided to reintroduce the use of ratings, in a non-mechanistic manner, for exposures to banks and corporates.

PCAOB Standard-Setting Update
Jay D. Hanson, Board Member
AICPA Conference on Current SEC and PCAOB Developments, Washington DC

"Behind the scenes, much work is in progress to refine the process by which projects get added to our agenda, how they get prioritized and how the work flows from start to finish. While many aspects of these changes may not be visible to most of you in the room, I hope the result is better decisions about what gets on our agenda, informed by appropriate research."

NIST Seeks Comments on Cybersecurity Framework Use, Potential Updates and Future Management

The National Institute of Standards and Technology (NIST) is seeking information on how its voluntary “Framework for Improving Critical Infrastructure Cybersecurity” is being used, as well as feedback on possible changes to the Framework and its future management.

Developed in response to a 2013 Executive Order, the Framework consists of standards, guidelines and practices that help organizations address cyber risks by aligning policy, business and technological approaches.

“The process to develop the Framework brought together both private and public sector organizations and resulted in a document that is being used by a wide variety of organizations,” said Adam Sedgewick, NIST senior information technology policy advisor. “We’re looking forward to receiving feedback on specific questions about its use and how it might be improved.”

ENISA welcomes the agreement of EU Institutions on the first EU wide cybersecurity Directive and Agency’s extended role

Following extensive negotiations the EU institutions have reached an agreement, which will support Member States in achieving a high level of network & information security that is coherent across the EU and which will pave the way for more collaboration among them. The Directive foresees significant new tasks for ENISA, strengthening its role. ENISA considers this agreement an important step forward for securing ICT infrastructure across the EU.

ENISA welcomes the agreement on the upcoming NIS Directive, which is a significant step towards further improvements in NIS across the EU.

New challenges for a new era
Luis M Linde, Governor of the Bank of Spain, at the 8th Santander International Banking Conference, Madrid

"The first edition took place in the autumn of 2008, right after the fall of Lehman Brothers and just before the G20 leaders agreed to launch the financial regulatory reform in an unprecedented globally coordinated action. The objective was clear and so was the mandate given to the Financial Stability Board and the Basel Committee on Banking Supervision: to build a stronger and more resilient financial system. Since then, the main pillars of the reform have been put in place. The list of new measures implemented is long and, I would say, impressive. I will not review the list, which is very clearly and well explained in the latest progress reports published by the Financial Stability Board and the Basel Committee."

US-CERT, Security Tip
Before You Connect a New Computer to the Internet

Why Should I Care About Computer Security?

Computers help us maintain our financial, social, and professional relationships. We use them for banking and bill paying, online shopping, connecting with our friends and family through email and social networking sites, researching data posted on the Internet, and so much more. We rely heavily on our computers to provide these services, yet we sometimes overlook our need to secure them.

US-CERT, Security Tip
Securing Your Home Network

How are routers used in your home network?

Home routers have become an integral part of our global communications footprint as use of the Internet has grown to include home-based businesses, telework, schoolwork, social networking, entertainment, and personal financial management. Routers facilitate this broadened connectivity. Most of these devices are preconfigured at the factory and are Internet-ready for immediate use. After installing routers, users often connect immediately to the Internet without performing any additional configuration. Users may be unwilling to add configuration safeguards because configuration seems too difficult or users are reluctant to spend the time with advanced configuration settings.

Unfortunately, the default configuration of most home routers offers little security and leaves home networks vulnerable to attack. Small businesses and organizations often use these same home routers to connect to the Internet without implementing additional security precautions and expose their organizations to attack.

NISTIR 7987 Revision 1
Policy Machine: Features, Architecture, and Specification
David Ferraiolo, Serban Gavrila, Wayne Jansen

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology.

Who are non-banks and why are they important for us?
Marius Jurgilas, Member of the Board of the Bank of Lithuania, at the conference "Non-banks in Payment Market: Challenges and Opportunities", organised by the Bank of Lithuania and the Sveriges Riksbank, Vilnius

"In 2007 Federal Reserve Bank of Kansas City hosted a similarly titled conference. It was the time when Europe was still debating the modalities of the upcoming PSD and Steve Jobs just introduced the first iPhone to the world. Now we have iPhone 6 and PSD2 and, because of another innovation by Apple over that time - ApplePay - the link between the two is relevant more than ever."

The current situation in Japan's financial system and macroprudential policy
Haruhiko Kuroda, Governor of the Bank of Japan, at the Paris EUROPLACE Financial Forum, Tokyo

"It is a great honor to have this opportunity to speak before the Paris Europlace Financial Forum today. Before I begin, I would like to offer my deepest condolences to the victims of the recent terrorist attacks in Paris. Since the global financial crisis, the "macroprudential" perspective has become widely recognized. Underlying the macroprudential framework is the view that, to ensure financial stability, it is necessary to devise institutional designs and policy measures to prevent systemic risk from materializing, based on analyses and assessments of risks in the financial system as a whole, taking into account the interconnectedness of the real economy, financial markets, and financial institutions' behavior."
Revisions to the Standardised Approach for credit risk - second consultative document
December 2015

The second consultative document on Revisions to the Standardised Approach for credit risk forms part of the Committee's broader review of the capital framework to balance simplicity and risk sensitivity, and to promote comparability by reducing variability in risk-weighted assets across banks and jurisdictions.

These proposals differ in several ways from an initial set of proposals published by the Committee in December 2014. That earlier proposal set out an approach that removed all references to external credit ratings and assigned risk weights based on a limited number of alternative risk drivers. Respondents to the first consultative document expressed concerns, suggesting that the complete removal of references to ratings was unnecessary and undesirable. The Committee has decided to reintroduce the use of ratings, in a non-mechanistic manner, for exposures to banks and corporates. The revised proposal also includes alternative approaches for jurisdictions that do not allow the use of external ratings for regulatory purposes.

The proposed risk weighting of real estate loans has also been modified, with the loan-to-value ratio as the main risk driver. The Committee has decided not to use a debt service coverage ratio as a risk driver given the challenges of defining and calibrating a global measure that can be consistently applied across jurisdictions. The Committee instead proposes requiring the assessment of a borrower's ability to pay as a key underwriting criterion. It also proposes to categorise all exposures related to real estate, including specialised lending exposures, under the same asset class, and apply higher risk weights to real estate exposures where repayment is materially dependent on the cash flows generated by the property securing the exposure.

This consultative document also includes proposals for exposures to multilateral development banks, retail and defaulted exposures, and off-balance sheet items. The credit risk standardised approach treatment for sovereigns, central banks and public sector entities is not within the scope of these proposals. The Committee is considering these exposures as part of a broader and holistic review of sovereign-related risks.

The Committee welcomes comments on all aspects of this consultative document and the proposed standards text. Comments on the proposals should be uploaded here by Friday 11 March 2016. All comments will be published on the website of the Bank for International Settlements unless a respondent specifically requests confidential treatment.

To read more:
http://www.bis.org/bcbs/publ/d347.pdf

PCAOB Standard-Setting Update
Jay D. Hanson, Board Member
AICPA Conference on Current SEC and PCAOB Developments, Washington DC

Good Afternoon,

Thank you for the privilege to speak again at this conference. As I am completing my fifth year as a Board member of the Public Company Accounting Oversight Board ("PCAOB" or "Board"), this is still one of my favorite conferences to learn about current developments, as well as interact with many of you to hear your suggestions and concerns. You already heard from a number of other PCAOB speakers during this conference.
We each provide our own unique insights and, as you have heard others say before me, the views I express today are my personal views and do not necessarily reflect the views of the Board, any other Board member, or the staff of the PCAOB. In the brief time I will take today, I will comment on a few aspects of our standard setting activities, share some opinions on topics others have raised, and comment on our project on audit quality indicators. Standard Setting PCAOB Chief Auditor Marty Baumann just provided an update about some of our standard-setting projects. Several representatives from the Securities and Exchange Commission ("SEC") also commented at this conference on our work to improve our standard setting process. Behind the scenes, much work is in progress to refine the process by which projects get added to our agenda, how they get prioritized and how the work flows from start to finish. _____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) P a g e | 13 While many aspects of these changes may not be visible to most of you in the room, I hope the result is better decisions about what gets on our agenda, informed by appropriate research. I also hope that we end up with a better definition of the problem we are trying to solve, broad consideration of alternatives to solve the problem, and ultimately, if rulemaking is necessary, a solution that addresses the problem in a timely and cost effective way. I will comment on a few of the projects Marty discussed. We received significant feedback on the auditor reporting model project after we proposed it in 2013. A number of commenters expressed concern about the broad scope of what the auditor would have to consider in identifying critical audit matters ("CAMs") to report. 
Commenters also expressed concerns that CAMs would sometimes address matters that are immaterial or that would reveal company information not otherwise required to be disclosed under applicable securities laws and regulations. I am optimistic that our reproposal will address these important concerns and result in a meaningful, operational standard. Another overarching concern from preparers is whether we should proceed with a project like this at all, as opposed to letting the SEC mandate any needed improvements to management's disclosures. A similar theme among the comments was the question of whether the CAMs would substantially duplicate other disclosures, including management's discussion of critical accounting estimates. One benefit of the passage of time since our 2013 proposal is that we have had an opportunity to monitor developments in other countries, including the United Kingdom ("UK"). We are closely watching the results of the expanded audit or reporting that has been in place there for several years. We are also benefitting from new academic studies that are beginning to focus on the value of the auditor disclosures, how much duplication may be occurring with management disclosures and whether investors value – and act on – the information. _____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) P a g e | 14 The feedback from the consultation papers our staff issued on fair value, estimates and specialists have been informative. I encourage preparers to follow these projects closely since the ultimate result may require auditors to perform more work and therefore may affect the amount of time preparers spend gathering information for their auditors. 
The specialist consultation paper includes some provocative questions about whether all information that management provides to the auditor should be treated the same, regardless of whether it was prepared by accountants employed by the company or by a specialist, such as an actuary, who relies on historical data provided by the company, along with assumptions about the future. The Board's decisions on the appropriate degree of scrutiny by auditors of this type of information could have significant effects on many aspects of an audit. I personally hope we end up in a place that would enhance the current standards for the auditor's use of the work of a specialist, but not go as far as certain of the ideas raised in the consultation paper might suggest. Preparer Feedback Marty mentioned the feedback we have received from the U.S. Chamber of Commerce regarding the work auditors are performing in the area of internal controls over financial reporting. Several other speakers at the conference, including SEC Chair White, as well a panel yesterday afternoon that included my fellow PCAOB Board Member Jeanette Franzel, discussed the importance of internal controls. I personally have participated in meetings with many preparers and members of organizations representing financial management. I have also had many meetings with audit committee members over the past year. I welcome the feedback about the practical consequence of our regulation of auditors. _____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) P a g e | 15 In many respects, hearing directly from those on the receiving end of an audit how rigorous and challenging the audit is today is good news. On the other hand, it is troubling to hear stories of auditors focusing too much on immaterial items and doing "defensive auditing." And as you all know, if you focus too much on the small items, you may miss big picture. 
Our inspection activities show that all engagement teams do not execute required audit procedures equally well. Many firms have developed tools, checklists and templates to drive more consistent execution. While these tools overall are successful, they are not substitutes for an auditor's understanding of the business, the controls and why specified audit procedures are necessary. I was pleased with the panel discussion yesterday, which brought out many of the issues we have discussed with firms and preparers in recent months. A big take-away from the panel was that good communication between management and the audit team is essential. In that context, let me emphasize again some comments I made recently at another conference. Many of the concerns I have heard about ICFR from preparers is that they believe their management review controls are effective in detecting potential material misstatements, because they know what actions they and their team take to review a monthly reporting package, and they know that their staff will follow up on questions raised during this process. The auditors, however, are telling preparers that they cannot accept their sign-off as evidence of the control's effectiveness. And in fact, while auditors may be able to accept a sign-off when testing a simple process level control that does not involve much judgment (like matching a purchase order, shipping document and invoice), that does not suffice for management review controls. The applicable auditing standard, AS 5, specifically states that inquiry alone does not provide sufficient evidence to support a conclusion about the effectiveness of a control. 
_____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) P a g e | 16 The actual procedures needed for a particular management review control will depend on, among other things, the nature of the control, the risk associated with the control, the information used in the control, and the evidence of the control's operation. AS 5 gives examples such as observation, inspection of relevant documentation, and re-performance of a control. One of my mentors early in my career frequently said "you can't just audit by conversation, you need to audit the support for what management tells you." Those words from over 30 years ago apply today to controls testing. I look forward to continuing our discussions with preparers and auditors on these important topics and many others. Audit Quality Indicators Yesterday, Cindy Fornelli from the Center for Audit Quality ("CAQ") described the CAQ efforts around audit quality indicators. Chief Accountant Jim Schnurr and others also have mentioned the PCAOB project in this area. I commend the CAQ for the work they have done and what they have shared with us. Collectively, we are advancing thought in this important area and driving improvements in audits. The Board issued a concept release in June 2015 on audit quality indicators. Prior to the issuance of the concept release, we had several discussions over multiple meetings with our Standing Advisory and Investor Advisory Groups. Since the issuance, we had further discussions with both groups. I personally have discussed the concepts with multiple preparers, audit committees and others. Overall, we have received substantial helpful input. The overwhelming feedback has been that exploring audit quality indicators is a worthwhile effort. 
_____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) P a g e | 17 However, there is sharp divergence on the role of the PCAOB in this area, questions about how AQIs should be used, and varying views about appropriate next steps. Some advocate that the PCAOB should move quickly to require the use of certain defined indicators by audit firms and individual engagement teams and that such indicators be made publically available for all investors to consider. Many others have argued that best use of audit quality indicators is in a discussion between the engagement team and audit committee, focusing on indicators that best capture the relevant considerations for that audit. Some of these commenters suggested that the PCAOB refrain from mandating any specific indicators at this time. Rather, these commenters believe that the Board should let auditor and audit committee practice develop on a voluntary basis before considering whether rulemaking is necessary. We received very little feedback on the specific AQIs discussed in the concept release. Many commenters believed that those engagement level AQIs that are focused on the availability and competence of engagement personnel are most valuable. Some of my one-on-one conversations with audit committee members emphasized the importance of the qualitative aspects of the relationship with the engagement partner, and no quantitative metric would capture that. With regard to next steps, my personal opinion is that we need to further our efforts to validate which AQIs have the strongest correlation to high quality audits. I believe we should refine the list of 28 indicators included in the concept release to 10 or fewer and make that list public, along with clear definitions for each indicator to encourage consistency in their use. 
We should continue to collect and analyze information, through our inspection process and other outreach, about what indicators audit _____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) P a g e | 18 committees and engagement teams find most valuable and provide transparency about our findings and conclusions. After a few years, we can reassess the need, if any, for rulemaking to mandate the use, discussion or disclosure of quality indicators. I also believe we should encourage the firms' efforts in publishing audit quality reports to make as much relevant information available to investors as possible. Relevant to this approach, I was interested to see that the UK Financial Reporting Council ("FRC") recently published its 2016-19 strategy. One aspect of the FRC plan is something I agree with: Place greater emphasis on best practice, education and other non-regulatory approaches to help secure continuous improvement in the quality of information and behaviour, including through our corporate reporting and audit quality review activities." The FRC's regulatory mandate is broader than the PCAOB's, but the principles apply equally to us. Audit quality indicators is one project where we can experiment with driving improvements in audit quality by providing information and encouraging voluntary compliance and disclosure, before we determine whether regulation is needed. Stay tuned. Inspection Findings Tomorrow, you will hear about our recent inspection findings from Helen Munter, PCAOB Director of Registration and Inspections. I won't go into any details of what she will discuss, but I want to highlight a couple of points from our recent general purpose report on observations of the Risk Assessment Standards. 
This report provides information regarding the implementation of, and compliance with, the Risk Assessment Standards from the PCAOB's 2012-2014 inspections of registered public accounting firms. The report expresses the Board's concern about the number and significance of deficiencies related to the Risk Assessment Standards. _____________________________________________________________ International Association of Risk and Compliance Professionals (IARCP) P a g e | 19 It is important to understand that the procedures required by these standards underlie the entire audit process and drive decisions about the scope and nature of the procedures that the auditor ultimately performs to support the opinion expressed in the auditor's report. Summarizing our inspectors' conclusions about potential causes of the deficiencies, the report provides examples, including the following, among others: · "The firm did not have an adequate understanding of the issuer and its processes and related internal control over financial reporting." · "The firm did not adequately design and perform audit procedures to address identified and assessed risks of material misstatement." · "Senior members of the engagement team, including the engagement partner, may not devote sufficient attention to the performance of risk assessment procedures or the supervision, including review of the work of engagement team members." · "Some firm professionals may not exercise due care, including professional skepticism (e.g., overreliance upon management assertions, reliance on perceived knowledge of the issuer, and insufficient evaluation of contradictory evidence)." The Canadian Public Accountability Board ("CPAB") is Canada's audit regulator responsible for the oversight of public accounting firms that audit Canadian reporting issuers. 
CPAB recently issued a report that discusses the 2015 annual inspection findings for Canada's four largest public accounting firms, and I noted that several observations in CPAB's report are consistent with our recent report. For example, that report states:

· "Auditors must make sure that procedures are appropriately designed and executed. If fundamental audit areas are delegated to more junior staff, the firm must see to it that staff have the appropriate training to perform their assigned procedures and that their work is appropriately supervised and reviewed."

· "An insufficient understanding of the client's business is the root cause behind many of the audit findings we identified. To assess risk of error and ultimately determine an effective audit strategy, the auditor needs a sound understanding of the company's business, operations, and nature and flow of accounting transactions. Otherwise, it is difficult to plan and execute an effective audit."

· "Areas requiring the most professional judgment and skepticism continued to feature prominently in our 2015 inspection findings. Participation of senior engagement leaders at both the planning and issues resolution stages remains the best way to deal with these matters. To address audit team inexperience and to support the delivery of a quality audit, the timely and appropriate involvement of engagement leadership is essential."
As I think about my (now dated) experience as an auditor and consider issues relating to the appropriate scope of ICFR audit work, the most important AQIs, and PCAOB inspectors' observations about potential causes of inspection findings, I find that there is a common theme that comes up again and again: the best audits are those that are conducted by the right people, with the right skills, doing things at the right time and in the right order, properly supervised, with a skeptical mindset and communicating effectively throughout the process. Simple, right?

With that, let me thank you again for listening, and I will take questions during the session at the end of the day.

NIST Seeks Comments on Cybersecurity Framework Use, Potential Updates and Future Management

The National Institute of Standards and Technology (NIST) is seeking information on how its voluntary “Framework for Improving Critical Infrastructure Cybersecurity” is being used, as well as feedback on possible changes to the Framework and its future management.

A preview copy of the Request for Information (RFI) was posted to the Federal Register at: https://www.federalregister.gov/articles/2015/12/11/2015-31217/views-on-the-framework-for-improving-critical-infrastructure-cybersecurity

The comment period opened Friday, Dec. 11, 2015, and closes Feb. 9, 2016.

Developed in response to a 2013 Executive Order, the Framework consists of standards, guidelines and practices that help organizations address cyber risks by aligning policy, business and technological approaches.

“The process to develop the Framework brought together both private and public sector organizations and resulted in a document that is being used by a wide variety of organizations,” said Adam Sedgewick, NIST senior information technology policy advisor.
“We’re looking forward to receiving feedback on specific questions about its use and how it might be improved.”

The Framework was released in February 2014, after a year-long, open process that included input from industry, academia and government agencies at the federal and state levels. An increasing number of organizations that are part of the nation’s critical infrastructure, including the energy and financial sectors, as well as other private and public organizations, have been using the Framework to improve their management of cyber risks.

To fulfill its responsibilities under the Cybersecurity Enhancement Act of 2014, NIST is committed to maintaining an inclusive approach that incorporates the views of a wide array of individuals, organizations and sectors. In the RFI, NIST asks specific questions about:

• the variety of ways in which the Framework is being used to improve cybersecurity risk management,
• how best practices for using the Framework are being shared,
• the relative value of different parts of the Framework,
• the possible need for an update of the Framework, and
• options for the long-term management of the Framework.

Responses to this RFI, which will be posted publicly, will inform NIST's planning and decision-making about how to further advance the Framework so that the nation’s critical infrastructure is more secure and resilient. For more information and a form for submitting comments on the RFI, visit the Framework website at: http://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm

Feedback gathered from the RFI also will assist in developing the agenda for a workshop on the Framework being planned for April 6 and 7, 2016, at NIST’s Gaithersburg, Md., campus. Specifics about the workshop will be announced at a later date.
ENISA welcomes the agreement of EU Institutions on the first EU-wide cybersecurity Directive and the Agency’s extended role

Following extensive negotiations, the EU institutions have reached an agreement which will support Member States in achieving a high level of network and information security that is coherent across the EU, and which will pave the way for more collaboration among them. The Directive foresees significant new tasks for ENISA, strengthening its role. ENISA considers this agreement an important step forward for securing ICT infrastructure across the EU, and welcomes the upcoming NIS Directive as a significant step towards further improvements in network and information security across the EU.

To find out more about the agreement: http://www.europarl.europa.eu/news/en/news-room/20151207IPR06449/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity

The NIS Directive foresees a number of concrete measures to make this happen, the most fundamental of which are two cooperation mechanisms among Member States: the network of Computer Security Incident Response Teams (CSIRT Network), to be coordinated by ENISA, and the “Cooperation Group”, consisting of members of national competent authorities, the EU Commission and ENISA. Member States also have to appoint a competent national authority dealing with NIS matters. Other important measures include the requirement to produce a national cybersecurity strategy and the obligation for companies working in critical sectors such as energy, transport, finance and others to inform national authorities about incidents of significant impact.
The Executive Director of ENISA, Udo Helmbrecht, commented on this agreement: “Ensuring the availability, integrity and confidentiality of critical and digital infrastructures is a challenging task for public and private stakeholders. ENISA welcomes the new tasks associated with the implementation of the NIS Directive and will continue to assist the EU Member States and the private sector in improving cybersecurity capabilities and cooperation towards the implementation of the NIS Directive and in line with the objectives of the DSM.”

Background

The Network and Information Security (NIS) Directive was the main legislative proposal under the 2013 EU Cybersecurity Strategy, a policy document published by the European Commission (EC) explaining a number of steps the EC will undertake, in cooperation with the Member States, public and private stakeholders and other relevant actors, in the area of cyber security. Parliament is expected to approve the agreed text on December 17 and Council the following day. EU countries will then have 21 months in which to transpose the directive into national law.

CSIRT network: ENISA has operated a network of national and governmental CSIRTs since 2005; it is used to establish trust and enable information sharing. ENISA assists EU public and private cybersecurity experts in preventing and reacting to future crises. In particular, ENISA organises regular crisis exercises with hundreds of participants to train experts, foster cooperation amongst them and provide guidance on best practices. The Agency also provides expert training on crisis management, crisis planning and exercise development, has conducted several studies and has organised international conferences on the topic of cyber crisis cooperation.
ENISA’s Cyber Security Training material was introduced in 2008 and has been extended since. It covers the essentials for working in the CSIRT community and in the field of operational security.

Exercises: Since 2010 ENISA has organised Cyber Europe, the biennial pan-European cyber exercise; the next one takes place in 2016.

Article 13a, ICS-SCADA, NCSS: ENISA has assisted national competent authorities in implementing a harmonised approach to incident reporting for telecoms (known as article 13a of the Telecom Package) and trust service providers (article 19 of eIDAS). The Agency also assists EU Member States in developing National Cyber Security Strategies (NCSS), and has developed good practices for several critical sectors and services (e.g. smart grids, ICS-SCADA, cloud, eHealth, IoT).

New challenges for a new era

Luis M Linde, Governor of the Bank of Spain, at the 8th Santander International Banking Conference, Madrid

1. Introduction

Good morning. First, I would like to thank Banco Santander for inviting me to participate in this new edition of your International Banking Conference. The first edition took place in the autumn of 2008, right after the fall of Lehman Brothers and just before the G20 leaders agreed to launch the financial regulatory reform in an unprecedented globally coordinated action. The objective was clear and so was the mandate given to the Financial Stability Board and the Basel Committee on Banking Supervision: to build a stronger and more resilient financial system. Since then, the main pillars of the reform have been put in place. The list of new measures implemented is long and, I would say, impressive.
I will not review the list, which is very clearly and well explained in the latest progress reports published by the Financial Stability Board and the Basel Committee. I will focus my remarks on three different aspects of the global post-crisis reform that I find particularly relevant for the topic of this Conference:

First of all, the finalisation, next year, of the Basel III framework.

Second, the new total-loss-absorbing-capacity (TLAC) standard, developed by the Financial Stability Board and recently endorsed by the G20 leaders.

To finalise, I will briefly refer to a line of work that the Financial Stability Board is coordinating to address the systemic risks associated with misconduct in financial institutions and markets.

2. The completion of Basel III

When the crisis started, the global banking system had built up several vulnerabilities:
- Many banks were highly leveraged.
- Capital proved to be insufficient and its quality was low.
- There was an excessive exposure to liquidity risk.
- The measurement of risk had major shortcomings.
- And there was a lack of awareness of the dangers associated with systemic risk stemming from complex, opaque and highly interconnected global financial markets.

Basel III is the regulatory response to address these vulnerabilities and, as such, it is one of the main elements of the global banking prudential reform. With Basel III the Basel Committee has:
- Raised the level and quality of capital, especially core Equity Tier 1 capital.
- Introduced additional requirements in order to reduce systemic risk, such as those imposed on systemically important banks, or the countercyclical capital buffers.
- Introduced two new liquidity ratios to mitigate liquidity risk.
- Introduced a new leverage ratio to limit leverage and reinforce risk-based requirements.
- Developed a large-exposures framework to limit the maximum loss in case of a counterparty's failure.
- Last, but not least, the Basel Committee has improved the effectiveness of supervision by upgrading its Core Principles and by strengthening the supervision of systemically important banks.

Many of these new rules are now in place and we can say that banks are more resilient now than in 2009. But different weaknesses persist. For this reason, the Basel Committee is undertaking a review of the capital framework that will be finalised by the end of 2016. In particular, the methodologies used to measure banks' risks are being reviewed, both under the standardised approaches and under internal models.

The standardised approaches are being revised to incorporate the lessons learned from the crisis so as to increase their risk sensitivity without, however, making them unduly complex. Regarding the internal models, they have been criticised because of their lack of comparability, the variability of the resulting risk-weighted assets, and their complexity and lack of transparency. These, let's say, "faults" have undermined the credibility of capital ratios. Therefore, the Basel Committee is considering including several constraints on internal models in order to strike a better balance between simplicity, comparability and risk sensitivity.

The other remaining major challenge is calibration. Basel III has changed the prudential setting quite significantly. The days when there was a single metric (the risk-weighted capital ratio) are over. We now have several prudential measures that will most probably be interacting in different ways. Banks will have to comply with a risk-weighted capital ratio (including additional buffers); a leverage ratio; two liquidity ratios and the large exposure limits.
Additionally, banks that apply internal models will most likely face capital floors based on standardised approaches. Finally, some systemic banks will have to hold additional capital to meet global systemically important bank (G-SIB) buffer and total-loss-absorbing-capacity (TLAC) requirements.

Applying different metrics will make the framework more resilient because some metrics will avoid the limitations of others. For instance, floors based on standardised approaches are meant to be a kind of control or safeguard on internal model risk calculations. Therefore, during 2016 the Basel Committee will be quite busy deciding on the constraints on internal models, calibrating the risk-weighted assets under standardised approaches (as well as the floors to be based on such standardised approaches) and performing a review of the calibration of the leverage ratio.

I would like to underline that this calibration process will build upon the information provided by banks in the context of the next Quantitative Impact Study (QIS) exercises that will be undertaken by the Committee. As always when quantitative issues are involved, the quality of the data will be a main driver for success in the calibration process. It is therefore very important that banks provide accurate data to these impact studies. Of course, any constructive feedback on the Committee's consultative documents will also be very helpful in order to improve the whole exercise.

3. The new TLAC framework

The agreement on total-loss-absorbing-capacity, which was published on 9th November and endorsed by the G20 leaders, is an example of cooperation at global level towards ending the too-big-to-fail problem.
This new TLAC standard guarantees that global systemically important banks (G-SIBs) will have a sufficient (and well distributed) amount of loss absorbing capacity to ensure the continuity of their critical functions at the point of resolution, avoiding the use of public funds. As such, it will contribute to the credibility of bail-in as an effective resolution tool.

The TLAC requirement establishes that a banking group will have to issue (and maintain) a minimum amount of capital and debt liabilities to absorb losses first in case of resolution. The minimum external TLAC requirement would be placed at each "resolution entity" within the group (that is, the legal entity where resolution actions would take place).

G-SIBs must comply with the TLAC minimum standard from 1st January 2019, subject to a phase-in. This minimum requirement will be calculated as the higher of 16% of the risk weighted assets associated with the consolidated balance sheet of the resolution group and 6% of the denominator of the Basel III leverage ratio. As of 1st January 2022, these minimum requirements will rise to 18% and 6.75% respectively.

The TLAC will be required alongside minimum Basel III capital requirements, and the extra capital buffers (systemic, conservation and countercyclical) will sit on top of the TLAC risk-weighted metric. In addition, in order to ensure that there is enough recapitalisation capacity in resolution, one-third of the minimum TLAC requirement is expected to be covered with instruments other than CET1 (that is, debt). It is important to bear in mind that the TLAC establishes a common minimum global requirement and that national authorities have the right at any time to apply higher requirements in their jurisdictions.
The TLAC is a new prudential requirement that has different objectives than the capital ratio. Regulatory capital is mainly to absorb losses in a going-concern situation, whereas TLAC is meant to ensure loss absorption in gone-concern situations (that is, beyond the point of non-viability). I should add that, in a resolution context, the location of loss absorbing resources becomes very important and, for this reason, the TLAC standard gives guidance on how these resources should be distributed within the banking group. This highlights another important difference between the capital framework and TLAC: the location of resources. While the former is required on a consolidated basis for the group as a whole, TLAC is required where resolution takes effect and where critical functions are performed.

One of the most complex issues in the design of the TLAC was the need to ensure consistency between the two main banking resolution strategies: the Single Point of Entry and the Multiple Point of Entry.

Under a Single Point of Entry strategy, resolution actions will be taken in a single legal entity that is basically the parent company of the group, which will have to hold sufficient external TLAC. Additionally, a certain amount of loss-absorbing capacity should be pre-positioned in all material subsidiaries. This would ensure that losses are up-streamed to the resolution entity, thus avoiding putting the material subsidiary into resolution.

By contrast, under a Multiple Point of Entry strategy, the application of resolution tools to different parts of the group is allowed under the assumption of limited interconnections between them. Therefore, in this model, loss-absorption capacity is primarily located in each resolution entity (subsidiaries and the parent company).
This is the resolution model chosen by the global Spanish banks as it is a better fit with their business model.

As I said, one of the most complex issues in the design of the TLAC standard was to find the correct balance between taking into account the particularities of each resolution strategy and ensuring consistent treatment between them. In this respect, the Bank of Spain welcomes the inclusion of certain elements that go in the correct direction towards achieving regulatory consistency between resolution strategies.

Let me stress, when mentioning consistency, that it is important that different jurisdictions also strive to achieve this objective when introducing the TLAC standard into their regulations. Crisis Management Groups (CMGs) will also play a crucial role in ensuring consistency. Therefore, coordination between the different national authorities participating in these CMGs will be relevant in the application of TLAC. Some examples of these key decisions are:

(1) determining adjustments for Multiple Point of Entry groups regarding the location of deductions and requirements;
(2) identifying material subsidiaries and resolution entities; and
(3) discussions as to whether the minimum TLAC is sufficient to ensure orderly resolution or whether additional firm-specific requirements are needed.

TLAC is quite a demanding new standard. The estimated increase in issuances of TLAC debt is not negligible, if we consider the impact assessment performed by the Financial Stability Board and the Basel Committee: the aggregate shortfall for G-SIBs under the low calibration represents 16.9% of the €4.5 trillion G-SIBs unsecured debt market.
Compliance will be facilitated by the agreed phase-in for TLAC and the replacement of unsecured liabilities maturing in coming years, which will be an important source of TLAC eligible instruments. However, the success of both the roll-over and the issuance of new TLAC-eligible instruments will depend on the absorption capacity of financial markets. In any event, we should monitor compliance with the requirements and any potential unintended impact during the transition period.

4. The plan to address misconduct risks

With the publication of the TLAC term sheet, the Financial Stability Board has virtually completed its work to address the too-big-to-fail problem in the banking sector. But there are other important areas where the FSB is working to fulfil the G20 mandate. In particular, the Financial Stability Board has claimed that the problems of misconduct in some financial institutions have the potential to create systemic risks, considering the scale of the associated fines and sanctions, which could run into the millions, and also the negative impact on confidence.

This is a serious threat that must be properly addressed. The banking business is about trust; if confidence in the financial institutions and markets is lost, the potential for finance to serve the real economy and foster growth will be undermined. In response to this threat, a new area of FSB-coordinated work has been set up. An action plan has been launched which, among other measures, explores the pivotal role played by compensation structures and, more generally, corporate governance frameworks in preventing and mitigating bad practice.
The FSB is examining whether the reforms already in place, mainly as a result of principles and standards issued by the OECD, the Basel Committee and the FSB itself, have proven effective or if, on the contrary, more preventive measures are required.

5. Closing remarks

Let me conclude. Back in 2009 the FSB and other standard-setting bodies (such as the Basel Committee) received a mandate from the G20 to restore the resilience of the financial markets and make future financial crises less frequent and costly. Most of the agreed post-crisis measures are now in place and have already begun to deliver benefits in terms of bank resilience and financial stability.

The Basel Committee intends to finalise the Basel III framework in 2016. In this respect the two main challenges are: (i) to find a solution to measure risks in a sensitive, simple and comparable way; and (ii) to provide calibration of the capital floors and leverage ratio. A key driver for success in this calibration exercise will be having access to accurate data.

I have outlined the main strategic aspects of the new TLAC standard, designed to provide a first line of defence in gone-concern situations. Meeting TLAC and Basel III requirements will pose a challenge for banks.

One of these challenges has to do with the potential systemic impact of misconduct risks, which can undermine confidence. Having in place adequate compensation structures and sound corporate governance frameworks is the best way to tackle this. The Financial Stability Board is leading the work to determine if and when more measures might be needed to ensure a strong culture in the finance industry, so that confidence is preserved and financial markets can continue to serve the real economy.

Thank you for your attention.
I wish you a fruitful and interesting discussion in the rest of the Conference.

US-CERT, Security Tip

Before You Connect a New Computer to the Internet

Why Should I Care About Computer Security?

Computers help us maintain our financial, social, and professional relationships. We use them for banking and bill paying, online shopping, connecting with our friends and family through email and social networking sites, researching data posted on the Internet, and so much more. We rely heavily on our computers to provide these services, yet we sometimes overlook our need to secure them. Because our computers play such critical roles in our lives, and we input and view so much personally identifiable information (PII) on them, it is imperative to maintain computer security that ensures the safe processing and storage of our information.

How Do I Improve the Security of My Home Computer?

Following are important steps you should consider to make your home computer more secure. No single step eliminates your risk, but together these defense-in-depth practices make a home computer considerably harder to compromise.

Connect to a Secure Network

Once your computer is connected to the Internet, it is also reachable from millions of other computers, any of which could be used to attack it. Traffic from the Internet reaches your computer by first passing through your modem, then your router. Cable, DSL and other Internet service providers (ISPs) may claim to provide some level of security monitoring, but the router is the first device you control that receives traffic from the Internet, so securing it is crucial.
Be sure to secure it before you connect to the Internet (see Securing Your Home Network for more information).

Enable and Configure a Firewall

A firewall controls which traffic is allowed to pass between your computer and the Internet. Most modern operating systems include a software firewall, and most home routers have a firewall built in, so a home computer normally sits behind two. Refer to the user's guide for instructions on how to enable each firewall. Once it is enabled, consult the guide to learn how to configure its settings, and set a strong password on the router so that the configuration cannot be changed without your knowledge. (See Understanding Firewalls for more information.)

Install and Use Antivirus and Antispyware Software

Installing antivirus and antispyware software and keeping it up to date is a critical step in protecting your computer. Most such software detects malware by looking for known patterns (signatures) in the files or memory of your computer; the signatures are supplied by the vendor, who publishes new ones frequently as new malware is discovered. Many antivirus and antispyware programs offer automatic updating; enable that feature so your software always has the most current signatures. If automatic updating is not offered, obtain the software and its updates only from a reputable source, such as the vendor's website or installation media from the vendor. (See Understanding Anti-Virus Software.)

Remove Unnecessary Software

Intruders attack your computer by exploiting software vulnerabilities (flaws or weaknesses), so the less software you have installed, the fewer avenues there are for attack.
Check the software installed on your computer. If you don't know what a program does and you don't use it, research it to determine whether it is necessary. Remove any software you don't need once you have confirmed it is safe to remove. Back up important files and data before removing software, in case you accidentally remove something the operating system depends on, and if possible locate the installation media in case you need to reinstall it.

Modify Unnecessary Default Features

Like removing unnecessary software and disabling nonessential services, modifying unnecessary default features eliminates opportunities for attack. Review the features that came enabled by default on your computer and disable or customize those you don't need or plan on using. As with nonessential services, research these features before disabling or modifying them.

Operate Under the Principle of Least Privilege

In most malware infections, the malware can act only with the rights of the logged-in user (unless it also exploits a separate privilege-escalation flaw). To limit the damage malware can do if it does get onto the computer, use a standard (restricted) user account for day-to-day activities and log in with the administrator account, which has full privileges on the system, only when you need to install or remove software or change system settings.

Secure Your Web Browser

Web browsers on new computers usually don't ship with secure default settings. Securing your browser is another critical step, because an increasing number of attacks arrive through the browser. (See Securing Your Web Browser.)
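The firewall step above says to enable the operating system's firewall and configure it, but does not show what a configured policy looks like. The following is an added example, not part of the US-CERT tip: a default-deny host firewall for a Linux home computer, written in nftables syntax. It assumes the machine exposes no services to the network (the empty allowed_in set is where a port would be listed if one were genuinely needed); the set name, the log prefix and the file name host-firewall.nft are choices made for this example.

```nft
#!/usr/sbin/nft -f
# Added example (not from the US-CERT tip): default-deny host firewall for a
# Linux home computer. Assumes no inbound services are needed; the set name,
# log prefix and file name are arbitrary choices made for this example.
# Syntax-check:  sudo nft -c -f host-firewall.nft
# Load:          sudo nft -f host-firewall.nft
# Inspect:       sudo nft list ruleset

flush ruleset

table inet filter {
    # Inbound TCP ports deliberately opened. Empty on purpose: a new
    # computer that exposes no service has nothing to list here.
    set allowed_in {
        type inet_service
    }

    chain input {
        # Default-deny: anything not explicitly accepted below is dropped.
        type filter hook input priority filter; policy drop;

        # Traffic on the loopback interface never leaves the machine.
        iif "lo" accept

        # Drop packets that cannot belong to any valid connection.
        ct state invalid drop

        # Allow replies to connections this machine initiated.
        ct state established,related accept

        # ICMP is needed for error reporting and path MTU discovery, and
        # ICMPv6 for IPv6 neighbour discovery; echo requests are rate-limited
        # rather than blocked so the machine stays diagnosable.
        meta l4proto icmp icmp type { destination-unreachable, time-exceeded, parameter-problem } accept
        meta l4proto icmp icmp type echo-request limit rate 5/second accept
        meta l4proto ipv6-icmp icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept
        meta l4proto ipv6-icmp icmpv6 type echo-request limit rate 5/second accept

        # New inbound connections are accepted only to ports listed in the set.
        tcp dport @allowed_in ct state new accept

        # Log a sample of refused packets so a misconfiguration shows up
        # in the system log; the chain policy then drops them.
        limit rate 10/minute counter log prefix "nft-input-drop: "
    }

    chain forward {
        # A single home computer does not route traffic for other hosts.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        # Outbound connections are allowed; the tip's concern is unsolicited
        # inbound traffic, which the input chain controls.
        type filter hook output priority filter; policy accept;
    }
}
```

The weak setting this replaces is an input chain with policy accept, under which every service that happens to be listening is reachable from the Internet; with policy drop, a service is reachable only after its port has been added to allowed_in. The flush ruleset line replaces whatever rules were loaded before, so keep the whole policy in this one file rather than adding rules piecemeal. Windows Defender Firewall blocks unsolicited inbound connections by default; the example shows what that stance consists of when written out.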
Apply Software Updates and Enable Future Automatic Updates

Most software vendors release updates to patch or fix vulnerabilities, flaws, and weaknesses (bugs) in their software. Because intruders can exploit these bugs to attack your computer, keeping your software updated is important to help prevent infection. (See Understanding Patches.) When you set up a new computer (and after you have completed the previous practices), go to your software vendors’ websites to check for and install all available updates. Enable automatic updates if your vendors offer them; that will ensure your software is always updated, and you won’t have to remember to do it yourself. Many operating systems and software have options for automatic updates. As you’re setting up your new computer, be sure to enable these options if offered. Be cautious, however, because intruders can set up malicious websites that look nearly identical to legitimate sites. Only download software updates directly from a vendor’s website, from a reputable source, or through automatic updating.

Use Good Security Practices

You can do some simple things to improve your computer’s security. Some of the most important are:

Use caution with email attachments and untrusted links. Malware is commonly spread by people clicking on an email attachment or a link that launches the malware. Don’t open attachments or click on links unless you’re certain they’re safe, even if they come from a person you know. Some malware sends itself through an infected computer: while the email may appear to come from someone you know, it really came from a compromised computer.
Be especially wary of attachments with sensational names, emails that contain misspellings, or emails that try to entice you into clicking on a link or attachment (for example, an email with a subject line that reads, “Hey, you won’t believe this picture of you I saw on the Internet!”). (See Using Caution with Email Attachments.)

Use caution when providing sensitive information. Some emails or web pages that appear to come from a legitimate source may actually be the work of an attacker. An example is an email claiming to be sent from a system administrator requesting your password or other sensitive information, or directing you to a website requesting that information. While Internet service providers may request that you change your password, they will never specify what you should change it to or ask you what it is. (See Avoiding Social Engineering and Phishing Attacks.)

Create strong passwords. Passwords that have eight or more characters, use a variety of uppercase and lowercase letters, and contain at least one symbol and number are best. Don’t use passwords that people can easily guess, like your birthday or your child’s name. Password detection software can conduct dictionary attacks to try common words that may be used as passwords, or conduct brute-force attacks where the login screen is pummeled with random attempts until it succeeds. The longer and more complex a password is, the harder these tools have to work to crack it. Also, when setting security verification questions, choose questions for which it is unlikely that an Internet search would yield the correct answer. (See Choosing and Protecting Passwords.)

US-CERT, Security Tip: Securing Your Home Network

How are routers used in your home network?
Home routers have become an integral part of our global communications footprint as use of the Internet has grown to include home-based businesses, telework, schoolwork, social networking, entertainment, and personal financial management. Routers facilitate this broadened connectivity. Most of these devices are preconfigured at the factory and are Internet-ready for immediate use. After installing routers, users often connect immediately to the Internet without performing any additional configuration. Users may be unwilling to add configuration safeguards because configuration seems too difficult or users are reluctant to spend the time with advanced configuration settings. Unfortunately, the default configuration of most home routers offers little security and leaves home networks vulnerable to attack. Small businesses and organizations often use these same home routers to connect to the Internet without implementing additional security precautions and expose their organizations to attack.

Why secure your home router?

Home routers are directly accessible from the Internet, are easily discoverable, are usually continuously powered-on, and are frequently vulnerable because of their default configuration. These characteristics offer an intruder the perfect target to obtain a user’s personal or business data. The wireless features incorporated into many of these devices add another vulnerable target.

How can you prevent unauthorized access to your home network?

The preventive steps listed below are designed to increase the security of home routers and reduce the vulnerability of the internal network against attacks from external sources.

Change the default username and password: These default usernames and passwords are readily available in different publications and are well known to attackers; therefore, they should be immediately changed during the initial router installation.
It’s best to use a strong password, consisting of letters, numbers, and special characters totaling at least 14 characters. Manufacturers set default usernames and passwords for these devices at the factory for their troubleshooting convenience. Furthermore, change passwords every 30 to 90 days. See Choosing and Protecting Passwords for more information on creating a strong router password.

Change the default SSID: A service set identifier (SSID) is a unique name that identifies a particular wireless local area network (WLAN). All wireless devices on a WLAN must use the same SSID to communicate with each other. Manufacturers set a default SSID at the factory, and this SSID typically identifies the manufacturer or the actual device. An attacker can use the default SSID to identify the device and exploit any of its known vulnerabilities. Users sometimes set the SSID to a name that reveals their organization, their location, or their own name. This information makes it easier for the attacker to identify the specific business or home network based upon an SSID that explicitly displays the organization’s name, the organization’s location, or an individual’s own name. For example, an SSID that broadcasts a company name is a more attractive target than an SSID broadcasting “ABC123.” Using default or well-known SSIDs also makes brute force attacks against WPA2 keys easier. When choosing an SSID, make the SSID unique, and not tied to your personal or business identity.

Don’t stay logged in to the management website for your router: Routers usually provide a website for users to configure and manage the router. Do not stay logged into this website, as a defense against cross-site request forgery (CSRF) attacks. In this context, a CSRF attack would transmit unauthorized commands from an attacker to the router’s management website.
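To make the password guidance concrete (the “Create strong passwords” tip above asks for eight or more characters with uppercase and lowercase letters, a number and a symbol; the router guidance asks for at least 14 characters), here is an added example written for this newsletter excerpt, not code from US-CERT. It checks a candidate password against those rules and estimates how much work a brute-force attack faces as length and character variety grow, which is the claim behind “the longer and more complex a password is, the harder these tools have to work.” The guesses-per-second figure and the tiny word list are constructed assumptions.

```python
import math
import string

# Constructed stand-in for the word lists a dictionary attack tries first;
# real lists contain millions of entries.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "123456", "iloveyou"}

# Character classes that together make up the search space a brute-force
# attack must cover: (alphabet, size).
CLASSES = {
    "lowercase": (string.ascii_lowercase, 26),
    "uppercase": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, len(string.punctuation)),  # 32 printable symbols
}


def policy_violations(password, min_length=8):
    """Return the rules from the tip that the password fails (empty list = passes).

    min_length=8 matches the general tip; pass 14 for the router password guidance.
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    for name, (alphabet, _) in CLASSES.items():
        if not any(c in alphabet for c in password):
            violations.append(f"no {name}")
    if password.lower() in COMMON_WORDS:
        violations.append("dictionary word")
    return violations


def charset_size(password):
    """Size of the smallest alphabet built from the classes the password actually uses."""
    return sum(size for alphabet, size in CLASSES.values()
               if any(c in alphabet for c in password))


def search_space_bits(password):
    """log2 of the number of candidates a brute-force attack must try in the worst case."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password, guesses_per_second=1e10):
    """Worst-case time to try every candidate of the same length and classes.

    guesses_per_second is a constructed assumption standing in for an offline
    cracking rig; the ratio between two passwords is the instructive part.
    """
    candidates = charset_size(password) ** len(password)
    return candidates / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["password", "Password1", "Tr0ub4dor&3", "Correct-Horse-Battery-9"]:
        print(f"{pw!r}: violations={policy_violations(pw)}, "
              f"{search_space_bits(pw):.1f} bits, "
              f"{years_to_exhaust(pw):.2e} years to exhaust")
```

Going from 8 to 14 characters over the same four classes multiplies the worst-case work by 94 to the sixth power (roughly 7 times 10 to the 11th), which is why the router guidance favours length over cleverness; the dictionary check is there because a brute-force estimate is meaningless for a password that a word list reaches in the first few thousand guesses.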
Configure Wi-Fi Protected Access 2 (WPA2) with Advanced Encryption Standard (AES) for data confidentiality: Some home routers still use Wired Equivalent Privacy (WEP), which is not recommended. In fact, if your router or device supports only WEP, but not other encryption standards, you should upgrade your network device. One newer standard, WPA2-AES, encrypts the communication between the wireless router and the wireless computing device, providing stronger authentication and authorization between the devices. WPA2 incorporates the Advanced Encryption Standard (AES) 128-bit encryption that is encouraged by the National Institute of Standards and Technology (NIST). WPA2 with AES is the most secure router configuration for home use.

Immediately disable WPS: Wi-Fi Protected Setup (WPS) provides simplified mechanisms to configure moderately secure wireless networks. A design flaw that exists in the WPS specification for the PIN authentication significantly reduces the time required to brute force the entire PIN because it allows an attacker to know when the first half of the 8-digit PIN is correct. The lack of a proper lockout policy after a certain number of failed attempts to guess the PIN on many wireless routers makes a brute-force attack much more likely to occur.

Limit WLAN signal emissions: WLAN signals frequently broadcast beyond the perimeters of your home or organization. This extended emission allows eavesdropping by intruders outside your network perimeter. Therefore, it’s important to consider antenna placement, antenna type, and transmission power levels. Local area networks (LANs) are inherently more secure than WLANs because they are protected by the physical structure in which they reside. Limit the broadcast coverage area when securing your WLAN.
A centrally located, omnidirectional antenna is the most common type used. If possible, use a directional antenna to restrict WLAN coverage to only the areas needed. Experimenting with transmission levels and signal strength will also allow you to better control WLAN coverage. Note that a sensitive antenna may pick up signals from further away than expected; a motivated attacker may still be able to reach an access point that has limited coverage.

Turn the network off when not in use: While it may be impractical to turn the devices off and on frequently, consider this approach during travel or extended offline periods. The ultimate in wireless security measures—shutting down the network—will definitely prevent outside attackers from being able to exploit your WLAN.

Disable UPnP when not needed: Universal Plug and Play (UPnP) is a handy feature allowing networked devices to seamlessly discover and establish communication with each other on the network. Though the UPnP feature eases initial network configuration, it is also a security hazard. For example, malware within your network could use UPnP to open a hole in your router firewall to let intruders in. Therefore, disable UPnP unless you have a specific need for it.

Upgrade firmware: Just like software on your computers, the router firmware (the software that operates it) must have current updates and patches. Many of the updates address security vulnerabilities that could affect the network. When considering a router, check the manufacturer’s website to see if it provides updates to address security vulnerabilities.

Disable remote management: Disable this to keep intruders from establishing a connection with the router and its configuration through the wide area network (WAN) interface.
Monitor for unknown device connections: Use your router’s management website to determine if any unauthorized devices have joined or attempted to join your network. If an unknown device is identified, a firewall or media access control (MAC) filtering rule can be applied on the router. For further information on how to apply these rules, see the literature provided by the manufacturer or the manufacturer’s website.

Note: If you must use WEP, it should be configured with the 128-bit key option and the longest pre-shared key the router administrator can manage. Note that WEP at its "strongest" is still easily cracked.

NISTIR 7987 Revision 1
Policy Machine: Features, Architecture, and Specification
David Ferraiolo, Serban Gavrila, Wayne Jansen

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology. ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems.

Note

This version (Revision 1) of NISTIR 7987 revises the original publication (dated May 2014). Changes were made to reorganize and improve the content of the report, incorporate additional material, and bring the report into close alignment with the terminology and notation of the emerging NGAC-GOADS standard.
This report, while aligned with NGAC-GOADS, provides additional details and background material that are intended to aid readers in understanding the function and operation of the access control model and provide insight into its implementation.

Introduction

Access control as it pertains to a computing environment is the ability to allow or prevent an entity from using a computing resource in some specific manner. A common example of resource use is reading a file. Access control has two distinct parts: policy definition, where access authorizations to resources are specified, and policy enforcement, where attempts to access resources are intercepted and allowed or disallowed. An access control policy is a comprehensive set of access authorizations that govern the use of computing resources system wide.

Controlling access to sensitive data in accordance with policy is perhaps the most fundamental security requirement that exists. Yet, despite more than four decades of security research, existing access control mechanisms have a limited ability to enforce a wide, comprehensive range of policies, and instead enforce a specific type of policy. Most, if not all, significant information systems employ some means of access control. The main reason is that without sufficient access control, the service being provisioned would likely be undermined.

Many types of access control policies exist. An enforcement mechanism for a specific type of access control policy is normally inherent in any computing platform. Applications built upon a computing platform typically make use of the access control capabilities available in some way to suit their needs. An application may also institute its own distinct layer of access controls for the objects formed and manipulated at the level of abstraction it provides.
A common example of an application abstraction layer is a database application that implements a role-based access control mechanism, while operating on a host computer that implements a more elementary discretionary access control mechanism. When composing different computing platforms to implement an information system, a policy mismatch can occur. A policy mismatch arises when the narrow range of policies supported by the various access control mechanisms involved have differences that make them incompatible for meeting a specific need. In some cases, it is possible to work around limitations in the ability of all platforms to express a consistent access control policy by mapping equivalences between the available access control constructs to effect the intended policy. For example, a traditional multi-level access control system that supports information flow policies has been demonstrated as capable of effecting role-based access control policies through carefully designed and administered configuration options. However, such mappings require that the correct semantic context is used consistently when administering policy, which can be mentally taxing and error-inducing, and prevent the desired policy from being maintained correctly in the information system.

NIST has devised a general-purpose access control framework, referred to as the Policy Machine (PM), which can express and enforce arbitrary, organization-specific, attribute-based access control policies through policy configuration settings. The PM is defined in terms of a fixed set of configurable data relations and a fixed set of functions that are generic to the specification and enforcement of combinations of a wide set of attribute-based access control policies.
The PM offers a new perspective on access control in terms of a fundamental and reusable set of data abstractions and functions. The goal of the PM is to provide a unifying framework that supports commonly known and implemented access control policies, as well as combinations of common policies, and policies for which no access control mechanism presently exists. Access control policies typically span numerous systems and applications used by an organization. However, when users need to access resources that are protected under different control mechanisms, the type and range of policies supported by each mechanism can differ vastly, creating policy mismatches. If the PM framework were reified in every computing platform, obvious benefits would be not only the elimination of policy mismatches, but also the ability to meet organizational security requirements readily, since a wider range of arbitrary policies could be expressed uniformly throughout the platforms that comprise an information system.

The PM can arguably be viewed as a dramatic shift in the way policy can be specified and enforced. But more importantly, it can also be viewed as a way to develop applications more effectively by taking advantage of the control features offered by the PM and using them to meet the access control needs for objects within the layer of abstraction the application provides.
That is, the PM framework affords applications a single generic facility that can not only enforce access control policies comprehensively across distributed and centralized operating environments, but also subsume aspects involving the characterization, distribution, and control of implemented capabilities, resulting in a dramatic alleviation of many of the administrative, policy enforcement, data interoperability, and usability challenges faced by enterprises today.

Purpose and Scope

The purpose of this Internal Report (IR) is to provide an overview of the PM and guidelines for its implementation. The report explains the basics of the PM framework and discusses the range of policies that can be specified and enacted. It also describes the architecture of the PM and the details of key functional components. The intended audience for this document includes the following categories of individuals:

• Computer security researchers interested in access control and authorization frameworks
• Security professionals, including security officers, security administrators, auditors, and others with responsibility for information technology security
• Executives and technology officers involved in decisions about information technology security products
• Information technology program managers concerned with security measures for computing environments.

This document, while technical in nature, provides background information to help readers understand the topics that are covered. The material presumes that readers have a basic understanding of computer security and possess fundamental operating system and networking expertise.

Background

Classical access control models and mechanisms are defined in terms of subjects (S), access rights (A), and named objects (O).
Users represent individuals who directly interact with a system and have been authenticated and established their identities. A user identity is unique and maps to only one individual. A user is unable to access objects directly, and instead must perform accesses through a subject. A subject represents a user and any system process or entity that acts on behalf of a user. Subjects are the active entities of a system that can cause a flow of information between objects or change the security state of the system.

Objects are system entities that must be protected. Each object has a unique system-wide identifier. The set of objects may pertain to processes, files, ports, and other system abstractions, as well as system resources such as printers. Subjects may also be included in the set of objects. In effect, this allows them to be governed by another subject. That is, the governing subject can administer the access of such subjects to objects under its control. The selection of entities included in the set of objects is determined by the protection requirements of the system.

Subjects operate autonomously and may interact with other subjects. Subjects may be permitted modes of access to objects that are different from those of other subjects. When a subject attempts to access an object, a reference mediation function determines whether the subject’s assigned permissions adequately satisfy policy before allowing the access to take place. In addition to carrying out user accesses, a subject may maliciously (e.g., through a Trojan horse) or inadvertently (e.g., through a coding error) make requests that are unknown to and unwanted by its user.

An access matrix provides a simple representation of the access modes to an object for which a subject is authorized [Lam71, Gra72, Har76].
Figure 1 provides a simple illustration of an access matrix. Each row of the matrix represents a subject, S_i, while each column represents an object, O_j. Each entry, A_i,j, at the intersection of a row and column of the matrix, contains the set of access rights for the subject to the object.

The access matrix model, while simple, can express a broad range of policies, because it is based on a general form of an access rule (i.e., subject, access mode, object), and imposes little restriction on the rule itself. Since, in most situations, subjects do not need access rights to most objects, the matrix is typically sparse. Several more space-efficient representations have been proposed as alternatives. An authorization relation, for example, represents an access matrix as a list of triples of the form (S_i, A_i,j, O_j). Each triple represents the access rights of a subject to an object, and this representation is typically used in relational database systems.

Access control and capability lists are two other forms of representation. An access control list (ACL) is associated with each object in the matrix and corresponds to a column of the access matrix. Each access entry in the ACL contains the pair (S_i, A_i,j), which specifies the subjects that can access the object, along with each subject’s rights or modes of access to the object. ACLs are widely used in present-day operating systems. Similarly, a capability list is associated with each subject and corresponds to a row of the matrix. Each entry in a capability list is the pair (A_i,j, O_j), which specifies the objects the subject can access, along with its access rights to each object. A capability list can thus be thought of as the inverse of an access control list. Capability lists, when bound with the identity of the subject, have use in distributed systems.
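The three representations above, worked through in code as an added example (constructed for this excerpt, not code from the NIST report): a small sparse access matrix is flattened into the (S_i, A_i,j, O_j) authorization relation, sliced into per-object ACLs and per-subject capability lists, and rebuilt from the ACLs to show that the column and row views carry the same information. Two reference mediation functions then show the practical difference between the views: with ACLs a subject can name any object and the mechanism consults that object’s list, whereas with capabilities a subject can only present a capability it already holds. The subject and object names are constructed sample data.

```python
# Constructed sample access matrix: rows are subjects S_i, columns are objects O_j,
# and each cell A_i,j holds the set of access rights the subject has on the object.
# Absent cells are empty, which is the normal (sparse) case.
SUBJECTS = ["alice", "bob", "carol"]
OBJECTS = ["payroll.db", "report.txt", "printer"]
MATRIX = {
    "alice": {"payroll.db": {"read", "write"}, "report.txt": {"read"}},
    "bob": {"report.txt": {"read", "write"}, "printer": {"print"}},
    "carol": {},
}


def authorization_relation(matrix):
    """Flatten the matrix into (S_i, A_i,j, O_j) triples, one per non-empty cell."""
    triples = [
        (subject, frozenset(rights), obj)
        for subject, row in matrix.items()
        for obj, rights in row.items()
        if rights
    ]
    return sorted(triples, key=lambda t: (t[0], t[2]))


def access_control_lists(matrix, objects):
    """Column view: for each object, the list of (subject, rights) pairs."""
    acls = {obj: [] for obj in objects}
    for subject, row in matrix.items():
        for obj, rights in row.items():
            if rights:
                acls[obj].append((subject, frozenset(rights)))
    return acls


def capability_lists(matrix):
    """Row view: for each subject, the list of (rights, object) pairs it holds."""
    return {
        subject: [(frozenset(rights), obj) for obj, rights in row.items() if rights]
        for subject, row in matrix.items()
    }


def matrix_from_acls(acls, subjects):
    """Rebuild the matrix from its ACLs: the two views are inverses of each other."""
    matrix = {subject: {} for subject in subjects}
    for obj, entries in acls.items():
        for subject, rights in entries:
            matrix[subject][obj] = set(rights)
    return matrix


def mediate_with_acl(acls, subject, mode, obj):
    """ACL mediation: the subject may name any object; the mechanism then looks
    for an entry on that object's list granting this subject the requested mode."""
    if obj not in acls:
        return False  # no such object in the system
    return any(s == subject and mode in rights for s, rights in acls[obj])


def mediate_with_capabilities(caps, subject, mode, obj):
    """Capability mediation: the subject can only present a capability it holds,
    so an object it holds no capability for cannot even be named."""
    for rights, held_obj in caps.get(subject, []):
        if held_obj == obj:
            return mode in rights
    return False


if __name__ == "__main__":
    acls = access_control_lists(MATRIX, OBJECTS)
    caps = capability_lists(MATRIX)
    print("authorization relation:", authorization_relation(MATRIX))
    print("ACL for report.txt:", acls["report.txt"])
    print("capabilities of bob:", caps["bob"])
    for subject, mode, obj in [("alice", "write", "payroll.db"),
                               ("bob", "read", "payroll.db"),
                               ("carol", "print", "printer")]:
        print(subject, mode, obj,
              "ACL:", mediate_with_acl(acls, subject, mode, obj),
              "CAP:", mediate_with_capabilities(caps, subject, mode, obj))
```

Both mediation functions return the same decisions for the same matrix; what differs is where the check lives (on the object or with the subject) and, as a consequence, which data structure must be protected from tampering for the decisions to remain trustworthy.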
A key difference between the capability list and access control list is the subject’s ability to identify objects in the latter. With an access control list, a subject can identify any object in the system and attempt access; the access control mechanism can then mediate the access attempt using the object’s access list to verify whether the subject is authorized the requested mode of access. In a capability system, a subject can identify only those objects for which it holds a capability. Possessing a capability for the object is a requisite for the subject to attempt access to an object, which is then mediated by the reference mediation function. Both the contents of access control and capability lists, as well as the access control mechanism itself, must be protected from compromise to prevent unauthorized subjects from gaining access to an object.

Access Control Models

Discretionary models form a broad class of access control models. Discretionary in this context means that subjects, which represent users as opposed to administrators, are allowed some freedom to manipulate the authorizations of other subjects to access objects. Non-discretionary models are the complement of discretionary models, insofar as they require that access control policy decisions are regulated by a central authority, not by the individual owner of an object. That is, authorizations to objects can be changed only through the actions of subjects representing administrators, and not by those representing users. With non-discretionary models, subjects and objects are typically classified into or labeled with distinct categories. Category-sensitive access rules that are established through administration completely govern the access of a subject to an object and are not modifiable at the discretion of the subject.
Many different access control models, both discretionary and non-discretionary, have been developed to suit a variety of purposes. Models are often developed or influenced by well-conceived organizational policies for controlling access to information, whose key properties are generalized, abstracted, and described in some formal or semi-formal notation. Therefore, models typically differ from organizational policy in several ways. As mentioned, models deal with abstractions that involve a formal or semi-formal definition, from which the presence or lack of certain properties may be demonstrated. Organizational policy, on the other hand, is usually a more informally stated set of high-level guidelines that provide a rationale for the way accesses are to be controlled, and may also give decision rules about permitting or denying certain types of access. Policies may also be incomplete, include statements at variable levels of discourse, and contain self-contradictions, while models typically involve only essential conceptual artifacts, are composed at a uniform level of discourse, and provide a consistent set of logical rules for access control.

Organizational objectives and policy for access control may not align well with those of a particular access control model. For example, some models enforce a strict policy that may be too restrictive for some organizations to carry out their mission, but essential for others. Even if alignment between the two is strong, in general, the organizational access control policy may not be satisfied fully by the model. For example, different federal agencies can have different conformance directives regarding privacy that must be met, which affect the access control policy. Nevertheless, access control models can provide a strong baseline from which organizational policy can be satisfied.
Well-known models include Discretionary Access Control, Mandatory Access Control, Role Based Access Control, One-directional Information Flow, Chinese Wall, Clark-Wilson, and N-person Control. Several of these models are discussed below to give an idea of the scope and variability between models. They are also used later in the report to demonstrate how seemingly different models can be expressed using the Policy Machine model.

It is important to keep in mind that models are written at a high conceptual level, which stipulates concisely the scope of policy and the desired behavior between defined entities, but not the security mechanisms needed to reify the model for a specific computational environment, such as an operating system or database management system. While certain implementation aspects may be inferred from an access control model, such models are normally implementation free, insofar as they do not dictate how an implementation and its security mechanisms should be organized or constructed. These aspects of security are addressed through information assurance processes.

Discretionary Access Control (DAC)

The access matrix discussed in the previous section was originally envisioned as a discretionary access control (DAC) model. Many other DAC models have been derived from the access matrix and share common characteristics. The access matrix was later formalized as the now well-known HRU model and used to analyze the complexity of computing the safety properties of the model, which was found to be undecidable. DAC policies can be expressed in the HRU model, but DAC should not be equated to it, since the HRU model is policy neutral and can also be used to express access control policies that are non-discretionary.
In addition to an administrator’s ability to manipulate a subject’s authorization to access objects, a DAC access matrix model leaves a certain amount of control to the discretion of the object's owner. Ownership of an object is typically conferred to the subject that created the object, along with the capabilities to read and write the object. For example, it is the owner of the file who can control other subjects' accesses to the file. Control then implies possession of administrative capabilities to create and modify access control entries associated with a set of other subjects, which pertain to owned objects. Control may also involve the transfer of ownership to other subjects. Only those subjects specified by the owner may have some combination of permissions to the owner’s files.

DAC policy tends to be very flexible and is widely used in the commercial and government sectors. However, DAC potentially has two inherent weaknesses. The first is the inability for an owner to control access to an object once permissions are passed on to another subject. For example, when one user grants another user read access to a file, nothing stops the recipient user from copying the contents of the file to an object under its exclusive control. The recipient user may now grant any other user access to the copy of the original file without the knowledge of the original file owner. Some DAC models have the ability to control the propagation of permissions. The second weakness is vulnerability to Trojan horse attacks, which is a common weakness for all DAC models. In a Trojan horse attack, a process operating on behalf of a user may contain malware that surreptitiously performs other actions unbeknownst to the user.

Mandatory Access Control

Mandatory Access Control (MAC) is a prime example of a non-discretionary access control model.
MAC has its origins with military and civilian government security policy, where individuals are assigned clearances and messages, reports, and other forms of data are assigned classifications. The security level of user clearances and of data classifications governs whether an individual can gain access to data. For example, an individual can read a report only if the security level of the report is classified at or below his or her level of clearance.

Defining MAC for a computer system requires assignment of a security level to each subject and each object. Security levels form a strict hierarchy such that security level x dominates security level y if and only if x is greater than or equal to y within the hierarchy. The U.S. military security levels of Top Secret, Secret, Confidential, and Unclassified are a good example of a strict hierarchy. Access is determined based on the security levels assigned to subjects and objects and the dominance relation between the subject's and object's assigned security levels.

The security objective of MAC is to restrict the flow of information from an entity at one security level to an entity at a lesser security level. Two properties accomplish this. The simple security property specifies that a subject is permitted read access to an object only if the subject's security level dominates the object's security level. The *-property specifies that a subject is permitted write access to an object only if the object's security level dominates the subject's security level. Indirectly, the *-property, also referred to as the confinement property, prevents the transfer of data from an object of a higher level to an object of a lower classification and is required to maintain system security in an automated environment.
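As an added example (not code from the NIST report), the following models the DAC access matrix and its Trojan horse weakness described earlier beside the MAC dominance checks above; it also models both forms of tranquility, including the high water mark, that the report describes next. Subjects, file names and levels are constructed.

```python
"""DAC access matrix beside MAC dominance checks. Added example, not code from
the NIST report; subjects, objects, file names and levels are constructed."""


# ---- Discretionary Access Control: an access matrix where the owner decides ----
class DacMatrix:
    def __init__(self):
        self.rights = {}   # subject -> {object -> set of rights}
        self.owner = {}    # object -> owning subject

    def create(self, subject, obj):
        """The creator becomes owner and receives read and write on the object."""
        self.owner[obj] = subject
        self.rights.setdefault(subject, {})[obj] = {"read", "write"}

    def grant(self, grantor, grantee, obj, right):
        """Only the owner may add access control entries for other subjects."""
        if self.owner.get(obj) != grantor:
            raise PermissionError(f"{grantor} does not own {obj}")
        self.rights.setdefault(grantee, {}).setdefault(obj, set()).add(right)

    def allowed(self, subject, obj, right):
        return right in self.rights.get(subject, {}).get(obj, set())


def dac_trojan_leak():
    """carol grants alice read on payroll.txt. A Trojan horse inside a process
    running as alice copies the contents into notes.txt, which alice owns, and
    grants bob read on it. Every step is a legitimate owner action, so DAC
    permits the leak and carol is never consulted."""
    dac = DacMatrix()
    dac.create("carol", "payroll.txt")
    dac.grant("carol", "alice", "payroll.txt", "read")
    dac.create("alice", "notes.txt")                 # copy target alice controls
    dac.grant("alice", "bob", "notes.txt", "read")
    return (dac.allowed("alice", "payroll.txt", "read")
            and dac.allowed("bob", "notes.txt", "read"))   # True


# ---- Mandatory Access Control: dominance, simple security and *-property ----
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}


def dominates(x, y):
    """x dominates y iff x is at or above y in the strict hierarchy."""
    return LEVELS[x] >= LEVELS[y]


class MacSession:
    """A subject operating under MAC. Strong tranquility: the session level is
    the user's clearance and never changes. Weak tranquility (high water mark):
    the session starts at the lowest level and rises, never falls, as higher
    objects are read; objects it creates take the level held at that time."""

    def __init__(self, clearance, obj_levels, high_water_mark=False):
        self.clearance = clearance
        self.obj_levels = obj_levels     # shared map: object -> security level
        self.hwm = high_water_mark
        self.level = "Unclassified" if high_water_mark else clearance

    def read(self, obj):
        target = self.obj_levels[obj]
        if self.hwm and not dominates(self.level, target):
            if not dominates(self.clearance, target):
                return False             # the clearance still bounds the session
            self.level = target          # raise the high water mark, never lower it
        return dominates(self.level, target)      # simple security property

    def write(self, obj):
        if obj not in self.obj_levels:   # a new object takes the session's level
            self.obj_levels[obj] = self.level
            return True
        return dominates(self.obj_levels[obj], self.level)   # *-property


def mac_blocks_trojan(high_water_mark):
    """The same Trojan horse under MAC: payroll.txt is Secret, notes.txt is
    Unclassified. Returns (write to notes.txt allowed?, bob can read the copy?)."""
    obj_levels = {"payroll.txt": "Secret", "notes.txt": "Unclassified"}
    alice = MacSession("Secret", obj_levels, high_water_mark)
    assert alice.read("payroll.txt")             # Secret dominates Secret
    write_down = alice.write("notes.txt")        # denied by the *-property
    alice.write("copy.txt")                      # new object is labelled Secret
    bob = MacSession("Unclassified", obj_levels, high_water_mark)
    return write_down, bob.read("copy.txt")      # (False, False)
```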
These two properties are supplemented by the tranquility property, which can take either of two forms: strong and weak. Under the strong tranquility property, the security level of a subject or object does not change while the object is being referenced. The strong tranquility property serves two purposes. First, it associates a subject with a security level. Second, it prevents a subject from reading data with a high security level, storing the data in memory, switching its level to a low security level, and writing the contents of its memory to an object at that lower level.

Under the weak tranquility property, labels are allowed to change, but never in a way that can violate the defined security policy. It allows a session to begin in the lowest security level, regardless of the user's security level, and increases that level only if objects at higher security levels are accessed. Once increased, the session security level can never be reduced, and all objects created or modified take on the security level held by the session at the time when the object was created or modified, regardless of its initial security level. This is known as the high water mark principle.

Because of the constraints placed on the flow of information, MAC models prevent software infected with a Trojan horse from violating policy. Information can flow within the same security level or higher, preventing leakage to a lower level. However, information can pass through a covert channel in MAC, where information at a higher security level is deduced by inference, such as assembling and intelligently combining information of a lower security level.

Chinese Wall

The Chinese Wall policy evolved to address conflict-of-interest issues related to consulting activities within banking and other financial disciplines.
The stated objective of the Chinese Wall policy and its associated model is to prevent illicit flows of information that can result in conflicts of interest. The Chinese Wall model is based on several key entities: subjects, objects, and security labels. A security label designates the conflict-of-interest class and the company dataset of each object. The Chinese Wall policy is application-specific in that it applies to a narrow set of activities that are tied to specific business transactions. Consultants or advisors are naturally given access to proprietary information to provide a service for their clients. When a consultant gains access to the competitive practices of two banks, for instance, the consultant essentially obtains insider information that could be used to profit personally or to undermine the competitive advantage of one or both of the institutions.

The Chinese Wall model establishes a set of access rules that comprises a firewall or barrier, which prevents a subject from accessing objects on the wrong side of the barrier. It relies on the consultant's dataset to be logically organized such that each company dataset belongs to exactly one conflict of interest class, and each object belongs to exactly one company dataset or the dataset of sanitized objects within a specially designated, non-conflict-of-interest class. A subject can have access to at most one company dataset in each conflict of interest class. However, the choice of dataset is at the subject's discretion. Once a subject accesses (i.e., reads or writes) an object in a company dataset, the only other objects accessible by that subject lie within the same dataset or within the datasets of a different conflict of interest class.
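The Chinese Wall read rule above, together with the write rule and the limitation the report notes next, as an added example (not code from the NIST report); the conflict-of-interest classes, company datasets and object names are constructed.

```python
"""Chinese Wall access rules. Added example, not code from the NIST report;
the conflict-of-interest classes, datasets and object names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Obj:
    name: str
    coi_class: str            # conflict-of-interest class, e.g. "banks"
    dataset: str              # company dataset the object belongs to
    sanitized: bool = False   # True only for the designated non-conflict class


class ChineseWall:
    def __init__(self, objects):
        self.objects = {o.name: o for o in objects}
        self.history = {}     # subject -> names of objects it has read or written

    def _accessed(self, subject):
        return [self.objects[n] for n in self.history.get(subject, ())]

    def can_read(self, subject, name):
        """Sanitized objects are always readable. Otherwise the object must lie
        in a dataset the subject already chose, or in a conflict-of-interest
        class in which the subject has not yet chosen any dataset."""
        o = self.objects[name]
        if o.sanitized:
            return True
        return not any(p.coi_class == o.coi_class and p.dataset != o.dataset
                       for p in self._accessed(subject))

    def can_write(self, subject, name):
        """Write is refused if the subject has read an unsanitized object from a
        different company dataset, since its contents could cross the wall.
        (Interpreted here as 'has accessed', which matches the limitation the
        report notes: after reading two datasets the subject cannot write.)"""
        o = self.objects[name]
        if not self.can_read(subject, name):
            return False
        return not any(not p.sanitized and p.dataset != o.dataset
                       for p in self._accessed(subject))

    def access(self, subject, name, mode):
        """Record the access if permitted; the choice of dataset is the subject's."""
        if mode == "read":
            ok = self.can_read(subject, name)
        else:
            ok = self.can_write(subject, name)
        if ok:
            self.history.setdefault(subject, set()).add(name)
        return ok


def consultant_walkthrough():
    """Walk one consultant through the rules and the limitation noted in the text."""
    wall = ChineseWall([
        Obj("bankA_accounts", "banks", "BankA"),
        Obj("bankB_accounts", "banks", "BankB"),
        Obj("oilX_strategy", "oil", "OilX"),
        Obj("market_summary", "none", "public", sanitized=True),
    ])
    s = "consultant"
    result = {}
    result["read BankA"] = wall.access(s, "bankA_accounts", "read")      # True: free choice
    result["read BankB"] = wall.access(s, "bankB_accounts", "read")      # False: wrong side
    result["read sanitized"] = wall.access(s, "market_summary", "read")  # True: always
    result["write BankA"] = wall.access(s, "bankA_accounts", "write")    # True: only dataset read
    result["write OilX"] = wall.access(s, "oilX_strategy", "write")      # False: BankA data could flow
    result["read OilX"] = wall.access(s, "oilX_strategy", "read")        # True: other class
    result["write BankA again"] = wall.access(s, "bankA_accounts", "write")  # False: two datasets read
    return result
```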
In addition, a subject can write to a dataset only if it does not have read access to an object that contains unsanitized information (i.e., information not treated to prevent discovery of a corporation's identity) and is in a company dataset different from the one for which write access is requested. The following limitations in the formulation of the Chinese Wall model have been noted: a subject that has read objects from two or more company datasets cannot write at all, and a subject that has read objects from exactly one company dataset can write only to that dataset. These limitations occur because subjects include both users and processes acting on behalf of users, and can be resolved by interpreting the model differently to differentiate users from subjects.

The policy rules of the model are also more restrictive than necessary to meet the stated conflict-of-interest avoidance objective. For instance, as already mentioned, once a subject has read objects from two or more company datasets, it can no longer write to any dataset. However, if the datasets reside in different conflict-of-interest classes, no violation of the policy would result were the subject allowed to write to those objects. That is, while the policy rules are sufficient to preclude a conflict of interest from occurring, they are not necessary from a formal logic perspective, since actions that do not incur a conflict of interest are also prohibited by the rules.

Role Based Access Control

The Role Based Access Control (RBAC) model governs the access of a user to information through roles that the user is authorized to perform. RBAC is a more recent access control model than those described above. It is based on several entities: users (U), roles (R), permissions (P), sessions (S), and objects (O).
A user represents an individual or an autonomous entity of the system. A role represents a job function or job title that carries with it some connotation of the authority held by a member of the role. Access authorizations on objects are specified for roles, instead of users. A role is fundamentally a collection of permissions to use resources appropriate to conduct a particular job function, while a permission represents a mode of access to one or more objects of a system. Objects represent the protected resources of a system. Users are given authorization to operate in one or more roles, but must utilize a session to gain access to a role. A user may invoke one or more sessions, and each session relates a user to one or more roles. The concept of a session within the RBAC model is equivalent to the more traditional notion of a subject discussed earlier.

When a user operates within a role, it acquires the capabilities assigned to the role. Other roles authorized for the user, which have not been activated, remain dormant and the user does not acquire their associated capabilities. Through this role activation function, the RBAC model supports the principle of least privilege, which requires that a user be given no more privilege than necessary to perform a job. Another important feature of RBAC is role hierarchies, whereby one role at a higher level can acquire the capabilities of another role at a lower level, through an explicit inheritance relation. A user assigned to a role at the top of a hierarchy is also indirectly associated with the capabilities of roles lower in the hierarchy and acquires those capabilities as well as those assigned directly to the role. Standard RBAC also provides features to express policy constraints involving Separation of Duty (SoD) and cardinality.
SoD is a security principle used to formulate multi-person control policies in which two or more roles are assigned responsibility for the completion of a sensitive transaction, but a single user is allowed to serve only in some distinct subset of those roles (e.g., not allowed to serve in more than one of two transaction-sensitive roles). Cardinality constraints that limit a role's capacity to a fixed number of users have been incorporated into SoD relations in standard RBAC. Two types of SoD relations exist: static separation of duty (SSD) and dynamic separation of duty (DSD). SSD relations place constraints on the assignments of users to roles, whereby membership in one role may prevent the user from being a member of another role, thereby presumably forcing the involvement of two or more users in performing a sensitive transaction that would involve the capabilities of both roles. Dynamic separation of duty relations, like SSD relations, limit the capabilities that are available to a user, while adding operational flexibility, by placing constraints on roles that can be activated within a user's sessions. As such, a user may be a member of two roles in DSD, but unable to execute the capabilities that span both roles within a single session.

Certain access control models may be simulated or represented by another. For example, MAC can simulate RBAC if the role hierarchy graph is restricted to a tree structure rather than a partially ordered set [Kuh98]. RBAC is also policy neutral, and sufficiently flexible and powerful enough to simulate both DAC and MAC. Prior to the development of RBAC, MAC and DAC were considered to be the only classes of models for access control; if a model was not MAC, it was considered to be a DAC model, and vice versa.
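The RBAC entities, role hierarchy, sessions and SSD/DSD relations described above, as an added example that is not code from the NIST report; the users, roles and permissions are constructed, and the SoD relations take the (role set, n) form of standard RBAC.

```python
"""RBAC with sessions, a role hierarchy and SoD constraints. Added example, not
code from the NIST report; users, roles and permissions are constructed."""


class Rbac:
    def __init__(self):
        self.perms = {}        # role -> (operation, object) pairs assigned directly
        self.juniors = {}      # role -> roles it inherits from (role hierarchy)
        self.user_roles = {}   # user -> roles the user is authorized for
        self.ssd = []          # (role set, n): no user may hold n or more of them
        self.dsd = []          # (role set, n): no session may activate n or more
        self.sessions = {}     # session id -> [user, set of active roles]

    def add_role(self, role, perms=(), inherits=()):
        self.perms[role] = set(perms)
        self.juniors[role] = set(inherits)

    def role_perms(self, role):
        """Permissions of a role plus everything inherited down the hierarchy."""
        acquired, seen, todo = set(), set(), [role]
        while todo:
            r = todo.pop()
            if r in seen:
                continue
            seen.add(r)
            acquired |= self.perms[r]
            todo.extend(self.juniors[r])
        return acquired

    def assign(self, user, role):
        """Static SoD: refuse an assignment that would give the user too many
        roles from one constrained set."""
        held = self.user_roles.get(user, set()) | {role}
        if any(len(held & rs) >= n for rs, n in self.ssd):
            return False
        self.user_roles.setdefault(user, set()).add(role)
        return True

    def open_session(self, user):
        sid = f"{user}:{len(self.sessions)}"
        self.sessions[sid] = [user, set()]
        return sid

    def activate(self, sid, role):
        """Dynamic SoD: the user may hold the role, but may not activate it with
        too many others from a constrained set within the same session."""
        user, active = self.sessions[sid]
        if role not in self.user_roles.get(user, set()):
            return False
        if any(len((active | {role}) & rs) >= n for rs, n in self.dsd):
            return False
        active.add(role)
        return True

    def check(self, sid, operation, obj):
        """Only activated roles contribute capabilities (least privilege)."""
        _, active = self.sessions[sid]
        return any((operation, obj) in self.role_perms(r) for r in active)


def payments_walkthrough():
    """Submitting and approving a payment are split across two roles."""
    rbac = Rbac()
    rbac.add_role("clerk", [("read", "ledger")])
    rbac.add_role("submitter", [("submit", "payment")], inherits=["clerk"])
    rbac.add_role("approver", [("approve", "payment")], inherits=["clerk"])
    rbac.add_role("auditor", [("read", "audit_log")])
    rbac.ssd.append(({"submitter", "approver"}, 2))   # two people per payment
    rbac.dsd.append(({"clerk", "auditor"}, 2))         # never both in one session
    r = {}
    r["alice submitter"] = rbac.assign("alice", "submitter")   # True
    r["alice approver"] = rbac.assign("alice", "approver")     # False: SSD
    r["bob approver"] = rbac.assign("bob", "approver")         # True
    rbac.assign("carol", "clerk")
    rbac.assign("carol", "auditor")                            # may hold both
    s_bob = rbac.open_session("bob")
    rbac.activate(s_bob, "approver")
    r["bob reads ledger"] = rbac.check(s_bob, "read", "ledger")     # True: inherited
    r["bob submits"] = rbac.check(s_bob, "submit", "payment")       # False
    s_carol = rbac.open_session("carol")
    rbac.activate(s_carol, "clerk")
    r["carol audit_log"] = rbac.check(s_carol, "read", "audit_log") # False: dormant
    r["carol activates auditor"] = rbac.activate(s_carol, "auditor")  # False: DSD
    return r
```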
Policy Machine Framework

The policy machine (PM) is a redefinition of access control in terms of a standardized and generic set of relations and functions that are reusable in the expression and enforcement of policies. Its objective is to provide a unifying framework to support a wide range of policies and policy combinations through a single security model. An important characteristic of the PM framework is that it is inherently policy neutral. That is, no particular security policy is embodied in the PM model. Instead, the model serves as a vehicle for expressing a wide range of security policies and enforcing them for a specific system through a precise specification of policy elements and relationships.

The PM can be thought of as a logical "machine" comprised of a fixed set of relations and functions between policy elements, which are used to render access control decisions. The relationships incorporated by the PM model are independent of the data used to populate it. Policy specifications are attribute based and capable of expressing and enforcing non-discretionary and discretionary policies [Fer05, Fer11]. Each of the access control security models discussed in the previous chapter can be represented in terms of the PM model's data elements and relations, such that an access decision rendered by the PM framework would be the same decision as that rendered by the access control model. The simultaneous enforcement of multiple policies, including reconciliation of policy conflicts, is an inherent part of the PM framework. Policy elements of the PM represent not only the users and objects of a system, but also attributes of those elements that have an effect on access control decisions.
Several key relations provide a frame of reference for defining and interpreting a system policy in terms of the policy elements specified. These relations include assignments that link together policy elements into a meaningful structure, associations that are used to define authorizations for classes of users, prohibitions that are used to define what essentially are negative authorizations, and obligations that are used to perform administrative actions automatically based on event triggers. Several key functions also aid in making access control decisions and enforcing expressed policies. The remaining sections of this chapter discuss in detail core policy elements, relations, and functions that comprise the PM model.

Core Policy Elements

The basic data elements of the PM include authorized users (U), processes (P), objects (O), user and object attributes (UA and OA), policy classes (PC), operations (Op), and access rights (AR). Users are individuals that have been authenticated by the system. A process is a system entity with memory, which operates on behalf of a user. Users submit access requests through processes. The PM treats users and processes as independent but related entities. Most other access control models use the term subject instead of process, while a few others use subject to mean both process and user. Processes can issue access requests, have exclusive access to their own memory, but none to that of any other process. Processes communicate and exchange data with other processes through some logical medium, such as the system clipboard or sockets. A user may be associated with one or more processes, while a process is always associated with just one user. The function Process_User(p) returns the user u ∈ U associated with process p ∈ P.
A user may create and run various processes from within a session. The PM model permits only one session per user, however. Objects are system entities that are subject to control under one or more defined policies. Both users and objects have unique identifiers within the system. The set of objects reflects environment-specific entities needing protection, such as files, ports, clipboards, email messages, records, and fields. The selection of entities included in this set is based on the protection requirements of the system. By definition, every object is considered to be an object attribute within the PM model; i.e., O is a subset of OA. That is, the identifier of the object is treated not only as an object within PM relations, but may also be treated as an object attribute based on its context within a relation.

User and object attributes are policy elements that represent important characteristics, which are used to organize and distinguish respectively between classes of users and objects. They can also be thought of as containers for users and objects respectively. Policy classes are another important type of element that plays a somewhat similar role to attributes. A policy class is used to organize and distinguish between distinct types of policy being expressed and enforced. A policy class can be thought of as a container for policy elements and relationships that pertain to a specific policy. The way in which policy elements can be assembled and used to represent policy is covered in later chapters. Operations denote actions that can be performed on the contents of objects that represent resources or on PM data elements and relations that represent policy.
The entire set of generic operations, Op, is partitioned into two distinct, finite sets of operations: resource operations, ROp, and administrative operations, AOp. Common resource operations include read and write, for example. Resource operations can also be defined specifically for the environment in which the PM is implemented. Administrative operations, on the other hand, pertain only to the creation and deletion of PM data elements and relations, and are a stable part of the PM framework, regardless of the implementation environment. To be able to carry out an operation, the appropriate access rights are required. As with operations, the entire set of access rights, AR, is partitioned into two distinct, finite sets of access rights: resource access rights, RAR, and administrative access rights, AAR. Normally a one-to-one mapping exists between ROp and RAR, but not necessarily between AOp and AAR. For instructive purposes, access to object resources is discussed separately from administrative access to policy expressions (i.e., data elements and relations comprising policy). Non-administrative resource operations and access rights are emphasized in this chapter, while the next chapter covers administrative operations and access rights in more detail.

To read more: http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.7987r1.pdf

Who are non-banks and why are they important for us?

Marius Jurgilas, Member of the Board of the Bank of Lithuania, at the conference "Non-banks in Payment Market: Challenges and Opportunities", organised by the Bank of Lithuania and the Sveriges Riksbank, Vilnius

It is a great pleasure for me to open the conference on non-banks in the payment market.
In 2007 the Federal Reserve Bank of Kansas City hosted a similarly titled conference. It was the time when Europe was still debating the modalities of the upcoming PSD and Steve Jobs had just introduced the first iPhone to the world. Now we have the iPhone 6 and PSD2, and because of another innovation by Apple over that time, ApplePay, the link between the two is more relevant than ever. Let me briefly elaborate on two points: who non-banks are and why they are important for us.

In general, non-banks in the payment market mainly refer to the financial institutions that facilitate payment transactions for end-users. Sometimes the definition goes even further and includes those entities that provide technology for the banks to facilitate those payments. Both groups are relevant as they deal with different problems. Overall these institutions do not engage in financial intermediation or credit risk taking, unlike shadow banks, which do.

We could start the list of non-banks in payments with traditional post offices that have been more or less active in the payment market for ages. Many have turned into banks or quasi-banks by now. Then we have electronic money institutions and payment institutions that joined the club not long ago. Some of them tried to mimic banks' payments model and failed. A new wave of non-banks emerged in the age of the smartphone. Equipped with the latest technology and out-of-the-box thinking, they made a bold step and implemented new business models in sectors where banks were slow to act. Nevertheless, many early initiatives are struggling for a number of reasons. Regulators as well as the industry need to understand what is still missing. Payment initiation services as defined in the PSD2 are a good bet. But the outlook is not all dark shades.
Last year the Economist featured an article on the future of payments titled "Payments: the end of monopoly". The title speaks for itself: banks are losing their grip on the payments market. But according to McKinsey, 34% of the global profits the banking industry is making come from payments. Therefore the question raised by the Economist: why does the banking industry appear to be taking a back seat and just observing the new entrants come in droves? Is this just a clever distraction? I have been told once by a CEO of a major bank, half joking, that once they grow, we will buy them. There is some truth to this statement. A great number of non-bank payment initiatives ended up being provided either in collaboration with banks, via banks directly, or outright owned by banks. Therefore, when we talk about the increased competition that non-banks can bring into the field of payments, we have to ask ourselves whether that is just wishful thinking or whether these new institutions really have a chance. I hope we will go deeper into this topic during the conference.

The introduction of disruptive technologies like the internet, smartphones, etc. is bound to lead to major innovations in payments. But technology is not the only ingredient for a successful payment business. Network and trust are also of key importance. Moreover, often the main breakthroughs are made when market participants join forces, leading to standardization, be it the promotion of a new and efficient payment scheme or setting up an underlying infrastructure. At the same time, competition authorities become very uneasy once they see market participants sitting around the table discussing future market arrangements. This is the reason why we need to find a healthy and comfortable format for these discussions to take place. Progress in technology is a powerful wind of change.
But regulation can also lead to positive change if it is implemented with good timing and with an appropriate scope. I strongly believe that the right regulatory framework, one that provides incentives and embraces new technology, could modernize payment services and change the status quo. I will stop here by saying that here at the central bank we have high expectations built on non-banks, both for channeling innovations and for refreshing competition. Currently Lietuvos Bankas is working on a comprehensive National Payments Transformation Strategy, and non-banks, I expect, will be one of the key players there. The main objective of this conference from our side is to hear the views of a wider audience and to learn what the near future is about to bring. I would like to thank Sveriges Riksbank for organising this event jointly with Lietuvos Bankas and for close cooperation during preparations, and would like to invite Ms Cecilia Skingsley, Deputy Governor of Sveriges Riksbank, for the introductory presentation.

The current situation in Japan's financial system and macroprudential policy

Haruhiko Kuroda, Governor of the Bank of Japan, at the Paris EUROPLACE Financial Forum, Tokyo

It is a great honor to have this opportunity to speak before the Paris Europlace Financial Forum today. Before I begin, I would like to offer my deepest condolences to the victims of the recent terrorist attacks in Paris. Since the global financial crisis, the "macroprudential" perspective has become widely recognized.
Underlying the macroprudential framework is the view that, to ensure financial stability, it is necessary to devise institutional designs and policy measures to prevent systemic risk from materializing, based on analyses and assessments of risks in the financial system as a whole, taking into account the interconnectedness of the real economy, financial markets, and financial institutions' behavior. Today, I will start by providing an assessment of the current situation in Japan's financial system from a macroprudential perspective. I will then share with you my views on some of the issues regarding macroprudential policy.

Assessment of the current situation in Japan's financial system

Let me begin with an overview of the current situation in Japan's financial system. The Bank of Japan has been pursuing quantitative and qualitative monetary easing (QQE) since April 2013, and the policy has been steadily exerting its intended effects toward achieving the price stability target of 2 percent. It goes without saying that the financial system serves as an important transmission channel through which QQE produces its effects. Indeed, the following positive financial effects have been observed in the past two and a half years:

(1) stability of long-term interest rates at low levels and declines in credit risk premiums;
(2) progress in portfolio rebalancing among financial institutions and institutional investors; and
(3) a positive spillover to asset prices.

Looking ahead, further enhancement of the financial intermediation function continues to be expected as financial institutions have secured robust capital bases. As such, the effects of QQE are gradually becoming evident on the financial front as well.
From a macroprudential perspective, however, the more financial activity increases, the more important it becomes to be vigilant as to whether such effects of QQE would lead to financial excesses or imbalances. Under the current framework for the conduct of monetary policy, the Bank examines financial imbalances - from a longer-term perspective - as a risk that will significantly affect economic activity and prices. As part of the examination process, the Bank releases semiannually its Financial System Report. In this report, it makes a forward-looking assessment of the stability of the financial system from various angles - including analyses of the balance between financial institutions' risks and financial bases, macro stress testing, and the monitoring of risk indicators that suggest signs of financial imbalances - and presents tasks and challenges toward achieving financial stability. Taking the latest findings into account, significant financial imbalances are not observed at present. That said, the Bank will continue to examine developments without presumption.

Macroprudential Policy

I will now turn to macroprudential policy. In recent years, this area has seen various international discussions conducted and measures implemented worldwide. First, "structural measures" for enhancing the resilience of the financial system, including implementation of the Basel III requirements and responses to the "Too Big to Fail" problem, have been proceeding steadily. Second, many countries have been making use of macroprudential measures aimed at containing excessive financial cycles and the accumulation of imbalances. These are sometimes referred to as "time-varying macroprudential policy," thereby distinguishing them from structural measures.
In what follows, I will touch upon some of the issues regarding macroprudential policy. First, let me discuss the selection and application of "time-varying" macroprudential tools. Many of the measures that have been adopted recently in various countries are ones with which to lean against financial cycles, by utilizing regulatory ratios such as the countercyclical capital buffer (CCB) and the loan-to-value (LTV) ratio. The introduction of the CCB regime is scheduled for 2016 in countries worldwide, including Japan. Among countries that already have proceeded with the activation of these measures, some have noted that the measures have been exerting their intended effects on such sectors as the housing market, where overheating has been observed. At the same time, some point to the considerable uncertainty surrounding the measures' effects and to difficulties that accompany their application, including the following. First, there is a lag after activation before the measures begin producing effects. Second, leakages of policy effects to unregulated sectors, such as shadow banking institutions, as well as to overseas, may well occur. And third, measures intended for specific sectors, such as housing, give rise to the issue of conflict with other governmental measures. In fact, the inability to employ these macroprudential tools in a timely fashion entails the risk of accelerating financial cycles.

"Hard" measures, which involve the adjustment of regulatory ratios in a countercyclical manner, are relatively new. Given this, the ultimate challenge, including responses to the various others I have just mentioned, is how to carry out these measures in an accountable manner.
One point I want to stress in relation to this is that, in dealing with financial imbalances, what is important and effective is supervisory guidance by central banks and financial authorities - namely, their "soft" approach, by which they issue advance warnings while providing guidance and advice to financial institutions based on assessments of financial system stability. Supervisory guidance for financial institutions is primarily regarded as a microprudential measure. By carrying it out from a macroprudential perspective in an industry-wide and collective manner, however, the soft approach is capable of producing effects as a form of macroprudential policy. Moreover, compared with hard approaches like the CCB, this approach allows for more forward-looking and flexible responses. Based on such understanding, the Bank's disclosure of the challenges and risks involved in ensuring financial stability, through the publication of the Financial System Report, and its responses to these issues, through on-site examinations and off-site monitoring, are considered part of macroprudential policy.

Second, let me shift my focus to international financial regulations as a form of "structural" macroprudential policy. Reform of international financial regulation is entering its final stages. Basel III and responses to the issue of "Too Big to Fail," such as TLAC (Total Loss-Absorbing Capacity), are measures designed to substantially strengthen the resilience of the global financial system. Furthermore, it is important to acknowledge the fact that financial authorities and the financial industry worldwide have developed a common understanding on international regulation, overcoming differences in their views. This indicates a major step forward, in that we have created a foundation for international cooperation to tackle many issues and crises that could arise in the future.
Having said this, I would like to mention several points with regard to the finalization and gradual implementation of the Basel III regulatory reforms.

The first point is the importance of a comprehensive calibration of the framework in its finalization. Several of the remaining issues involve quite a number of calibrations based on the accumulation of very technical and expert considerations, such as the measurement of risk-weighted assets. The outcome of these considerations would have a significant impact on the determination of required macro capital and the risk-taking behavior of financial institutions. I would like to emphasize that the calibration should be finalized in such a way that the amount of risk-weighted assets and required capital as a whole would be maintained at an appropriate level, while taking a holistic approach in examining effects on the institutions.

The second point is the necessity of a review of the effects and impacts of these regulatory reforms after their implementation. Reforms of international financial regulations to date have been drastic enough that it is no exaggeration to refer to them as a "fundamental re-design." Looking at individual countries, large-scale financial and structural reforms are underway, as typified by the Volcker rule in the U.S. The extent of the effects and impacts of these regulatory reforms on international financial intermediation and flow of funds in the financial sector as a whole remains unknown, and therefore requires close monitoring. From a long-term perspective, in order for the financial system to ensure stability and in turn contribute to sustainable economic growth, financial institutions need to be sufficiently profitable through active and innovative financial intermediation.
In this regard, it is important to remove any regulatory excess, inconsistency among regulations, and uncertainty regarding the regulatory environment.

Concluding Remarks

That brings me toward the end of my speech. Topics for discussion regarding macroprudential policy go beyond those I have raised today. One such topic regards the effective institutional arrangements for macroprudential policy. Needless to say, there is no such thing as a universally optimal set of arrangements, as financial and economic structures as well as legal frameworks differ from country to country. Moreover, the desirable form of arrangements would vary depending on the kind of macroprudential measures each country intends to utilize. Looking at the recent developments in countries with multiple regulatory and supervisory authorities, there have been quite a number of movements to establish new bodies or councils in charge of macroprudential policy.

In Japan, the Financial Services Agency (FSA) - which is legally authorized to conduct industry-wide supervision and inspections - and the Bank - which contributes to financial system stability, such as through the "lender of last resort" function - are making joint efforts in carrying out macroprudential policy, fulfilling their respective functions. Furthermore, in June 2014, the two entities together established a task force with the aim of holding regular joint meetings, and they have been fostering further coordination. The Bank is determined to continue with its efforts to contribute to ensuring the stability of the financial system, making use of these arrangements.

Thank you.
Disclaimer

The Association tries to enhance public access to information about risk and compliance management. Our goal is to keep this information timely and accurate. If errors are brought to our attention, we will try to correct them.

This information:
- is of a general nature only and is not intended to address the specific circumstances of any particular individual or entity;
- should not be relied on in the particular context of enforcement or similar regulatory action;
- is not necessarily comprehensive, complete, or up to date;
- is sometimes linked to external sites over which the Association has no control and for which the Association assumes no responsibility;
- is not professional or legal advice (if you need specific advice, you should always consult a suitably qualified professional);
- is in no way constitutive of an interpretative document;
- does not prejudge the position that the relevant authorities might decide to take on the same matters if developments, including Court rulings, were to lead them to revise some of the views expressed here;
- does not prejudge the interpretation that the Courts might place on the matters at issue.

Please note that it cannot be guaranteed that this information and these documents exactly reproduce officially adopted texts. It is our goal to minimize disruption caused by technical errors. However, some data or information may have been created or structured in files or formats that are not error-free, and we cannot guarantee that our service will not be interrupted or otherwise affected by such problems. The Association accepts no responsibility with regard to such problems incurred as a result of using this site or any linked external sites.
The International Association of Risk and Compliance Professionals (IARCP)

You can explore what we offer to our members:

1. Membership - Become a standard, premium or lifetime member. You may visit: www.risk-compliance-association.com/How_to_become_member.htm

If you plan to continue to work as a risk and compliance management expert, officer or director throughout the rest of your career, it makes perfect sense to become a Life Member of the Association, and to continue your journey without interruption and without renewal worries. You will get a lifetime of benefits as well. You can check the benefits at: www.risk-compliance-association.com/Lifetime_Membership.htm

2. Weekly Updates - Subscribe to receive every Monday the Top 10 risk and compliance management related news stories and world events that (for better or for worse) shaped the week's agenda, and what is next: http://forms.aweber.com/form/02/1254213302.htm

3. Training and Certification - Become a Certified Risk and Compliance Management Professional (CRCMP) or a Certified Information Systems Risk and Compliance Professional (CISRCP).

The Certified Risk and Compliance Management Professional (CRCMP) training and certification program has become one of the most recognized programs in risk management and compliance. There are CRCMPs in 32 countries around the world. Companies and organizations like IBM, Accenture, American Express, USAA, etc., consider the CRCMP a preferred certificate.
You can find more about the demand for CRCMPs at: www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf

You can find more information about the CRCMP program at: www.risk-compliance-association.com/CRCMP_1.pdf (It is better to save it and open it as an Adobe Acrobat document).

For the distance learning programs you may visit: www.risk-compliance-association.com/Distance_Learning_and_Certification.htm

For instructor-led training, you may contact us. We can tailor all programs to specific needs. We tailor presentations, awareness and training programs for supervisors, boards of directors, service providers and consultants.

4. IARCP Authorized Certified Trainer (IARCP-ACT) Program - Become a Certified Risk and Compliance Management Professional Trainer (CRCMPT) or Certified Information Systems Risk and Compliance Professional Trainer (CISRCPT). This is an additional advantage on your resume, serving as a third-party endorsement to your knowledge and experience. Certificates are important when being considered for a promotion or other career opportunities. You give the necessary assurance that you have the knowledge and skills to accept more responsibility. To learn more you may visit: www.risk-compliance-association.com/IARCP_ACT.html

5. Approved Training and Certification Centers (IARCP-ATCCs) - In response to the increasing demand for CRCMP training, the International Association of Risk and Compliance Professionals is developing a world-wide network of Approved Training and Certification Centers (IARCP-ATCCs). This will give the opportunity to risk and compliance managers, officers and consultants to have access to instructor-led CRCMP and CISRCP training at convenient locations that meet international standards.
ATCCs use IARCP approved course materials and have access to IARCP Authorized Certified Trainers (IARCP-ACTs). To learn more: www.risk-compliance-association.com/Approved_Centers.html