International Association of Risk and Compliance
Professionals (IARCP)
1200 G Street NW Suite 800 Washington, DC 20005-6705 USA
Tel: 202-449-9750 www.risk-compliance-association.com
Top 10 risk and compliance management related news stories
and world events that (for better or for worse) shaped the
week's agenda, and what is next
Dear Member,
Cyberbullying refers to the practice of using
technology to harass, or bully, someone else.
Bullies used to be restricted to methods such as
physical intimidation, postal mail, or the
telephone. Now, developments in electronic
media offer forums such as email, instant
messaging, web pages, and digital photos to add
to the arsenal.
Computers, cell phones, and PDAs are current tools that are being used to
conduct an old practice.
Forms of cyberbullying can range in severity from cruel or embarrassing
rumors to threats, harassment, or stalking. It can affect any age group;
however, teenagers and young adults are common victims, and
cyberbullying is a growing problem in schools.
This is part of Security Tip (ST06-005), Dealing with Cyberbullies, from the
Department of Homeland Security's US Computer Emergency Readiness
_____________________________________________________________
International Association of Risk and Compliance Professionals (IARCP)
Page |2
Team (US-CERT), which leads efforts to improve cybersecurity posture,
coordinate cyber information sharing, and proactively manage cyber risks.
Let's continue:
"Why has cyberbullying become such a problem?
The relative anonymity of the internet is appealing for bullies because it
enhances the intimidation and makes tracing the activity more difficult.
Some bullies also find it easier to be more vicious because there is no
personal contact. Unfortunately, the internet and email can also increase
the visibility of the activity.
Information or pictures posted online or forwarded in mass emails can
reach a larger audience faster than more traditional methods, causing more
damage to the victims. And because of the amount of personal information
available online, bullies may be able to arbitrarily choose their victims.
Cyberbullying may also indicate a tendency toward more serious behavior.
While bullying has always been an unfortunate reality, most bullies grow
out of it. Cyberbullying has not existed long enough to have solid research,
but there is evidence that it may be an early warning for more violent
behavior."
You will find more about cyberbullying at:
https://www.us-cert.gov/ncas/tips/ST06-005
You will find excellent tips for your organization and your home at:
https://www.us-cert.gov/ncas/tips
Another example, taken from the US-CERT tips:
"Although free email services have many benefits, you should not use them
to send sensitive information. Because you are not paying for the account,
the organization may not have a strong commitment to protecting you from
various threats or to offering you the best service. Some of the elements you
risk are:
Security. If your login, password, or messages are sent in plain text, they
may easily be intercepted.
If a service provider offers SSL encryption, you should use it.
You can find out whether this is available by looking for a "secure mode" or
by replacing the "http:" in the URL with "https:" (see Protecting Your
Privacy for more information).
Privacy. You aren't paying for your email account, but the service provider
has to find some way to recover the costs of providing the service.
One way of generating revenue is to sell advertising space, but another is to
sell or trade information.
Make sure to read the service provider's privacy policy or terms of use to see
if your name, your email address, the email addresses in your address book,
or any of the information in your profile has the potential of being given to
other organizations (see Protecting Your Privacy for more information).
If you are considering forwarding your work email to a free email account,
check with your employer first. You do not want to violate any established
security policies.
Reliability. Although you may be able to access your account from any
computer, you need to make sure that the account is going to be available
when you want to access it.
Familiarize yourself with the service provider's terms of service so that you
know exactly what they have committed to providing you.
For example, if the service ends or your account disappears, can you
retrieve your messages?
Does the service provider give you the ability to download messages that
you want to archive onto your machine?
Also, if you happen to be in a different time zone than the provider, you may
find that their server maintenance interferes with your normal email
routine."
You will find more at:
https://www.us-cert.gov/ncas/tips/ST05-009
Another example: "A rootkit is a piece of software that can be installed and
hidden on your computer without your knowledge. It may be included in a
larger software package or installed by an attacker who has been able to
take advantage of a vulnerability on your computer or has convinced you to
download it."
"Rootkits are not necessarily malicious, but they may hide malicious
activities. Attackers may be able to access information, monitor your
actions, modify programs, or perform other functions on your computer
without being detected.
Botnet is a term derived from the idea of bot networks. In its most basic
form, a bot is simply an automated computer program, or robot. In the
context of botnets, bots refer to computers that are able to be controlled by
one, or many, outside sources.
An attacker usually gains control by infecting the computers with a virus or
other malicious code that gives the attacker access. Your computer may be
part of a botnet even though it appears to be operating normally. Botnets
are often used to conduct a range of activities, from distributing spam and
viruses to conducting denial-of-service attacks."
Read more at Numbers 6 and 7 below. Welcome to the Top 10 list.
Best Regards,
George Lekatis
President of the IARCP
General Manager, Compliance LLC
1200 G Street NW Suite 800,
Washington DC 20005, USA
Tel: (202) 449-9750
Email: [email protected]
Web: www.risk-compliance-association.com
HQ: 1220 N. Market Street Suite 804,
Wilmington DE 19801, USA
Tel: (302) 342-8828
Revisions to the Standardised Approach
for credit risk - second consultative
document
December 2015
The second consultative document on Revisions to the Standardised
Approach for credit risk forms part of the Committee's broader review of
the capital framework to balance simplicity and risk sensitivity, and to
promote comparability by reducing variability in risk-weighted assets
across banks and jurisdictions.
These proposals differ in several ways from an initial set of proposals
published by the Committee in December 2014.
That earlier proposal set out an approach that removed all references to
external credit ratings and assigned risk weights based on a limited number
of alternative risk drivers.
Respondents to the first consultative document expressed concerns,
suggesting that the complete removal of references to ratings was
unnecessary and undesirable.
The Committee has decided to reintroduce the use of ratings, in a
non-mechanistic manner, for exposures to banks and corporates.
PCAOB Standard-Setting Update
Jay D. Hanson, Board Member
AICPA Conference on Current SEC and PCAOB
Developments, Washington DC
"Behind the scenes, much work is in progress to refine
the process by which projects get added to our agenda,
how they get prioritized and how the work flows from start to finish.
While many aspects of these changes may not be visible to most of you in
the room, I hope the result is better decisions about what gets on our
agenda, informed by appropriate research."
NIST Seeks Comments on Cybersecurity
Framework Use, Potential Updates and Future Management
The National Institute of Standards and Technology (NIST) is seeking
information on how its voluntary “Framework for Improving Critical
Infrastructure Cybersecurity” is being used, as well as feedback on possible
changes to the Framework and its future management.
Developed in response to a 2013 Executive Order, the Framework consists
of standards, guidelines and practices that help organizations address cyber
risks by aligning policy, business and technological approaches.
“The process to develop the Framework brought together both private and
public sector organizations and resulted in a document that is being used by
a wide variety of organizations,” said Adam Sedgewick, NIST senior
information technology policy advisor.
“We’re looking forward to receiving feedback on specific questions about its
use and how it might be improved.”
ENISA welcomes the agreement of EU Institutions
on the first EU wide cybersecurity Directive and
Agency’s extended role
Following extensive negotiations, the EU institutions have reached an
agreement that will support Member States in achieving a high level of
network and information security that is coherent across the EU and that
will pave the way for more collaboration among them.
The Directive foresees significant new tasks for ENISA, strengthening its
role. ENISA considers this agreement as an important step forward for
securing ICT infrastructure across the EU.
ENISA welcomes the agreement on the upcoming NIS Directive, which is a
significant step towards further improvements in NIS across the EU.
New challenges for a new era
Luis M Linde, Governor of the Bank of Spain, at the 8th
Santander International Banking Conference, Madrid
"The first edition took place in the autumn of 2008, right after the fall of
Lehman Brothers and just before the G20 leaders agreed to launch the
financial regulatory reform in an unprecedented globally coordinated
action.
The objective was clear and so was the mandate given to the Financial
Stability Board and the Basel Committee on Banking Supervision: to build a
stronger and more resilient financial system.
Since then, the main pillars of the reform have been put in place.
The list of new measures implemented is long and, I would say, impressive.
I will not review the list, which is very clearly and well explained in the
latest progress reports published by the Financial Stability Board and the
Basel Committee."
US-CERT, Security Tip
Before You Connect a New Computer to the Internet
Why Should I Care About Computer Security?
Computers help us maintain our financial, social, and professional
relationships.
We use them for banking and bill paying, online shopping, connecting with
our friends and family through email and social networking sites,
researching data posted on the Internet, and so much more.
We rely heavily on our computers to provide these services, yet we
sometimes overlook our need to secure them.
US-CERT, Security Tip
Securing Your Home Network
How are routers used in your home network?
Home routers have become an integral part of our global communications
footprint as use of the Internet has grown to include home-based
businesses, telework, schoolwork, social networking, entertainment, and
personal financial management.
Routers facilitate this broadened connectivity. Most of these devices are
preconfigured at the factory and are Internet-ready for immediate use.
After installing routers, users often connect immediately to the Internet
without performing any additional configuration. Users may be unwilling to
add configuration safeguards because configuration seems too difficult or
users are reluctant to spend the time with advanced configuration settings.
Unfortunately, the default configuration of most home routers offers little
security and leaves home networks vulnerable to attack. Small businesses
and organizations often use these same home routers to connect to the
Internet without implementing additional security precautions and expose
their organizations to attack.
NISTIR 7987 Revision 1
Policy Machine: Features, Architecture, and Specification
David Ferraiolo Serban Gavrila Wayne Jansen
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of
Standards and Technology (NIST) promotes the U.S. economy and public
welfare by providing technical leadership for the Nation’s measurement
and standards infrastructure. ITL develops tests, test methods, reference
data, proof of concept implementations, and technical analyses to advance
the development and productive use of information technology.
Who are non-banks and why are they
important for us?
Marius Jurgilas, Member of the Board of the Bank of
Lithuania, at the conference "Non-banks in Payment
Market: Challenges and Opportunities", organised by
the Bank of Lithuania and the Sveriges Riksbank,
Vilnius
"In 2007 Federal Reserve Bank of Kansas City hosted a similarly titled
conference.
It was the time when Europe was still debating the modalities of the
upcoming PSD and Steve Jobs just introduced the first iPhone to the world.
Now we have iPhone 6 and PSD2 and, because of another innovation by
Apple over that time, ApplePay, the link between the two is more relevant
than ever."
The current situation in Japan's financial
system and macroprudential policy
Haruhiko Kuroda, Governor of the Bank of Japan, at
the Paris EUROPLACE Financial Forum, Tokyo
"It is a great honor to have this opportunity to speak
before the Paris Europlace Financial Forum today.
Before I begin, I would like to offer my deepest condolences to the victims
of the recent terrorist attacks in Paris.
Since the global financial crisis, the "macroprudential" perspective has
become widely recognized.
Underlying the macroprudential framework is the view that, to ensure
financial stability, it is necessary to devise institutional designs and policy
measures to prevent systemic risk from materializing, based on analyses
and assessments of risks in the financial system as a whole, taking into
account the interconnectedness of the real economy, financial markets, and
financial institutions' behavior."
Revisions to the Standardised Approach for
credit risk - second consultative document
December 2015
The second consultative document on Revisions to
the Standardised Approach for credit risk forms part
of the Committee's broader review of the capital
framework to balance simplicity and risk sensitivity,
and to promote comparability by reducing variability in risk-weighted
assets across banks and jurisdictions.
These proposals differ in several ways from an initial set of proposals
published by the Committee in December 2014.
That earlier proposal set out an approach that removed all references to
external credit ratings and assigned risk weights based on a limited number
of alternative risk drivers.
Respondents to the first consultative document expressed concerns,
suggesting that the complete removal of references to ratings was
unnecessary and undesirable.
The Committee has decided to reintroduce the use of ratings, in a
non-mechanistic manner, for exposures to banks and corporates.
The revised proposal also includes alternative approaches for jurisdictions
that do not allow the use of external ratings for regulatory purposes.
The proposed risk weighting of real estate loans has also been modified,
with the loan-to-value ratio as the main risk driver.
The Committee has decided not to use a debt service coverage ratio as a risk
driver given the challenges of defining and calibrating a global measure that
can be consistently applied across jurisdictions.
The Committee instead proposes requiring the assessment of a borrower's
ability to pay as a key underwriting criterion.
It also proposes to categorise all exposures related to real estate, including
specialised lending exposures, under the same asset class, and apply higher
risk weights to real estate exposures where repayment is materially
dependent on the cash flows generated by the property securing the
exposure.
This consultative document also includes proposals for exposures to
multilateral development banks, retail and defaulted exposures, and
off-balance sheet items.
The credit risk standardised approach treatment for sovereigns, central
banks and public sector entities is not within the scope of these proposals.
The Committee is considering these exposures as part of a broader and
holistic review of sovereign-related risks.
The Committee welcomes comments on all aspects of this consultative
document and the proposed standards text.
Comments on the proposals should be uploaded here by Friday 11 March
2016.
All comments will be published on the website of the Bank for International
Settlements unless a respondent specifically requests confidential
treatment.
To read more:
http://www.bis.org/bcbs/publ/d347.pdf
PCAOB Standard-Setting Update
Jay D. Hanson, Board Member
AICPA Conference on Current SEC and PCAOB
Developments, Washington DC
Good Afternoon,
Thank you for the privilege to speak again at this conference. As I am
completing my fifth year as a Board member of the Public Company
Accounting Oversight Board ("PCAOB" or "Board"), this is still one of my
favorite conferences to learn about current developments, as well as
interact with many of you to hear your suggestions and concerns.
You already heard from a number of other PCAOB speakers during this
conference.
We each provide our own unique insights and, as you have heard others say
before me, the views I express today are my personal views and do not
necessarily reflect the views of the Board, any other Board member, or the
staff of the PCAOB.
In the brief time I will take today, I will comment on a few aspects of our
standard setting activities, share some opinions on topics others have
raised, and comment on our project on audit quality indicators.
Standard Setting
PCAOB Chief Auditor Marty Baumann just provided an update about some
of our standard-setting projects.
Several representatives from the Securities and Exchange Commission
("SEC") also commented at this conference on our work to improve our
standard setting process.
Behind the scenes, much work is in progress to refine the process by which
projects get added to our agenda, how they get prioritized and how the work
flows from start to finish.
While many aspects of these changes may not be visible to most of you in
the room, I hope the result is better decisions about what gets on our
agenda, informed by appropriate research.
I also hope that we end up with a better definition of the problem we are
trying to solve, broad consideration of alternatives to solve the problem,
and ultimately, if rulemaking is necessary, a solution that addresses the
problem in a timely and cost effective way.
I will comment on a few of the projects Marty discussed.
We received significant feedback on the auditor reporting model project
after we proposed it in 2013.
A number of commenters expressed concern about the broad scope of what
the auditor would have to consider in identifying critical audit matters
("CAMs") to report.
Commenters also expressed concerns that CAMs would sometimes address
matters that are immaterial or that would reveal company information not
otherwise required to be disclosed under applicable securities laws and
regulations. I am optimistic that our reproposal will address these
important concerns and result in a meaningful, operational standard.
Another overarching concern from preparers is whether we should proceed
with a project like this at all, as opposed to letting the SEC mandate any
needed improvements to management's disclosures.
A similar theme among the comments was the question of whether the
CAMs would substantially duplicate other disclosures, including
management's discussion of critical accounting estimates.
One benefit of the passage of time since our 2013 proposal is that we have
had an opportunity to monitor developments in other countries, including
the United Kingdom ("UK").
We are closely watching the results of the expanded auditor reporting that
has been in place there for several years.
We are also benefitting from new academic studies that are beginning to
focus on the value of the auditor disclosures, how much duplication may be
occurring with management disclosures and whether investors value – and
act on – the information.
The feedback from the consultation papers our staff issued on fair value,
estimates and specialists has been informative.
I encourage preparers to follow these projects closely since the ultimate
result may require auditors to perform more work and therefore may affect
the amount of time preparers spend gathering information for their
auditors.
The specialist consultation paper includes some provocative questions
about whether all information that management provides to the auditor
should be treated the same, regardless of whether it was prepared by
accountants employed by the company or by a specialist, such as an
actuary, who relies on historical data provided by the company, along with
assumptions about the future.
The Board's decisions on the appropriate degree of scrutiny by auditors of
this type of information could have significant effects on many aspects of an
audit.
I personally hope we end up in a place that would enhance the current
standards for the auditor's use of the work of a specialist, but not go as far
as certain of the ideas raised in the consultation paper might suggest.
Preparer Feedback
Marty mentioned the feedback we have received from the U.S. Chamber of
Commerce regarding the work auditors are performing in the area of
internal controls over financial reporting.
Several other speakers at the conference, including SEC Chair White, as
well as a panel yesterday afternoon that included my fellow PCAOB Board
Member Jeanette Franzel, discussed the importance of internal controls.
I personally have participated in meetings with many preparers and
members of organizations representing financial management.
I have also had many meetings with audit committee members over the
past year.
I welcome the feedback about the practical consequence of our regulation of
auditors.
In many respects, hearing directly from those on the receiving end of an
audit how rigorous and challenging the audit is today is good news.
On the other hand, it is troubling to hear stories of auditors focusing too
much on immaterial items and doing "defensive auditing."
And as you all know, if you focus too much on the small items, you may
miss the big picture.
Our inspection activities show that all engagement teams do not execute
required audit procedures equally well. Many firms have developed tools,
checklists and templates to drive more consistent execution.
While these tools overall are successful, they are not substitutes for an
auditor's understanding of the business, the controls and why specified
audit procedures are necessary.
I was pleased with the panel discussion yesterday, which brought out many
of the issues we have discussed with firms and preparers in recent months.
A big take-away from the panel was that good communication between
management and the audit team is essential.
In that context, let me emphasize again some comments I made recently at
another conference.
Many of the concerns I have heard about ICFR from preparers are that they
believe their management review controls are effective in detecting
potential material misstatements, because they know what actions they and
their team take to review a monthly reporting package, and they know that
their staff will follow up on questions raised during this process.
The auditors, however, are telling preparers that they cannot accept their
sign-off as evidence of the control's effectiveness.
And in fact, while auditors may be able to accept a sign-off when testing a
simple process level control that does not involve much judgment (like
matching a purchase order, shipping document and invoice), that does not
suffice for management review controls.
The applicable auditing standard, AS 5, specifically states that inquiry alone
does not provide sufficient evidence to support a conclusion about the
effectiveness of a control.
The actual procedures needed for a particular management review control
will depend on, among other things, the nature of the control, the risk
associated with the control, the information used in the control, and the
evidence of the control's operation.
AS 5 gives examples such as observation, inspection of relevant
documentation, and re-performance of a control. One of my mentors early
in my career frequently said "you can't just audit by conversation, you need
to audit the support for what management tells you."
Those words from over 30 years ago apply today to controls testing.
I look forward to continuing our discussions with preparers and auditors on
these important topics and many others.
Audit Quality Indicators
Yesterday, Cindy Fornelli from the Center for Audit Quality ("CAQ")
described the CAQ efforts around audit quality indicators.
Chief Accountant Jim Schnurr and others also have mentioned the PCAOB
project in this area.
I commend the CAQ for the work they have done and what they have shared
with us. Collectively, we are advancing thought in this important area and
driving improvements in audits.
The Board issued a concept release in June 2015 on audit quality indicators.
Prior to the issuance of the concept release, we had several discussions over
multiple meetings with our Standing Advisory and Investor Advisory
Groups. Since the issuance, we had further discussions with both groups.
I personally have discussed the concepts with multiple preparers, audit
committees and others.
Overall, we have received substantial helpful input.
The overwhelming feedback has been that exploring audit quality
indicators is a worthwhile effort.
However, there is sharp divergence on the role of the PCAOB in this area,
questions about how AQIs should be used, and varying views about
appropriate next steps.
Some advocate that the PCAOB should move quickly to require the use of
certain defined indicators by audit firms and individual engagement teams
and that such indicators be made publicly available for all investors to
consider.
Many others have argued that the best use of audit quality indicators is in a
discussion between the engagement team and audit committee, focusing on
indicators that best capture the relevant considerations for that audit.
Some of these commenters suggested that the PCAOB refrain from
mandating any specific indicators at this time.
Rather, these commenters believe that the Board should let auditor and
audit committee practice develop on a voluntary basis before considering
whether rulemaking is necessary.
We received very little feedback on the specific AQIs discussed in the
concept release.
Many commenters believed that those engagement level AQIs that are
focused on the availability and competence of engagement personnel are
most valuable.
Some of my one-on-one conversations with audit committee members
emphasized the importance of the qualitative aspects of the relationship
with the engagement partner, and no quantitative metric would capture
that.
With regard to next steps, my personal opinion is that we need to further
our efforts to validate which AQIs have the strongest correlation to high
quality audits.
I believe we should refine the list of 28 indicators included in the concept
release to 10 or fewer and make that list public, along with clear definitions
for each indicator to encourage consistency in their use.
We should continue to collect and analyze information, through our
inspection process and other outreach, about what indicators audit
committees and engagement teams find most valuable and provide
transparency about our findings and conclusions.
After a few years, we can reassess the need, if any, for rulemaking to
mandate the use, discussion or disclosure of quality indicators.
I also believe we should encourage the firms' efforts in publishing audit
quality reports to make as much relevant information available to investors
as possible.
Relevant to this approach, I was interested to see that the UK Financial
Reporting Council ("FRC") recently published its 2016-19 strategy.
One aspect of the FRC plan is something I agree with: "Place greater
emphasis on best practice, education and other non-regulatory approaches
to help secure continuous improvement in the quality of information and
behaviour, including through our corporate reporting and audit quality
review activities."
The FRC's regulatory mandate is broader than the PCAOB's, but the
principles apply equally to us.
Audit quality indicators is one project where we can experiment with
driving improvements in audit quality by providing information and
encouraging voluntary compliance and disclosure, before we determine
whether regulation is needed. Stay tuned.
Inspection Findings
Tomorrow, you will hear about our recent inspection findings from Helen
Munter, PCAOB Director of Registration and Inspections. I won't go into
any details of what she will discuss, but I want to highlight a couple of
points from our recent general purpose report on observations of the Risk
Assessment Standards.
This report provides information regarding the implementation of, and
compliance with, the Risk Assessment Standards from the PCAOB's
2012-2014 inspections of registered public accounting firms.
The report expresses the Board's concern about the number and
significance of deficiencies related to the Risk Assessment Standards.
It is important to understand that the procedures required by these
standards underlie the entire audit process and drive decisions about the
scope and nature of the procedures that the auditor ultimately performs to
support the opinion expressed in the auditor's report.
Summarizing our inspectors' conclusions about potential causes of the
deficiencies, the report provides examples, including the following, among
others:
· "The firm did not have an adequate understanding of the issuer and its
processes and related internal control over financial reporting."
· "The firm did not adequately design and perform audit procedures to
address identified and assessed risks of material misstatement."
· "Senior members of the engagement team, including the engagement
partner, may not devote sufficient attention to the performance of risk
assessment procedures or the supervision, including review of the work of
engagement team members."
· "Some firm professionals may not exercise due care, including
professional skepticism (e.g., overreliance upon management assertions,
reliance on perceived knowledge of the issuer, and insufficient evaluation of
contradictory evidence)."
The Canadian Public Accountability Board ("CPAB") is Canada's audit
regulator responsible for the oversight of public accounting firms that audit
Canadian reporting issuers. CPAB recently issued a report that discusses
the 2015 annual inspection findings for Canada's four largest public
accounting firms, and I noted that several observations in CPAB's report
are consistent with our recent report. For example, that report states:
· "Auditors must make sure that procedures are appropriately designed and
executed. If fundamental audit areas are delegated to more junior staff, the
firm must see to it that staff have the appropriate training to perform their
assigned procedures and that their work is appropriately supervised and
reviewed."
· "An insufficient understanding of the client's business is the root cause
behind many of the audit findings we identified. To assess risk of error and
ultimately determine an effective audit strategy, the auditor needs a sound
understanding of the company's business, operations, and nature and flow
of accounting transactions. Otherwise, it is difficult to plan and execute an
effective audit."
· "Areas requiring the most professional judgment and skepticism
continued to feature prominently in our 2015 inspection findings.
Participation of senior engagement leaders at both the planning and issues
resolution stages remains the best way to deal with these matters. To
address audit team inexperience and to support the delivery of a quality
audit, the timely and appropriate involvement of engagement leadership is
essential."
As I think about my (now dated) experience as an auditor and consider
issues relating to the appropriate scope of ICFR audit work, the most
important AQIs, and PCAOB inspectors' observations about potential
causes of inspection findings, I find that there is a common theme that
comes up again and again: The best audits are those that are conducted by
the right people, with the right skills, doing things at the right time and in
the right order, properly supervised, with a skeptical mindset and
communicating effectively throughout the process. Simple, right?
With that, let me thank you again for listening, and I will take questions
during the session at the end of the day.
NIST Seeks Comments on Cybersecurity
Framework Use, Potential Updates and Future Management
The National Institute of Standards and Technology (NIST) is seeking
information on how its voluntary “Framework for Improving Critical
Infrastructure Cybersecurity” is being used, as well as feedback on possible
changes to the Framework and its future management.
A preview copy of the Request for Information (RFI) was posted to the
Federal Register at:
https://www.federalregister.gov/articles/2015/12/11/2015-31217/views-on-the-framework-for-improving-critical-infrastructure-cybersecurity
The comment period opened Friday, Dec. 11, 2015, and closes Feb. 9, 2016.
Developed in response to a 2013 Executive Order, the Framework consists
of standards, guidelines and practices that help organizations address cyber
risks by aligning policy, business and technological approaches.
“The process to develop the Framework brought together both private and
public sector organizations and resulted in a document that is being used by
a wide variety of organizations,” said Adam Sedgewick, NIST senior
information technology policy advisor.
“We’re looking forward to receiving feedback on specific questions about its
use and how it might be improved.”
The Framework was released in February 2014, after a year-long, open
process that included input from industry, academia and government
agencies at the federal and state levels.
An increasing number of organizations that are part of the nation’s critical
infrastructure, including the energy and financial sectors, as well as other
private and public organizations, have been using the Framework to
improve their management of cyber risks.
To fulfill its responsibilities under the Cyber Security Enhancement Act of
2014, NIST is committed to maintaining an inclusive approach that
incorporates the views of a wide array of individuals, organizations and
sectors.
In the RFI, NIST asks specific questions about:
• the variety of ways in which the Framework is being used to improve
cybersecurity risk management,
• how best practices for using the Framework are being shared,
• the relative value of different parts of the Framework,
• the possible need for an update of the Framework, and
• options for the long-term management of the Framework.
Responses to this RFI—which will be posted publicly—will inform NIST's
planning and decision-making about how to further advance the
Framework so that the nation’s critical infrastructure is more secure and
resilient.
For more information and a form for submitting comments on the RFI, visit
the Framework website at:
http://www.nist.gov/cyberframework/cybersecurity-framework-rfi.cfm
Feedback gathered from the RFI also will assist in developing the agenda
for a workshop on the Framework being planned for April 6 and 7, 2016, at
NIST’s Gaithersburg, Md., campus. Specifics about the workshop will be
announced at a later date.
ENISA welcomes the agreement of EU Institutions
on the first EU wide cybersecurity Directive and
Agency’s extended role
Following extensive negotiations the EU institutions have reached an
agreement, which will support Member States in achieving a high level of
network & information security that is coherent across the EU and which
will pave the way for more collaboration among them.
The Directive foresees significant new tasks for ENISA, strengthening its
role. ENISA considers this agreement as an important step forward for
securing ICT infrastructure across the EU.
ENISA welcomes the agreement on the upcoming NIS Directive, which is a
significant step towards further improvements in NIS across the EU.
To find more about the agreement:
http://www.europarl.europa.eu/news/en/news-room/20151207IPR06449/MEPs-close-deal-with-Council-on-first-ever-EU-rules-on-cybersecurity
The NIS Directive foresees a number of concrete measures to make this
happen, the most fundamental of which are two co-operation mechanisms
among Member States, namely the network of Computer Security Incident
Response Teams (CSIRT Network), to be coordinated by ENISA, and the
“Cooperation group”, consisting of members of national competent
authorities, the EU Commission and ENISA.
Member States also have to appoint a competent national authority dealing
with NIS matters.
Other important measures include the requirement to produce a national
cybersecurity strategy and the obligation for companies working in critical
sectors such as energy, transport, finance and others to inform national
authorities about incidents of significant impact.
The Executive Director of ENISA, Udo Helmbrecht, commented on this
agreement: “Ensuring the availability, integrity and confidentiality of
critical and digital infrastructures is a challenging task for public and
private stakeholders.
ENISA welcomes the new tasks associated with the implementation of the
NIS Directive and will continue to assist the EU Member States and the
private sector in improving cybersecurity capabilities and cooperation
towards the implementation of the NIS Directive and in line with the
objectives of the DSM.”
Background
The Network and Information Services (NIS) Directive was the main
legislative proposal under the 2013 EU Cybersecurity Strategy.
EU’s cyber security strategy is a policy document published by the
European Commission (EC), explaining a number of steps the EC will
undertake, in cooperation with the Member States, public and private
stakeholders and other relevant actors, in the area of cyber security.
Parliament is expected to approve the agreed text on December 17 and
Council the following day. EU countries will then have 21 months in which
to transpose the directive into national law.
CSIRT network: Since 2005 ENISA has been operating a network of
national and governmental CSIRTs that is used to establish trust and
enable information sharing.
ENISA assists EU public and private cybersecurity experts in preventing
and reacting to future crises.
In particular, ENISA organises regular crisis exercises with hundreds of
participants to train experts, foster cooperation amongst them and provide
guidance on best practices.
The Agency also provides expert training on crisis management, crisis
planning and exercise development, has conducted several studies and has
organised international conferences on the topic of cyber crisis
cooperation. ENISA's Cyber Security Training material was introduced in
2008 and has been extended ever since.
The material covers what is essential for success in the CSIRT community
and in the field of operational security.
Exercises: Since 2010 ENISA has organised the bi-yearly pan-European cyber
exercise Cyber Europe; the next major event will take place in 2016.
Article 13a, ICS-SCADA, NCSS: ENISA has assisted national competent
authorities to implement a harmonised approach to incident reporting for
Telecoms (known as article 13a of the Telecom Package) and Trust Service
Providers (article 19 of eIDAS).
The Agency also assists EU Member States to develop National Cyber
Security Strategies. ENISA has also developed good practices for several
critical sectors and services (e.g. smart grids, ICS-SCADA, cloud, eHealth,
IoT).
New challenges for a new era
Luis M Linde, Governor of the Bank of Spain, at the 8th
Santander International Banking Conference, Madrid
1. Introduction
Good morning.
First, I would like to thank Banco Santander for inviting me to participate
in this new edition of your International Banking Conference.
The first edition took place in the autumn of 2008, right after the fall of
Lehman Brothers and just before the G20 leaders agreed to launch the
financial regulatory reform in an unprecedented globally coordinated
action.
The objective was clear and so was the mandate given to the Financial
Stability Board and the Basel Committee on Banking Supervision: to build a
stronger and more resilient financial system.
Since then, the main pillars of the reform have been put in place.
The list of new measures implemented is long and, I would say, impressive.
I will not review the list, which is very clearly and well explained in the
latest progress reports published by the Financial Stability Board and the
Basel Committee.
I will focus my remarks on three different aspects of the global post-crisis
reform that I find particularly relevant for the topic of this Conference:
First of all, the finalisation, next year, of the Basel III framework.
Second, the new total-loss-absorbing-capacity (TLAC) standard, developed
by the Financial Stability Board and recently endorsed by the G20 leaders.
To finalise, I will briefly refer to a line of work that the Financial Stability
Board is coordinating to address the systemic risks associated with
misconduct in financial institutions and markets.
2. The completion of Basel III
When the crisis started, the global banking system had built up several
vulnerabilities:
- Many banks were highly leveraged.
- Capital proved to be insufficient and its quality was low.
- There was an excessive exposure to liquidity risk.
- The measurement of risk had major shortcomings.
- And there was a lack of awareness of the dangers associated with
systemic risk stemming from complex, opaque and highly interconnected
global financial markets.
Basel III is the regulatory response to address these vulnerabilities and, as
such, it is one of the main elements of the global banking prudential reform.
With Basel III the Basel Committee has:
- Raised the level and quality of capital, especially core Equity Tier 1
capital.
- Introduced additional requirements in order to reduce systemic risk,
such as those imposed on systemically important banks, or the
countercyclical capital buffers.
- Introduced two new liquidity ratios to mitigate liquidity risk.
- Introduced a new leverage ratio to limit leverage and reinforce
risk-based requirements.
- Developed a large-exposures framework to limit the maximum loss in
case of counterparty's failure.
- Last, but not least, the Basel Committee has improved the effectiveness
of supervision by upgrading its Core Principles and by strengthening
the supervision of systemically important banks.
Many of these new rules are now in place and we can say that banks are
more resilient now than in 2009.
But different weaknesses persist.
For this reason, the Basel Committee is undertaking a review of the capital
framework that will be finalised by the end of 2016.
In particular, the methodologies used to measure banks' risks are being
reviewed, both under the standardised approaches and under internal
models.
The standardised approaches are being revised to incorporate the lessons
learned from the crisis so as to increase their risk sensitivity without,
however, making them unduly complex.
Regarding the internal models, they have been criticised because of their
lack of comparability, the variability of the resulting risk-weighted assets,
and their complexity and lack of transparency.
These, let's say, "faults" have undermined the credibility of capital ratios.
Therefore, the Basel Committee is considering including several constraints
on internal models in order to strike a better balance between simplicity,
comparability and risk sensitivity.
The other remaining major challenge is calibration.
Basel III has changed the prudential setting quite significantly.
The days when there was a single metric (the risk-weighted capital ratio)
are over.
We now have several prudential measures that will most probably be
interacting in different ways.
Banks will have to comply with a risk-weighted capital ratio (including
additional buffers); a leverage ratio; two liquidity ratios and the large
exposure limits. Additionally, banks that apply internal models will most
likely face capital floors based on standardised approaches.
Finally, some systemic banks will have to hold additional capital to meet
global-systemically-important-bank (GSIB) buffer and
total-loss-absorbing-capacity (TLAC) requirements.
Applying different metrics will make the framework more resilient because
some metrics will avoid the limitations of others.
For instance, floors based on standardised approaches are meant to be a
kind of control or safeguard on internal model risk calculations.
Therefore, during 2016 the Basel Committee will be quite busy deciding on
the constraints on internal models, calibrating the risk-weighted assets
under standardised approaches (as well as the floors to be based on such
standardised approaches) and performing a review of the calibration of the
leverage ratio.
I would like to underline that this calibration process will build upon the
information provided by banks in the context of the next Quantitative
Impact Study (QIS) exercises that will be undertaken by the Committee.
As always when quantitative issues are involved, the quality of the data will
be a main driver for success in the calibration process.
It is therefore very important that banks provide accurate data to these
impact studies.
Of course, any constructive feedback on the Committee's consultative
documents will also be very helpful in order to improve the whole exercise.
3. The new TLAC framework
The agreement on total-loss-absorbing-capacity, which was published on
9th November and endorsed by the G20 leaders, is an example of
cooperation at global level towards ending the too-big-to-fail problem.
This new TLAC standard guarantees that global systemically important
banks (G-SIBs) will have a sufficient (and well distributed) amount of loss
absorbing capacity to ensure the continuity of their critical functions at the
point of resolution, avoiding the use of public funds. As such, it will
contribute to the credibility of bail-in as an effective resolution tool.
The TLAC requirement establishes that a banking group will have to issue
(and maintain) a minimum amount of capital and debt liabilities to absorb
losses first in case of resolution.
The minimum external TLAC requirement would be placed at each
"resolution entity" within the group (that is, the legal entity where
resolution actions would take place).
G-SIBs must comply with the TLAC minimum standard from 1st January
2019, subject to a phase-in.
This minimum requirement will be calculated as the higher of 16% of the
risk-weighted assets associated with the consolidated balance sheet of the
resolution group and 6% of the denominator of the Basel III leverage ratio.
As of 1st January 2022, these minimum requirements will rise to 18%
and 6.75% respectively.
The TLAC will be required alongside minimum Basel III capital
requirements, and the extra capital buffers (systemic, conservation and
countercyclical) will sit on top of the TLAC risk-weighted metric.
In addition, in order to ensure that there is enough recapitalisation capacity
in resolution, one-third of the minimum TLAC requirement is expected to
be covered with instruments other than CET1 (that is, debt).
It is important to bear in mind that the TLAC establishes a common
minimum global requirement and that national authorities have the right at
any time to apply higher requirements in their jurisdictions.
The TLAC is a new prudential requirement that has different objectives
than the capital ratio. Regulatory capital is mainly to absorb losses in a
going-concern situation, whereas TLAC is meant to ensure loss absorption
in gone-concern situations (that is, beyond the point of non-viability).
I should add that, in a resolution context, the location of loss absorbing
resources becomes very important and, for this reason, the TLAC standard
gives guidance on how these resources should be distributed within the
banking group.
This highlights another important difference between the capital
framework and TLAC: the location of resources.
While the former is required on a consolidated basis for the group as a
whole, TLAC is required where resolution takes effect and where critical
functions are performed.
One of the most complex issues in the design of the TLAC was the need to
ensure consistency between the two main banking resolution strategies: the
Single Point of Entry and the Multiple Point of Entry.
Under a Single Point of Entry strategy, resolution actions will be taken in a
single legal entity that is basically the parent company of the group, which
will have to hold sufficient external TLAC.
Additionally, a certain amount of loss-absorbing capacity should be
pre-positioned in all material subsidiaries.
This would ensure that losses are up-streamed to the resolution entity, thus
avoiding putting the material subsidiary into resolution.
By contrast, under a Multiple Point of Entry strategy, the application of
resolution tools to different parts of the group is allowed under the
assumption of limited interconnections between them.
Therefore, in this model, loss-absorption capacity is primarily located in
each resolution entity (subsidiaries and the parent company). This is the
resolution model chosen by the global Spanish banks as it is a better fit with
their business model.
As I said, one of the most complex issues in the design of the TLAC
standard was to find the correct balance between taking into account the
particularities of each resolution strategy and ensuring consistent
treatment between them.
In this respect, the Bank of Spain welcomes the inclusion of certain
elements that go in the correct direction towards achieving regulatory
consistency between resolution strategies.
Let me stress, when mentioning consistency, that it is important that
different jurisdictions also strive to achieve this objective when introducing
the TLAC standard into their regulations.
Crisis Management Groups (CMGs) will also play a crucial role in ensuring
consistency.
Therefore, coordination between the different national authorities
participating in these CMGs will be relevant in the application of TLAC.
Some examples of these key decisions are:
(1) determining adjustments for Multiple Point of Entry groups regarding
the location of deductions and requirements;
(2) identifying material subsidiaries and resolution entities; and
(3) discussions as to whether the minimum TLAC is sufficient to ensure
orderly resolution or whether additional firm-specific requirements are
needed.
TLAC is quite a demanding new standard.
The estimated increase in issuances of TLAC debt is not negligible, if we
consider the impact assessment performed by the Financial Stability Board
and the Basel Committee: the aggregate shortfall for G-SIBs under the low
calibration represents 16.9 % of the €4.5 trillion G-SIBs unsecured debt
market.
Compliance will be facilitated by the agreed phase-in for TLAC and the
replacement of unsecured liabilities maturing in coming years which will be
an important source of TLAC eligible instruments.
However, the success of both the roll-over and the issuance of new
TLAC-eligible instruments will depend on the absorption capacity of
financial markets.
In any event, we should monitor compliance with the requirements and any
potential unintended impact during the transition period.
4. The plan to address misconduct risks
With the publication of the TLAC term sheet, the Financial Stability Board
has virtually completed its work to address the too-big-to-fail problem in
the banking sector.
But there are other important areas where the FSB is working to fulfil the
G20 mandate.
In particular, the Financial Stability Board has claimed that the problems of
misconduct in some financial institutions have the potential to create
systemic risks, considering the scale of the associated fines and sanctions
which could run into the millions and also the negative impact on
confidence.
This is a serious threat that must be properly addressed.
The banking business is about trust; if confidence in the financial
institutions and markets is lost, the potential for finance to serve the real
economy and foster growth will be undermined.
In response to this threat, a new area of FSB-coordinated work has been set
up.
An action plan has been launched which, among other measures, explores
the pivotal role played by compensation structures and, more generally,
corporate governance frameworks in preventing and mitigating bad
practice.
The FSB is examining whether the reforms already in place, mainly as a
result of principles and standards issued by the OECD, the Basel Committee
and the FSB itself, have proven effective or if, on the contrary, more
preventive measures are required.
5. Closing remarks
Let me conclude. Back in 2009 the FSB and other standard-setting bodies
(such as the Basel Committee) received a mandate from the G20 to restore
the resilience of the financial markets and make future financial crises less
frequent and costly.
Most of the agreed post-crisis measures are now in place and have already
begun to deliver benefits in terms of bank resilience and financial stability.
The Basel Committee intends to finalise the Basel III framework in 2016.
In this respect the two main challenges are:
(i) to find a solution to measure risks in a sensitive, simple and comparable
way; and
(ii) to provide calibration of the capital floors and leverage ratio.
A key driver for success in this calibration exercise will be having access to
accurate data.
I have outlined the main strategic aspects of the new TLAC standard,
designed to provide a first line of defence in gone-concern situations.
Meeting TLAC and Basel III requirements will pose a challenge for banks.
One of these challenges has to do with the potential systemic impact of
misconduct risks, which can undermine confidence.
Having in place adequate compensation structures and sound corporate
governance frameworks is the best way to tackle this.
The Financial Stability Board is leading the work to determine if and when
more measures might be needed to ensure a strong culture in the finance
industry, so that confidence is preserved and financial markets can
continue to serve the real economy.
Thank you for your attention. I wish you a fruitful and interesting
discussion in the rest of the Conference.
US-CERT, Security Tip
Before You Connect a New Computer to the Internet
Why Should I Care About Computer Security?
Computers help us maintain our financial, social, and professional
relationships.
We use them for banking and bill paying, online shopping, connecting with
our friends and family through email and social networking sites,
researching data posted on the Internet, and so much more.
We rely heavily on our computers to provide these services, yet we
sometimes overlook our need to secure them.
Because our computers play such critical roles in our lives, and we input
and view so much personally identifiable information (PII) on them, it’s
imperative to maintain computer security that ensures the safe processing
and storage of our information.
How Do I Improve the Security of My Home Computer?
Following are important steps you should consider to make your home
computer more secure.
While no individual step will eliminate your risk, together these
defense-in-depth practices will make your home computer’s defense
stronger and minimize the threat of malicious exploit.
Connect to a Secure Network
Once your computer is connected to the Internet, it’s also connected to
millions of other computers, which could allow attackers access to your
computer.
Information flows from the Internet to your home network by first coming
into your modem, then into your router and finally into your computer.
Although cable modem, digital subscriber line (DSL), and internet service
providers (ISP) purport some level of security monitoring, it’s crucial to
secure your router—the first securable device that receives information
from the Internet.
Be sure to secure it before you connect to the Internet to improve your
computer's security. (See Securing Your Home Network for more
information.)
Enable and Configure a Firewall
A firewall is a device that controls the flow of information between your
computer and the Internet, similar to a router.
Most modern operating systems include a software firewall. In addition to
the operating system’s firewall, the majority of home routers have a firewall
built in.
Refer to your user’s guide for instructions on how to enable your firewall.
Once your firewall is enabled, consult the user’s guide to learn how to
configure the security settings and set a strong password to protect it
against unwanted changes.
(See Understanding Firewalls for more information.)
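The tip describes a firewall as the device that decides which traffic may pass between the computer and the Internet. The following small policy evaluator is an added illustration, not US-CERT code and not any real firewall's rule syntax; it shows the two properties a sound home policy relies on: rules are checked in order and the first match wins, and anything no rule allows is dropped (default deny inbound). The packets, addresses and the `HOME_POLICY` / `OPEN_POLICY` rule sets are constructed for the example.

```python
"""Minimal host-firewall policy evaluator (added illustration, not US-CERT code).

Models how a firewall "controls the flow of information": each packet is
matched against an ordered rule list; the first matching rule decides, and an
unmatched packet is denied. All packets and rules below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the protected host
    proto: str          # "tcp" or "udp"
    src: str            # source address as a string
    dst_port: int
    established: bool   # True if the packet belongs to a connection the host opened


@dataclass(frozen=True)
class Rule:
    direction: str
    action: str                        # "allow" or "deny"
    proto: Optional[str] = None        # None matches any protocol
    dst_port: Optional[int] = None     # None matches any port
    src_prefix: Optional[str] = None   # crude prefix match, e.g. "192.168.1."
    established_only: bool = False     # only match replies to host-initiated connections

    def matches(self, p: Packet) -> bool:
        if self.direction != p.direction:
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        if self.src_prefix is not None and not p.src.startswith(self.src_prefix):
            return False
        if self.established_only and not p.established:
            return False
        return True


def evaluate(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


# Constructed home-computer policy: all outbound allowed, replies to
# connections the host opened allowed, one LAN-only service, everything else dropped.
HOME_POLICY = [
    Rule(direction="out", action="allow"),
    Rule(direction="in", action="allow", established_only=True),
    Rule(direction="in", action="allow", proto="tcp", dst_port=445, src_prefix="192.168.1."),
]

# Weak policy for contrast: every inbound connection is accepted.
OPEN_POLICY = [
    Rule(direction="in", action="allow"),
    Rule(direction="out", action="allow"),
]

# Constructed sample traffic (documentation-range addresses).
SAMPLE_PACKETS = {
    "web_reply":     Packet("in", "tcp", "203.0.113.10", 51234, established=True),
    "lan_fileshare": Packet("in", "tcp", "192.168.1.20", 445, established=False),
    "inet_rdp":      Packet("in", "tcp", "198.51.100.7", 3389, established=False),
    "inet_smb":      Packet("in", "tcp", "198.51.100.7", 445, established=False),
    "outbound_dns":  Packet("out", "udp", "192.168.1.5", 53, established=False),
}


def decisions(rules: List[Rule]) -> Dict[str, str]:
    """Verdict for every sample packet under the given policy."""
    return {name: evaluate(rules, pkt) for name, pkt in SAMPLE_PACKETS.items()}


if __name__ == "__main__":
    for name, verdict in decisions(HOME_POLICY).items():
        print(f"{name:14s} -> {verdict}")
```

Under `HOME_POLICY` the unsolicited inbound connections from the Internet are dropped even though port 445 is open to the LAN, because the source-prefix condition fails; under `OPEN_POLICY` the same packets are accepted, which is the state the tip warns about when it says to enable and configure the firewall before connecting.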
Install and Use Antivirus and Antispyware Software
Installing an antivirus and antispyware software program and keeping it up
to date is a critical step in protecting your computer.
Many types of antivirus and antispyware software can detect the possible
presence of malware by looking for patterns in the files or memory of your
computer. This software uses virus signatures provided by software vendors
to look for malware.
Antivirus vendors frequently create new signatures to keep their software
effective against newly discovered malware.
Many antivirus and antispyware programs offer automatic updating.
Enable that feature so your software always has the most current
signatures.
If automatic updates aren’t offered, be sure to install the software from a
reputable source, like the vendor’s website or a CD from the vendor.
(See Understanding Anti-Virus Software.)
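The paragraph above says antivirus software finds malware by "looking for patterns in the files", using signatures the vendor updates. The following toy scanner is an added illustration, not US-CERT code and not any vendor's engine; it shows the mechanism and why the tip insists on keeping signatures current: a file the scanner missed yesterday is detected only after the signature update arrives. The "files", markers and signature names (`Constructed.Dropper.A`, `Constructed.Dropper.B`) are all constructed and carry no real malware.

```python
"""Toy signature-based scanner (added illustration, not US-CERT or vendor code).

Two signature types are shown: a byte pattern that matches a family, and an
exact SHA-256 hash that matches one specific file. The sample files and
signatures are constructed for this example.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SignatureDB:
    version: int
    byte_patterns: Dict[str, bytes] = field(default_factory=dict)   # name -> pattern
    file_hashes: Dict[str, str] = field(default_factory=dict)       # sha256 hex -> name

    def update(self, new_patterns: Optional[Dict[str, bytes]] = None,
               new_hashes: Optional[Dict[str, str]] = None) -> None:
        """Merge a vendor 'update' into the local DB and bump the version."""
        self.byte_patterns.update(new_patterns or {})
        self.file_hashes.update(new_hashes or {})
        self.version += 1


def scan(content: bytes, db: SignatureDB) -> List[str]:
    """Return the names of every signature that matches `content`."""
    hits: List[str] = []
    digest = hashlib.sha256(content).hexdigest()
    if digest in db.file_hashes:
        hits.append(db.file_hashes[digest])
    for name, pattern in db.byte_patterns.items():
        if pattern in content:
            hits.append(name)
    return hits


# Constructed "files" on the machine being checked (harmless byte strings).
FILES: Dict[str, bytes] = {
    "report.txt": b"Quarterly numbers attached. Regards, Accounting.",
    "old_dropper.bin": b"\x00" * 16 + b"CONSTRUCTED-DROPPER-MARKER-v1" + b"\x00" * 8,
    "new_variant.bin": b"\x00" * 16 + b"CONSTRUCTED-DROPPER-MARKER-v2" + b"\x00" * 8,
}


def initial_db() -> SignatureDB:
    """Yesterday's signature set: knows only the old family."""
    return SignatureDB(
        version=1,
        byte_patterns={"Constructed.Dropper.A": b"CONSTRUCTED-DROPPER-MARKER-v1"},
    )


def scan_all(db: SignatureDB) -> Dict[str, List[str]]:
    return {name: scan(data, db) for name, data in FILES.items()}


def run_demo() -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Scan before and after applying a signature update; return both result sets."""
    db = initial_db()
    before = scan_all(db)
    # The "update" adds an exact-hash signature for the new variant.
    new_hash = hashlib.sha256(FILES["new_variant.bin"]).hexdigest()
    db.update(new_hashes={new_hash: "Constructed.Dropper.B"})
    after = scan_all(db)
    return before, after


if __name__ == "__main__":
    before, after = run_demo()
    print("before update:", before)
    print("after update: ", after)
```

The hash signature only catches the exact bytes it was written for, while the byte pattern catches anything containing the marker; real engines layer many such techniques, but the dependency on a current signature set is the same.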
Remove Unnecessary Software
Intruders can attack your computer by exploiting software vulnerabilities
(that is, flaws or weaknesses), so the less software you have installed, the
fewer avenues for potential attack.
Check the software installed on your computer.
If you don’t know what a software program does and don’t use it, research it
to determine whether it’s necessary. Remove any software you feel isn’t
necessary after confirming it’s safe to remove the software.
Back up important files and data before removing unnecessary software in
case you accidentally remove software essential to the operating system.
If possible, locate the installation media for the software in case you need to
reinstall it.
Modify Unnecessary Default Features
Like removing unnecessary software and disabling nonessential services,
modifying unnecessary default features eliminates opportunities for attack.
Review the features that came enabled by default on your computer and
disable or customize those you don’t need or plan on using.
As with nonessential services, be sure to research these features before
disabling or modifying them.
Operate Under the Principle of Least Privilege
In most instances of a malware infection, the malware can operate only
under the rights of the logged-in user.
To minimize the impact the malware can have if it successfully infects a
computer, consider using a standard or restricted user account for
day-to-day activities and only logging in with the administrator account
(which has full operating privileges on the system) when you need to install
or remove software or change system settings from the computer.
Secure Your Web Browser
Web browsers installed on new computers usually don’t have secure default
settings.
Securing your browser is another critical step in improving your computer’s
security because an increasing number of attacks take advantage of web
browsers. (See Securing Your Web Browser.)
Apply Software Updates and Enable Future Automatic Updates
Most software vendors release updates to patch or fix vulnerabilities, flaws,
and weaknesses (bugs) in their software.
Because intruders can exploit these bugs to attack your computer, keeping
your software updated is important to help prevent infection.
(See Understanding Patches.)
When you set up a new computer (and after you have completed the
previous practices), go to your software vendors’ websites to check for and
install all available updates.
Enable automatic updates if your vendors offer it; that will ensure your
software is always updated, and you won’t have to remember to do it
yourself.
Many operating systems and software have options for automatic updates.
As you’re setting up your new computer, be sure to enable these options if
offered.
Be cautious, however, because intruders can set up malicious websites that
look nearly identical to legitimate sites.
Only download software updates directly from a vendor’s website, from a
reputable source, or through automatic updating.
Use Good Security Practices
You can do some simple things to improve your computer’s security. Some
of the most important are:
• Use caution with email attachments and untrusted links. Malware is
commonly spread by people clicking on an email attachment or a link
that launches the malware.
Don’t open attachments or click on links unless you’re certain they’re
safe, even if they come from a person you know. Some malware sends
itself through an infected computer.
While the email may appear to come from someone you know, it really
came from a compromised computer.
Be especially wary of attachments with sensational names, emails that
contain misspellings, or emails that try to entice you into clicking on a
link or attachment (for example, an email with a subject line that reads,
“Hey, you won’t believe this picture of you I saw on the Internet!”).
(See Using Caution with Email Attachments.)
• Use caution when providing sensitive information. Some email or web
pages that appear to come from a legitimate source may actually be the
work of an attacker.
An example is an email claiming to be sent from a system
administrator requesting your password or other sensitive information
or directing you to a website requesting that information.
While Internet service providers may request that you change your
password, they will never specify what you should change it to or ask
you what it is. (See Avoiding Social Engineering and Phishing Attacks.)
• Create strong passwords. Passwords that have eight or more
characters, use a variety of uppercase and lowercase letters, and
contain at least one symbol and number are best.
Don’t use passwords that people can easily guess like your birthday or
your child’s name.
Password detection software can conduct dictionary attacks to try
common words that may be used as passwords or conduct brute-force
attacks where the login screen is pummeled with random attempts
until it succeeds.
The longer and more complex a password is, the harder these tools
have to work to crack it.
Also, when setting security verification questions, choose questions for
which it is unlikely that an Internet search would yield the correct
answer. (See Choosing and Protecting Passwords.)
US-CERT, Security Tip
Securing Your Home Network
How are routers used in your home network?
Home routers have become an integral part of our global communications
footprint as use of the Internet has grown to include home-based
businesses, telework, schoolwork, social networking, entertainment, and
personal financial management. Routers facilitate this broadened
connectivity. Most of these devices are preconfigured at the factory and are
Internet-ready for immediate use. After installing routers, users often
connect immediately to the Internet without performing any additional
configuration. Users may be unwilling to add configuration safeguards
because configuration seems too difficult or users are reluctant to spend the
time with advanced configuration settings.
Unfortunately, the default configuration of most home routers offers little
security and leaves home networks vulnerable to attack. Small businesses
and organizations often use these same home routers to connect to the
Internet without implementing additional security precautions and expose
their organizations to attack.
Why secure your home router?
Home routers are directly accessible from the Internet, are easily
discoverable, are usually continuously powered-on, and are frequently
vulnerable because of their default configuration. These characteristics
offer an intruder the perfect target to obtain a user’s personal or business
data. The wireless features incorporated into many of these devices add
another vulnerable target.
How can you prevent unauthorized access to your home network?
The preventive steps listed below are designed to increase the security of
home routers and reduce the vulnerability of the internal network against
attacks from external sources.
• Change the default username and password: These default usernames
and passwords are readily available in different publications and are
well known to attackers; therefore, they should be immediately
changed during the initial router installation. It’s best to use a strong
password, consisting of letters, numbers, and special characters
totaling at least 14 characters. Manufacturers set default usernames
and passwords for these devices at the factory for their troubleshooting
convenience. Furthermore, change passwords every 30 to 90 days. See
Choosing and Protecting Passwords for more information on creating a
strong router password.
• Change the default SSID: A service set identifier (SSID) is a unique
name that identifies a particular wireless local area network (WLAN).
All wireless devices on a WLAN must use the same SSID to
communicate with each other. Manufacturers set a default SSID at the
factory, and this SSID typically identifies the manufacturer or the
actual device. An attacker can use the default SSID to identify the
device and exploit any of its known vulnerabilities. Users sometimes
set the SSID to a name that reveals their organization, their location, or
their own name. This information makes it easier for the attacker to
identify the specific business or home network based upon an SSID
that explicitly displays the organization’s name, organization’s
location, or an individual’s own name. For example, an SSID that
broadcasts a company name is a more attractive target than an SSID
broadcasting “ABC123.” Using default or well-known SSIDs also makes
brute force attacks against WPA2 keys easier. When choosing an SSID,
make the SSID unique, and not tied to your personal or business
identity.
• Don’t stay logged in to the management website for your
router: Routers usually provide a website for users to configure and
manage the router. Do not stay logged into this website, as a defense
against cross-site request forgery (CSRF) attacks. In this context, a
CSRF attack would transmit unauthorized commands from an attacker
to the router’s management website.
• Configure Wi-Fi Protected Access 2 (WPA2)-Advanced Encryption
Standard (AES) for data confidentiality: Some home routers still use
Wired Equivalent Privacy (WEP), which is not recommended. In fact, if
your router or device supports only WEP, but not other encryption
standards, you should upgrade your network device.
One newer standard, WPA2-AES, encrypts the communication
between the wireless router and the wireless computing device,
providing stronger authentication and authorization between the
devices. WPA2 incorporates the Advanced Encryption Standard (AES)
128-bit encryption that is encouraged by the National Institute of
Standards and Technology (NIST). WPA2 with AES is the most secure
router configuration for home use.
• Immediately disable WPS: Wi-Fi Protected Setup (WPS) provides
simplified mechanisms to configure moderately secure wireless
networks. A design flaw that exists in the WPS specification for the PIN
authentication significantly reduces the time required to brute force
the entire PIN because it allows an attacker to know when the first half
of the 8-digit PIN is correct. The lack of a proper lockout policy after a
certain number of failed attempts to guess the PIN on many wireless
routers makes a brute-force attack much more likely to occur.
• Limit WLAN signal emissions: WLAN signals frequently broadcast
beyond the perimeters of your home or organization. This extended
emission allows eavesdropping by intruders outside your network
perimeter. Therefore, it’s important to consider antenna placement,
antenna type, and transmission power levels. Local area networks
(LANs) are inherently more secure than WLANs because they are
protected by the physical structure in which they reside. Limit the
broadcast coverage area when securing your WLAN. A centrally
located, omnidirectional antenna is the most common type used. If
possible, use a directional antenna to restrict WLAN coverage to only
the areas needed. Experimenting with transmission levels and signal
strength will also allow you to better control WLAN coverage. Note that
a sensitive antenna may pick up signals from further away than
expected; a motivated attacker may still be able to reach an access
point that has limited coverage.
• Turn the network off when not in use: While it may be impractical to
turn the devices off and on frequently, consider this approach during
travel or extended offline periods. The ultimate in wireless security
measures—shutting down the network—will definitely prevent outside
attackers from being able to exploit your WLAN.
• Disable UPnP when not needed: Universal Plug and Play (UPnP) is a
handy feature allowing networked devices to seamlessly discover and
establish communication with each other on the network. Though the
UPnP feature eases initial network configuration, it is also a security
hazard. For example, malware within your network could use UPnP to
open a hole in your router firewall to let intruders in. Therefore, disable
UPnP unless you have a specific need for it.
• Upgrade firmware: Just like software on your computers, the router
firmware (the software that operates it) must have current updates and
patches. Many of the updates address security vulnerabilities that
could affect the network. When considering a router, check the
manufacturer’s website to see if the website provides updates to
address security vulnerabilities.
• Disable remote management: Disable this to keep intruders from
establishing a connection with the router and its configuration through
the wide area network (WAN) interface.
• Monitor for unknown device connections: Use your router’s
management website to determine if any unauthorized devices have
joined or attempted to join your network. If an unknown device is
identified, a firewall or media access control (MAC) filtering rule can
be applied on the router. For further information on how to apply these
rules, see the literature provided by the manufacturer or the
manufacturer’s website.
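The "monitor for unknown device connections" step above can be automated by comparing the router's DHCP lease table against a list of devices you know about. The script below is an added example, not part of the US-CERT tip: it parses constructed lease lines in the dnsmasq leases-file layout (expiry, MAC, IP, hostname, client-id), normalises MAC address spelling, and reports any lease whose MAC is not on a constructed household allowlist. The sample leases and the allowlist are invented for the demonstration.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str

# Constructed sample leases in dnsmasq "leases file" layout:
# <expiry epoch> <MAC> <IP> <hostname> <client-id>
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:dd:ee:01 192.168.1.10 family-laptop 01:aa:bb:cc:dd:ee:01
1700000600 AA:BB:CC:DD:EE:02 192.168.1.11 phone *
1700001200 de:ad:be:ef:00:42 192.168.1.57 * *
1700001800 aa:bb:cc:dd:ee:03 192.168.1.12 printer 01:aa:bb:cc:dd:ee:03
"""

# Constructed allowlist: MACs of the devices the household knows about.
KNOWN_DEVICES = {
    "aa:bb:cc:dd:ee:01": "family laptop",
    "AA-BB-CC-DD-EE-02": "phone",          # different spelling on purpose
    "aa:bb:cc:dd:ee:03": "printer",
}

def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    hexdigits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(hexdigits) != 12 or any(c not in "0123456789abcdef" for c in hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def parse_leases(text: str) -> list[Lease]:
    """Parse lease lines; blank or truncated lines are skipped rather than fatal."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expires, mac, ip, hostname = parts[0], parts[1], parts[2], parts[3]
        leases.append(Lease(int(expires), normalize_mac(mac), ip, hostname))
    return leases

def unknown_devices(leases: list[Lease], known: dict) -> list[Lease]:
    """Return every lease whose MAC is not on the allowlist."""
    known_macs = {normalize_mac(m) for m in known}
    return [lease for lease in leases if lease.mac not in known_macs]

if __name__ == "__main__":
    for lease in unknown_devices(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES):
        print(f"unknown device {lease.mac} at {lease.ip} (hostname {lease.hostname})")
```

A MAC allowlist is a weak signal on its own: many phones randomise their MAC per network and the address can be set freely by any client, so treat a hit as a prompt to check the router's client list, not as proof of intrusion, and pair it with the management-password and firmware steps above.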
Note: If you must use WEP, it should be configured with the 128-bit key
option and the longest pre-shared key the router administrator can
manage. Note that WEP at its "strongest" is still easily cracked.
NISTIR 7987 Revision 1
Policy Machine: Features, Architecture, and Specification
David Ferraiolo, Serban Gavrila, Wayne Jansen
Reports on Computer Systems Technology
The Information Technology Laboratory (ITL) at the National Institute of
Standards and Technology (NIST) promotes the U.S. economy and public
welfare by providing technical leadership for the Nation’s measurement
and standards infrastructure.
ITL develops tests, test methods, reference data, proof of concept
implementations, and technical analyses to advance the development and
productive use of information technology.
ITL’s responsibilities include the development of management,
administrative, technical, and physical standards and guidelines for the
cost-effective security and privacy of other than national security-related
information in federal information systems.
Note
This version (Revision 1) of NISTIR 7987 revises the original publication
(dated May 2014).
Changes were made to reorganize and improve the content of the report,
incorporate additional material, and bring the report into close alignment
with the terminology and notation of the emerging NGAC-GOADS
standard.
This report, while aligned with NGAC-GOADS, provides additional details
and background material that are intended to aid readers in understanding
the function and operation of the access control model and provide insight
into its implementation.
Introduction
Access control as it pertains to a computing environment is the ability to
allow or prevent an entity from using a computing resource in some specific
manner.
A common example of resource use is reading a file.
The access control has two distinct parts: policy definition where access
authorizations to resources are specified, and policy enforcement where
attempts to access resources are intercepted, and allowed or disallowed.
An access control policy is a comprehensive set of access authorizations that
govern the use of computing resources system wide.
Controlling access to sensitive data in accordance with policy is perhaps the
most fundamental security requirement that exists.
Yet, despite more than four decades of security research, existing access
control mechanisms have a limited ability to enforce a wide, comprehensive
range of policies, and instead enforce a specific type of policy.
Most, if not all, significant information systems employ some means of
access control.
The main reason is that without sufficient access control, the service being
provisioned would likely be undermined.
Many types of access control policies exist.
An enforcement mechanism for a specific type of access control policy is
normally inherent in any computing platform.
Applications built upon a computing platform typically make use of the
access control capabilities available in some way to suit its needs.
An application may also institute its own distinct layer of access controls for
the objects formed and manipulated at the level of abstraction it provides.
A common example of an application abstraction layer is a database
application that implements a role-based access control mechanism, while
operating on a host computer that implements a more elementary
discretionary access control mechanism.
When composing different computing platforms to implement an
information system, a policy mismatch can occur.
A policy mismatch arises when the narrow range of policies supported by
the various access control mechanisms involved have differences that make
them incompatible for meeting a specific need.
In some cases, it is possible to work around limitations in the ability for all
platforms to express a consistent access control policy, by mapping
equivalences between the available access control constructs to effect the
intended policy.
For example, a traditional multi-level access control system that supports
information flow policies has been demonstrated as capable of effecting
role-based access control policies through carefully designed and
administered configuration options.
However, such mappings require that the correct semantic context is used
consistently when administering policy, which can be mentally taxing and
error inducing, and prevent the desired policy from being maintained
correctly in the information system.
NIST has devised a general-purpose access control framework, referred to
as the Policy Machine (PM), which can express and enforce arbitrary,
organization-specific, attribute-based access control policies through policy
configuration settings.
The PM is defined in terms of a fixed set of configurable data relations and a
fixed set of functions that are generic to the specification and enforcement
of combinations of a wide set of attribute-based access control policies.
The PM offers a new perspective on access control in terms of a
fundamental and reusable set of data abstractions and functions.
The goal of the PM is to provide a unifying framework that supports
commonly known and implemented access control policies, as well as
combinations of common policies, and policies for which no access control
mechanism presently exists.
Access control policies typically span numerous systems and applications
used by an organization.
However, when users need to access resources that are protected under
different control mechanisms, the differences in the type and range of
policies supported by each mechanism can differ vastly, creating policy
mismatches.
If the PM framework was reified in every computing platform, obvious
benefits would be not only the elimination of policy mismatches, but also
the ability to meet organizational security requirements readily, since a
wider range of arbitrary policies could be expressed uniformly throughout
the platforms that comprise an information system.
The PM can arguably be viewed as a dramatic shift in the way policy can be
specified and enforced. But more importantly, it can also be viewed as a way
to develop applications more effectively by taking advantage of the control
features offered by the PM and using them to meet the access control needs
for objects within the layer of abstraction the application provides.
That is, the PM framework affords applications a single generic facility that
can not only enforce access control policies comprehensively across
distributed and centralized operating environments, but also subsume
aspects involving the characterization, distribution, and control of
implemented capabilities, resulting in a dramatic alleviation of many of the
administrative, policy enforcement, data interoperability, and usability
challenges faced by enterprises today.
Purpose and Scope
The purpose of this Internal Report (IR) is to provide an overview of the PM
and guidelines for its implementation.
The report explains the basics of the PM framework and discusses the range
of policies that can be specified and enacted.
It also describes the architecture of the PM and the details of key functional
components.
The intended audience for this document includes the following categories
of individuals:
• Computer security researchers interested in access control and
authorization frameworks
• Security professionals, including security officers, security
administrators, auditors, and others with responsibility for information
technology security
• Executives and technology officers involved in decisions about
information technology security products
• Information technology program managers concerned with security
measures for computing environments.
This document, while technical in nature, provides background information
to help readers understand the topics that are covered.
The material presumes that readers have a basic understanding of
computer security and possess fundamental operating system and
networking expertise.
Background
Classical access control models and mechanisms are defined in terms of
subjects (S), access rights (A), and named objects (O).
Users represent individuals who directly interact with a system and have
been authenticated and established their identities.
A user identity is unique and maps to only one individual.
A user is unable to access objects directly, and instead must perform
accesses through a subject.
A subject represents a user and any system process or entity that acts on
behalf of a user.
Subjects are the active entities of a system that can cause a flow of
information between objects or change the security state of the system.
Objects are system entities that must be protected.
Each object has a unique system-wide identifier.
The set of objects may pertain to processes, files, ports, and other system
abstractions, as well as system resources such as printers. Subjects may also
be included in the set of objects.
In effect, this allows them to be governed by another subject.
That is, the governing subject can administer the access of such subjects to
objects under its control.
The selection of entities included in the set of objects is determined by the
protection requirements of the system.
Subjects operate autonomously and may interact with other subjects.
Subjects may be permitted modes of access to objects that are different
from those other subjects.
When a subject attempts to access an object, a reference mediation function
determines whether the subject’s assigned permissions adequately satisfy
policy before allowing the access to take place.
In addition to carrying out user accesses, a subject may maliciously (e.g.,
through a Trojan horse) or inadvertently (e.g., through a coding error)
make requests that are unknown to and unwanted by its user.
An access matrix provides a simple representation of the access modes to
an object for which a subject is authorized [Lam71, Gra72, Har76].
Figure 1 provides a simple illustration of an access matrix.
Each row of the matrix represents a subject, Si, while each column
represents an object, Oj.
Each entry, Ai,j, at the intersection of a row and column of the matrix,
contains the set of access rights for the subject to the object.
The access matrix model, while simple, can express a broad range of
policies, because it is based on a general form of an access rule (i.e., subject,
access mode, object), and imposes little restriction on the rule itself.
Since, in most situations, subjects do not need access rights to most objects,
the matrix is typically sparse.
Several, more space-efficient representations have been proposed as
alternatives.
An authorization relation, for example, represents an access matrix as a list
of triples of the form (Si, Ai,j, Oj).
Each triple represents the access rights of a subject to an object and this
representation is typically used in relational database systems.
Access control and capability lists are two other forms of representation.
An access control list (ACL) is associated with each object in the matrix and
corresponds to a column of the access matrix.
Each access entry in the ACL contains the pair (Si, Ai,j), which specifies the
subjects that can access the object, along with each subject’s rights or
modes of access to the object.
ACLs are widely used in present-day operating systems.
Similarly, a capability list is associated with each subject and corresponds
to a row of the matrix.
Each entry in a capability list is the pair (Ai,j, Oj), which specifies the
objects the subject can access, along with its access rights to each object.
A capability list can thus be thought of as the inverse of an access control
list.
Capability lists, when bound with the identity of the subject, have use in
distributed systems.
A key difference between the capability list and access control list is the
subject’s ability to identify objects in the latter.
With an access control list, a subject can identify any object in the system
and attempt access; the access control mechanism can then mediate the
access attempt using the object’s access list to verify whether the subject is
authorized for the requested mode of access.
In a capability system, a subject can identify only those objects for which it
holds a capability.
Possessing a capability for the object is a requisite for the subject to attempt
access to an object, which is then mediated by the reference mediation
function.
Both the contents of access control and capability lists, as well as the access
control mechanism itself, must be protected from compromise to prevent
unauthorized subjects from gaining access to an object.
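The three representations just described (authorization relation, ACL, capability list) are all views of the same sparse access matrix, and the two mediation styles differ in whether a subject can name an object at all. The following Python is an added example, not code from the NIST report: it builds a constructed matrix in the spirit of Figure 1, derives the (Si, Ai,j, Oj) triples, the per-object ACLs and the per-subject capability lists, mediates requests in both styles, and shows that the column view reconstructs the original matrix losslessly.

```python
from __future__ import annotations
from typing import Dict, FrozenSet, List, Tuple

Rights = FrozenSet[str]
# Sparse access matrix: (subject, object) -> rights; an absent key means no rights.
AccessMatrix = Dict[Tuple[str, str], Rights]

# Constructed sample matrix (illustrative only, not the report's Figure 1 values).
MATRIX: AccessMatrix = {
    ("S1", "O1"): frozenset({"read", "write"}),
    ("S1", "O2"): frozenset({"read"}),
    ("S2", "O2"): frozenset({"read", "write"}),
    ("S3", "O3"): frozenset({"execute"}),
}

def authorization_relation(m: AccessMatrix) -> List[Tuple[str, str, str]]:
    """Triples (Si, Ai,j, Oj), one per right, as a relational database would store them."""
    return sorted((s, a, o) for (s, o), rights in m.items() for a in rights)

def access_control_lists(m: AccessMatrix) -> Dict[str, Dict[str, Rights]]:
    """Column view: object -> {subject -> rights}; one ACL hangs off each object."""
    acls: Dict[str, Dict[str, Rights]] = {}
    for (s, o), rights in m.items():
        acls.setdefault(o, {})[s] = rights
    return acls

def capability_lists(m: AccessMatrix) -> Dict[str, Dict[str, Rights]]:
    """Row view: subject -> {object -> rights}; one capability list per subject."""
    caps: Dict[str, Dict[str, Rights]] = {}
    for (s, o), rights in m.items():
        caps.setdefault(s, {})[o] = rights
    return caps

def mediate_acl(acls, subject: str, obj: str, mode: str) -> bool:
    """ACL system: any subject may name any object; the object's ACL decides."""
    return mode in acls.get(obj, {}).get(subject, frozenset())

def mediate_capability(caps, subject: str, obj: str, mode: str) -> bool:
    """Capability system: the subject can only name objects it holds a capability for."""
    held = caps.get(subject, {})
    if obj not in held:
        return False          # object is not even nameable by this subject
    return mode in held[obj]

def rebuild_matrix(acls) -> AccessMatrix:
    """The ACL view is lossless: folding all columns back yields the sparse matrix."""
    return {(s, o): r for o, entries in acls.items() for s, r in entries.items()}

if __name__ == "__main__":
    for triple in authorization_relation(MATRIX):
        print(triple)
```

Both mediation functions read only from their own representation, which is the point of the passage: an ACL lookup starts from the object, a capability lookup starts from the subject, and protecting whichever structure holds the rights is what keeps the mediation trustworthy.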
Access Control Models
Discretionary models form a broad class of access control models.
Discretionary in this context means that subjects, which represent users as
opposed to administrators, are allowed some freedom to manipulate the
authorizations of other subjects to access objects.
Non-discretionary models are the complement of discretionary models,
insofar as they require that access control policy decisions are regulated by
a central authority, not by the individual owner of an object.
That is, authorizations to objects can be changed only through the actions
of subjects representing administrators, and not by those representing
users.
With non-discretionary models, subjects and objects are typically classified
into or labeled with distinct categories.
Category-sensitive access rules that are established through administration
completely govern the access of a subject to an object and are not
modifiable at the discretion of the subject.
Many different access control models, both discretionary and
non-discretionary, have been developed to suit a variety of purposes.
Models are often developed or influenced by well-conceived organizational
policies for controlling access to information, whose key properties are
generalized, abstracted, and described in some formal or semi-formal
notation.
Therefore, models typically differ from organizational policy in several
ways.
As mentioned, models deal with abstractions that involve a formal or
semi-formal definition, from which the presence or lack of certain
properties may be demonstrated.
Organizational policy on the other hand is usually a more informally stated
set of high-level guidelines that provide a rationale for the way accesses are
to be controlled, and may also give decision rules about permitting or
denying certain types of access.
Policies may be also incomplete, include statements at variable levels of
discourse, and contain self-contradictions, while models typically involve
only essential conceptual artifacts, are composed at a uniform level of
discourse, and provide a consistent set of logical rules for access control.
Organizational objectives and policy for access control may not align well
with those of a particular access control model.
For example, some models enforce a strict policy that may be too restrictive for
some organizations to carry out their mission, but essential for others.
Even if alignment between the two is strong, in general, the organizational
access control policy may not be satisfied fully by the model.
For example, different federal agencies can have different conformance
directives regarding privacy that must be met, which affect the access
control policy.
Nevertheless, access control models can provide a strong baseline from
which organizational policy can be satisfied.
Well-known models include Discretionary Access Control, Mandatory
Access Control, Role Based Access Control, One-directional Information
Flow, Chinese Wall, Clark-Wilson, and N-person Control.
Several of these models are discussed below to give an idea of the scope and
variability between models.
They are also used later in the report to demonstrate how seemingly
different models can be expressed using the Policy Machine model.
It is important to keep in mind that models are written at a high conceptual
level, which stipulates concisely the scope of policy and the desired
behavior between defined entities, but not the security mechanisms needed
to reify the model for a specific computational environment, such as an
operating system or database management system.
While certain implementation aspects may be inferred from an access
control model, such models are normally implementation free, insofar as
they do not dictate how an implementation and its security mechanisms
should be organized or constructed.
These aspects of security are addressed through information assurance
processes.
Discretionary Access Control (DAC)
The access matrix discussed in the previous section was originally
envisioned as a discretionary access control (DAC) model.
Many other DAC models have been derived from the access matrix and
share common characteristics.
The access matrix was later formalized as the now well-known HRU model
and used to analyze the complexity of computing the safety properties of
the model, which was found to be undecidable.
DAC policies can be expressed in the HRU model, but DAC should not be
equated to it, since the HRU model is policy neutral and can also be used to
express access control policies that are non-discretionary.
In addition to an administrator’s ability to manipulate a subject’s
authorization to access objects, a DAC access matrix model leaves a certain
amount of control to the discretion of the object's owner.
Ownership of an object is typically conferred to the subject that created the
object, along with the capabilities to read and write the object.
For example, it is the owner of the file who can control other subjects'
accesses to the file.
Control then implies possession of administrative capabilities to create and
modify access control entries associated with a set of other subjects, which
pertain to owned objects.
Control may also involve the transfer of ownership to other subjects.
Only those subjects specified by the owner may have some combination of
permissions to the owner’s files.
DAC policy tends to be very flexible and is widely used in the commercial
and government sectors.
However, DAC potentially has two inherent weaknesses.
The first is the owner's inability to control access to an object once
permissions have been passed on to another subject.
For example, when one user grants another user read access to a file,
nothing stops the recipient user from copying the contents of the file to an
object under its exclusive control.
The recipient user may now grant any other user access to the copy of the
original file without the knowledge of the original file owner.
Some DAC models have the ability to control the propagation of
permissions.
The second weakness is vulnerability to Trojan horse attacks, which is a
common weakness of all DAC models.
In a Trojan horse attack, a process operating on behalf of a user may contain
malware that surreptitiously performs other actions unbeknownst to the
user. Because the process runs with the user's discretionary permissions, it
can read whatever the user can read and copy it to an object the attacker
controls, and the access matrix cannot distinguish this from legitimate use.
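The following Python is an added example and not code from NIST IR 7987r1: a minimal access matrix in which creation confers ownership, only the owner can add entries, and ownership can be transferred. The demo function walks through the first weakness described above: a grantee copies the file into an object it owns and re-grants it to a third user without the original owner's involvement. The subjects, file names and contents are constructed for the demo.

```python
# Added example (not from NIST IR 7987r1): a minimal DAC access matrix.
# Subjects, object names and file contents below are constructed for the demo.
from collections import defaultdict


class AccessMatrix:
    """Subjects x objects -> set of rights; "own" carries the grant capability."""

    def __init__(self):
        self.matrix = defaultdict(lambda: defaultdict(set))
        self.contents = {}  # object -> data

    def create(self, subject, obj, data=""):
        # Creation confers ownership plus read and write on the creator.
        if obj in self.contents:
            raise ValueError(f"object {obj!r} already exists")
        self.contents[obj] = data
        self.matrix[subject][obj] |= {"own", "read", "write"}

    def check(self, subject, obj, right):
        return right in self.matrix[subject][obj]

    def grant(self, granter, grantee, obj, right):
        # Only the owner may add an access control entry for the object.
        if not self.check(granter, obj, "own"):
            return False
        self.matrix[grantee][obj].add(right)
        return True

    def transfer_ownership(self, owner, new_owner, obj):
        if not self.check(owner, obj, "own"):
            return False
        self.matrix[owner][obj].discard("own")
        self.matrix[new_owner][obj] |= {"own", "read", "write"}
        return True

    def read(self, subject, obj):
        if not self.check(subject, obj, "read"):
            raise PermissionError(f"{subject} may not read {obj}")
        return self.contents[obj]


def dac_leak_demo():
    """Alice grants Bob read on her file; Bob copies it and grants Carol.

    Returns (carol_can_read_original, carol_can_read_copy, copy_contents).
    """
    m = AccessMatrix()
    original, copy = "/home/alice/secret.txt", "/home/bob/copy.txt"
    m.create("alice", original, "merger terms")
    m.grant("alice", "bob", original, "read")

    # Bob copies the contents into an object under his exclusive control and
    # re-grants it; Alice holds no rights on the copy, so she has no say.
    m.create("bob", copy, m.read("bob", original))
    m.grant("bob", "carol", copy, "read")

    return (m.check("carol", original, "read"),
            m.check("carol", copy, "read"),
            m.read("carol", copy))
```

The matrix faithfully enforces every entry and still leaks: nothing in the model ties the copied bytes back to the original object, which is exactly why propagation control has to be added on top of plain DAC.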
Mandatory Access Control
Mandatory Access Control (MAC) is a prime example of a non-discretionary
access control model.
MAC has its origins with military and civilian government security policy,
where individuals are assigned clearances and messages, reports, and other
forms of data are assigned classifications.
The security levels of user clearances and of data classifications govern
whether an individual can gain access to data.
For example, an individual can read a report only if the report is classified
at or below his or her level of clearance.
Defining MAC for a computer system requires assignment of a security level
to each subject and each object.
Security levels form a strict hierarchy such that security level x dominates
security level y, if and only if, x is greater than or equal to y within the
hierarchy.
The U.S. military security levels of Top Secret, Secret, Confidential, and
Unclassified are a good example of a strict hierarchy.
Access is determined by the security levels assigned to subjects and
objects and the dominance relation between the subject's and object's
assigned security levels.
The security objective of MAC is to restrict the flow of information from an
entity at one security level to an entity at a lesser security level.
Two properties accomplish this.
The simple security property specifies that a subject is permitted read
access to an object only if the subject’s security level dominates the object’s
security level.
The *-property (star property) specifies that a subject is permitted write
access to an object only if the object's security level dominates the subject's
security level.
Indirectly, the *-property, also referred to as the confinement property,
prevents the transfer of data from an object of a higher level to an object of
a lower classification and is required to maintain system security in an
automated environment.
These two properties are supplemented by the tranquility property, which
can take either of two forms: strong and weak.
Under the strong tranquility property, the security level of a subject or
object does not change while the object is being referenced.
The strong tranquility property serves two purposes.
First, it associates a subject with a fixed security level.
Second, it prevents a subject from reading data with a high security level,
storing the data in memory, switching its level to a low security level, and
writing the contents of its memory to an object at that lower level.
Under the weak tranquility property labels are allowed to change, but never
in a way that can violate the defined security policy.
It allows a session to begin at the lowest security level, regardless of the
user's security level, and raises that level only when objects at higher
security levels are accessed.
Once raised, the session security level can never be reduced, and all
objects created or modified take on the security level held by the session at
the time when the object was created or modified, regardless of their initial
security level.
This is known as the high water mark principle.
Because of the constraints placed on the flow of information, MAC models
prevent software infected with Trojan horse from violating policy.
Information can flow within the same security level or higher, preventing
leakage to a lower level.
However, information can pass through a covert channel in MAC, where
information at a higher security level is deduced by inference, such as
assembling and intelligently combining information of a lower security
level.
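As an added example that is not part of NIST IR 7987r1, the Python below encodes the simple security property and the *-property over a strict hierarchy, and a session that follows the high water mark principle: it starts Unclassified, rises on reads (bounded by the user's clearance), and is never lowered. The denied write in the demo is also what stops a Trojan horse in a process that has read Secret data from writing it down. The level names, objects and clearances are constructed for the demo.

```python
# Added example (not from NIST IR 7987r1): Bell-LaPadula style MAC checks over
# a strict hierarchy, plus a session following the high water mark principle.
# Level names, object names and clearances are constructed for the demo.
LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
RANK = {name: i for i, name in enumerate(LEVELS)}


def dominates(x, y):
    """x dominates y iff x is at or above y in the hierarchy."""
    return RANK[x] >= RANK[y]


def simple_security(subject_level, object_level):
    """Read allowed only if the subject dominates the object (no read up)."""
    return dominates(subject_level, object_level)


def star_property(subject_level, object_level):
    """Write allowed only if the object dominates the subject (no write down)."""
    return dominates(object_level, subject_level)


class HighWaterMarkSession:
    """Weak tranquility: the session starts at the lowest level and rises on read.

    objects maps object name -> current level and is updated in place.
    """

    def __init__(self, user_clearance, objects):
        self.clearance = user_clearance
        self.level = LEVELS[0]
        self.objects = objects

    def read(self, obj):
        obj_level = self.objects[obj]
        # The user's clearance still bounds what the session may ever read.
        if not simple_security(self.clearance, obj_level):
            return False
        if not dominates(self.level, obj_level):
            self.level = obj_level  # raise the mark; it is never lowered
        return True

    def write(self, obj):
        # An existing object must dominate the session level (no write down);
        # a newly created object takes the session's current level.
        if obj in self.objects and not star_property(self.level, self.objects[obj]):
            return False
        self.objects.setdefault(obj, self.level)
        return True


def high_water_mark_demo():
    objects = {"memo.txt": "Unclassified", "plan.doc": "Secret"}
    s = HighWaterMarkSession("Top Secret", objects)
    r1, lvl1 = s.read("memo.txt"), s.level   # allowed; session stays Unclassified
    r2, lvl2 = s.read("plan.doc"), s.level   # allowed; session rises to Secret
    w1 = s.write("memo.txt")                 # denied: no write down from Secret
    w2 = s.write("notes.txt")                # new object created at Secret
    return r1, lvl1, r2, lvl2, w1, w2, objects["notes.txt"]
```

Note what the checks do not cover: a covert channel (timing, resource exhaustion, or inference from lower-level data) never goes through `read` or `write`, so it is invisible to these properties.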
Chinese Wall
The Chinese Wall policy evolved to address conflict-of-interest issues
related to consulting activities within banking and other financial
disciplines.
The stated objective of the Chinese Wall policy and its associated model is
to prevent illicit flows of information that can result in conflicts of interest.
The Chinese Wall model is based on several key entities: subjects, objects,
and security labels.
A security label designates the conflict-of-interest class and the company
dataset of each object.
The Chinese Wall policy is application-specific in that it applies to a narrow
set of activities that are tied to specific business transactions.
Consultants or advisors are naturally given access to proprietary
information to provide a service for their clients.
When a consultant gains access to the competitive practices of two banks,
for instance, the consultant essentially obtains insider information that
could be used to profit personally or to undermine the competitive
advantage of one or both of the institutions.
The Chinese Wall model establishes a set of access rules that comprises a
firewall or barrier, which prevents a subject from accessing objects on the
wrong side of the barrier.
It relies on the consultant’s dataset to be logically organized such that each
company dataset belongs to exactly one conflict of interest class, and each
object belongs to exactly one company dataset or the dataset of sanitized
objects within a specially designated, non-conflict-of-interest class.
A subject can have access to at most one company dataset in each conflict of
interest class.
However, the choice of dataset is at the subject’s discretion.
Once a subject accesses (i.e., reads or writes) an object in a company
dataset, the only other objects accessible by that subject lie within the same
dataset or within the datasets of a different conflict of interest class.
In addition, a subject can write to a dataset only if it does not have read
access to an object that contains unsanitized information (i.e., information
not treated to prevent discovery of a corporation's identity) and is in a
company dataset different from the one for which write access is requested.
The following limitations in the formulation of the Chinese Wall model
have been noted: a subject that has read objects from two or more company
datasets cannot write at all, and a subject that has read objects from exactly
one company dataset can write only to that dataset.
These limitations occur because subjects include both users and processes
acting on behalf of users, and can be resolved by interpreting the model
differently to differentiate users from subjects.
The policy rules of the model are also more restrictive than necessary to
meet the stated conflict-of-interest avoidance objective.
For instance, as already mentioned, once a subject has read objects from
two or more company datasets, it can no longer write to any data set.
However, if the datasets reside in different conflict-of-interest classes, no
violation of the policy would result were the subject allowed to write to
those objects.
That is, while the policy rules are sufficient to preclude a conflict of interest
from occurring, they are not necessary from a formal logic perspective,
since actions that do not incur a conflict of interest are also prohibited by
the rules.
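The following Python is an added example (not code from NIST IR 7987r1 or the Brewer-Nash paper) of the read and write rules above at company-dataset granularity. It keeps a per-subject history of datasets accessed, lets the subject pick freely within an untouched conflict-of-interest class, treats sanitized data as always readable, and reproduces the noted limitation: after reading two company datasets in different classes, the subject can no longer write anywhere. The company names, classes and access sequence are constructed.

```python
# Added example (not from NIST IR 7987r1): Chinese Wall (Brewer-Nash) read and
# write rules at company-dataset granularity. Company names, classes and the
# consultant's access sequence are constructed for the demo.
SANITIZED = "sanitized"  # the designated non-conflict-of-interest class


class ChineseWall:
    def __init__(self, dataset_class):
        # company dataset -> the one conflict-of-interest class it belongs to
        self.coi_of = dataset_class
        self.accessed = {}  # subject -> company datasets it has read or written

    def _history(self, subject):
        return self.accessed.setdefault(subject, set())

    def can_read(self, subject, dataset):
        coi = self.coi_of[dataset]
        if coi == SANITIZED:
            return True
        history = self._history(subject)
        if dataset in history:
            return True  # same dataset as before
        # Free choice of dataset, but only in a class the subject has not entered.
        return not any(self.coi_of[d] == coi for d in history)

    def can_write(self, subject, dataset):
        # Write needs read access plus no readable unsanitized data from a
        # different company dataset (sanitized datasets are never recorded).
        if not self.can_read(subject, dataset):
            return False
        return not any(d != dataset for d in self._history(subject))

    def access(self, subject, dataset, mode):
        allowed = (self.can_read(subject, dataset) if mode == "read"
                   else self.can_write(subject, dataset))
        if allowed and self.coi_of[dataset] != SANITIZED:
            self._history(subject).add(dataset)  # reads and writes both count
        return allowed


def chinese_wall_demo():
    w = ChineseWall({"BankA": "banks", "BankB": "banks",
                     "OilX": "oil", "Market": SANITIZED})
    c = "consultant"
    r1 = w.access(c, "BankA", "read")    # first pick in the "banks" class
    r2 = w.access(c, "BankB", "read")    # denied: conflicts with BankA
    r3 = w.access(c, "Market", "read")   # sanitized: always readable
    w1 = w.can_write(c, "BankA")         # allowed: only BankA has been read
    r4 = w.access(c, "OilX", "read")     # allowed: a different class
    w2 = w.can_write(c, "BankA")         # denied: the noted limitation, no real conflict
    w3 = w.can_write(c, "OilX")          # likewise denied
    return r1, r2, r3, w1, r4, w2, w3
```

The history is what makes the policy stateful: the same request can be allowed for one subject and denied for another purely because of what each has read before, so an implementation must persist that history as carefully as the labels themselves.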
Role Based Access Control
The Role Based Access Control (RBAC) model governs the access of a user
to information through the roles for which the user is authorized.
RBAC is a more recent access control model than those described above.
It is based on several entities: users (U), roles (R), permissions (P), sessions
(S), and objects (O).
A user represents an individual or an autonomous entity of the system.
A role represents a job function or job title that carries with it some
connotation of the authority held by members of the role.
Access authorizations on objects are specified for roles, instead of users.
A role is fundamentally a collection of permissions to use resources
appropriate to conduct a particular job function, while a permission
represents a mode of access to one or more objects of a system.
Objects represent the protected resources of a system.
Users are given authorization to operate in one or more roles, but must
utilize a session to gain access to a role.
A user may invoke one or more sessions, and each session relates a user to
one or more roles.
The concept of a session within the RBAC model is equivalent to the more
traditional notion of a subject discussed earlier.
When a user operates within a role, it acquires the capabilities assigned to
the role.
Other roles authorized for the user, which have not been activated, remain
dormant and the user does not acquire their associated capabilities.
Through this role activation function, the RBAC model supports the
principle of least privilege, which requires that a user be given no more
privilege than necessary to perform a job.
Another important feature of RBAC is role hierarchies, whereby one role at a
higher level can acquire the capabilities of another role at a lower level,
through an explicit inheritance relation.
A user assigned to a role at the top of a hierarchy, also is indirectly
associated with the capabilities of roles lower in the hierarchy and acquires
those capabilities as well as those assigned directly to the role.
Standard RBAC also provides features to express policy constraints
involving Separation of Duty (SoD) and cardinality.
SoD is a security principle used to formulate multi-person control policies
in which two or more roles are assigned responsibility for the completion of
a sensitive transaction, but a single user is allowed to serve only in some
distinct subset of those roles (e.g., not allowed to serve in more than one of
two transaction-sensitive roles).
Cardinality constraints that limit a role’s capacity to a fixed number of
users, have been incorporated into SoD relations in standard RBAC.
Two types of SoD relations exist: static separation of duty (SSD) and
dynamic separation of duty (DSD).
SSD relations place constraints on the assignments of users to roles,
whereby membership in one role may prevent the user from being a
member of another role, and thereby presumably forcing the involvement
of two or more users in performing a sensitive transaction that would
involve the capabilities of both roles.
Dynamic separation of duty relations, like SSD relations, limit the
capabilities that are available to a user, while adding operational flexibility,
by placing constraints on roles that can be activated within a user’s
sessions.
As such, a user may be a member of two roles in DSD, but unable to execute
the capabilities that span both roles within a single session.
Certain access control models may be simulated or represented by another.
For example, MAC can simulate RBAC if the role hierarchy graph is
restricted to a tree structure rather than a partially ordered set [Kuh98].
RBAC is also policy neutral, and sufficiently flexible and powerful enough to
simulate both DAC and MAC.
Prior to the development of RBAC, MAC and DAC were considered to be the
only classes of models for access control; if a model was not MAC, it was
considered to be a DAC model, and vice versa.
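The Python below is an added example, not code from NIST IR 7987r1 or the RBAC standard, covering the RBAC features described above in one place: permissions attached to roles, a role hierarchy resolved by transitive closure, sessions that start with no active roles (least privilege), static SoD checked at user-role assignment and dynamic SoD checked at activation. Roles, users and permissions are constructed for the demo, and in this example only directly assigned roles can be activated.

```python
# Added example (not from NIST IR 7987r1): core RBAC with role hierarchy,
# sessions, static SoD (checked at assignment) and dynamic SoD (checked at
# activation). Roles, users and permissions are constructed for the demo.
class RBAC:
    def __init__(self):
        self.role_perms = {}   # role -> set of (operation, object)
        self.inherits = {}     # senior role -> junior roles whose permissions it inherits
        self.user_roles = {}   # user -> roles the user is authorized for
        self.ssd = []          # (role set, n): no user may be authorized for n or more of them
        self.dsd = []          # (role set, n): no session may activate n or more of them
        self.sessions = {}     # session id -> [user, set of active roles]

    def add_role(self, role, perms=(), inherits=()):
        self.role_perms[role] = set(perms)
        self.inherits[role] = set(inherits)

    def closure(self, roles):
        """The given roles plus every role they inherit from, transitively."""
        seen, stack = set(), list(roles)
        while stack:
            r = stack.pop()
            if r not in seen:
                seen.add(r)
                stack.extend(self.inherits.get(r, ()))
        return seen

    def _violates(self, constraints, roles):
        effective = self.closure(roles)  # inherited roles count toward SoD
        return any(len(effective & role_set) >= n for role_set, n in constraints)

    def assign_user(self, user, role):
        proposed = self.user_roles.get(user, set()) | {role}
        if self._violates(self.ssd, proposed):
            return False
        self.user_roles[user] = proposed
        return True

    def create_session(self, user, sid):
        self.sessions[sid] = [user, set()]  # nothing active: least privilege by default

    def activate(self, sid, role):
        user, active = self.sessions[sid]
        if role not in self.user_roles.get(user, set()):
            return False
        if self._violates(self.dsd, active | {role}):
            return False
        active.add(role)
        return True

    def check_access(self, sid, op, obj):
        _, active = self.sessions[sid]
        return any((op, obj) in self.role_perms.get(r, ()) for r in self.closure(active))


def rbac_demo():
    r = RBAC()
    r.add_role("clerk", perms={("read", "ledger")})
    r.add_role("auditor", perms={("read", "ledger"), ("sign", "audit_report")})
    r.add_role("manager", perms={("approve", "payment")}, inherits={"clerk"})
    r.add_role("cashier", perms={("issue", "payment")})
    r.ssd.append(({"cashier", "auditor"}, 2))   # nobody may be both
    r.dsd.append(({"manager", "cashier"}, 2))   # may hold both, never active together
    a1 = r.assign_user("alice", "cashier")
    a2 = r.assign_user("alice", "auditor")      # denied by SSD
    a3 = r.assign_user("alice", "manager")
    r.create_session("alice", "s1")
    before = r.check_access("s1", "read", "ledger")      # nothing active yet
    act1 = r.activate("s1", "manager")
    via_hierarchy = r.check_access("s1", "read", "ledger")  # inherited from clerk
    act2 = r.activate("s1", "cashier")          # denied by DSD in this session
    return a1, a2, a3, before, act1, via_hierarchy, act2
```

The SoD checks are evaluated over the closure of the roles, not just the roles named, so a senior role that inherits a constrained junior role is caught as well; a check that looked only at directly assigned roles would let the hierarchy quietly bypass the constraint.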
Policy Machine Framework
The policy machine (PM) is a redefinition of access control in terms of a
standardized and generic set of relations and functions that are reusable in
the expression and enforcement of policies.
Its objective is to provide a unifying framework to support a wide range of
policies and policy combinations through a single security model.
An important characteristic of the PM framework is that it is inherently
policy neutral.
That is, no particular security policy is embodied in the PM model.
Instead, the model serves as a vehicle for expressing a wide range of security
policies and enforcing them for a specific system through a precise
specification of policy elements and relationships.
The PM can be thought of as a logical ‘‘machine” comprised of a fixed set of
relations and functions between policy elements, which are used to render
access control decisions.
The relationships incorporated by the PM model are independent of the
data used to populate it.
Policy specifications are attribute based and capable of expressing and
enforcing non-discretionary and discretionary policies [Fer05, Fer11].
Each of the access control security models discussed in the previous chapter
can be represented in terms of the PM model’s data elements and relations,
such that an access decision rendered by the PM framework would be the
same decision as that rendered by the access control model.
The simultaneous enforcement of multiple policies, including reconciliation
of policy conflicts, is an inherent part of the PM framework.
Policy elements of the PM represent not only the users and objects of a
system, but also attributes of those elements that have an effect on access
control decisions.
Several key relations provide a frame of reference for defining and
interpreting a system policy in terms of the policy elements specified.
These relations include assignments that link together policy elements into
a meaningful structure, associations that are used to define authorizations
for classes of users, prohibitions that are used to define what essentially are
negative authorizations, and obligations that are used to perform
administrative actions automatically based on event triggers.
Several key functions also aid in making access control decisions and
enforcing expressed policies.
The remaining sections of this chapter discuss in detail core policy
elements, relations, and functions that comprise the PM model.
Core Policy Elements
The basic data elements of the PM include authorized users (U), processes
(P), objects (O), user and object attributes (UA and OA), policy classes (PC),
operations (Op), and access rights (AR).
Users are individuals that have been authenticated by the system.
A process is a system entity with memory, which operates on behalf of a
user.
Users submit access requests through processes.
The PM treats users and processes as independent but related entities.
Most other access control models use the term subject instead of process,
while a few others use subject to mean both process and user.
Processes can issue access requests, have exclusive access to their own
memory, but none to that of any other process.
Processes communicate and exchange data with other processes through
some logical medium, such as the system clipboard or sockets.
A user may be associated with one or more processes, while a process is
always associated with just one user.
The function Process_User(p) returns the user u ∈ U associated with
process p ∈ P.
A user may create and run various processes from within a session.
The PM model permits only one session per user, however.
Objects are system entities that are subject to control under one or more
defined policies.
Both users and objects have unique identifiers within the system.
The set of objects reflect environment-specific entities needing protection,
such as files, ports, clipboards, email messages, records, and fields.
The selection of entities included in this set is based on the protection
requirements of the system.
By definition, every object is considered to be an object attribute within the
PM model; i.e., O is a subset of OA.
That is, the identifier of the object is treated not only as an object within PM
relations, but may also be treated as an object attribute based on its context
within a relation.
User and object attributes are policy elements that represent important
characteristics, which are used to organize and distinguish respectively
between classes of users and objects.
They can also be thought of as containers for users and objects respectively.
Policy classes are another important type of element that plays a somewhat
similar role to attributes.
A policy class is used to organize and distinguish between distinct types of
policy being expressed and enforced.
A policy class can be thought of as a container for policy elements and
relationships that pertain to a specific policy.
The way in which policy elements can be assembled and used to represent
policy is covered in later chapters.
Operations denote actions that can be performed on the contents of objects
that represent resources or on PM data elements and relations that
represent policy.
The entire set of generic operations, Op, are partitioned into two distinct,
finite sets of operations: resource operations, ROp, and administrative
operations, AOp.
Common resource operations include read and write, for example.
Resource operations can also be defined specifically for the environment in
which the PM is implemented.
Administrative operations on the other hand pertain only to the creation
and deletion of PM data elements and relations, and are a stable part of the
PM framework, regardless of the implementation environment.
To be able to carry out an operation, the appropriate access rights are
required.
As with operations, the entire set of access rights, AR, are partitioned into
two distinct, finite sets of access rights: resource access rights, RAR, and
administrative access rights AAR.
Normally a one-to-one mapping exists between ROp and RAR, but not
necessarily between AOp and AAR.
For instructive purposes, access to object resources are discussed separately
from administrative access to policy expressions (i.e., data elements and
relations comprising policy).
Non-administrative resource operations and access rights are emphasized
in this chapter, while the next chapter covers administrative operations and
access rights in more detail.
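To make the Policy Machine Framework and Core Policy Elements sections above concrete, the following Python is an added example and not the NIST Policy Machine reference implementation. It models users, user attributes, objects, object attributes and policy classes as nodes in a containment graph built from assignments, so that an object is its own attribute (O is a subset of OA); associations grant access rights from a user attribute to an object attribute, prohibitions are negative authorizations, and Process_User(p) maps a process to its user. The decision rule, that every policy class containing the object must have a covering association and no prohibition may apply, is the simultaneous-enforcement behaviour the text describes; the attribute and user names are constructed.

```python
# Added example (not the NIST Policy Machine reference implementation): the PM
# core elements as a containment graph of assignments, with associations,
# prohibitions and Process_User(p). All names below are constructed for the demo.
class PolicyMachine:
    def __init__(self):
        self.assignments = {}    # element -> set of containers it is assigned to
        self.policy_classes = set()
        self.associations = []   # (user attribute, access rights, object attribute)
        self.prohibitions = []   # (user or user attribute, access rights, object attribute)
        self.process_user = {}   # process -> user, i.e. Process_User(p)

    def add_policy_class(self, pc):
        self.policy_classes.add(pc)
        self.assignments.setdefault(pc, set())

    def assign(self, element, container):
        self.assignments.setdefault(element, set()).add(container)
        self.assignments.setdefault(container, set())

    def containers(self, element):
        """element plus everything that transitively contains it. Including the
        element itself is what lets an object stand in as an object attribute."""
        seen, stack = set(), [element]
        while stack:
            e = stack.pop()
            if e not in seen:
                seen.add(e)
                stack.extend(self.assignments.get(e, ()))
        return seen

    def associate(self, ua, rights, oa):
        self.associations.append((ua, frozenset(rights), oa))

    def prohibit(self, who, rights, oa):
        self.prohibitions.append((who, frozenset(rights), oa))

    def decide(self, process, op, obj):
        """Grant iff no prohibition applies and every policy class containing the
        object has an association covering the user, the operation and the object."""
        user = self.process_user[process]
        user_side, obj_side = self.containers(user), self.containers(obj)
        for who, rights, oa in self.prohibitions:
            if who in user_side and op in rights and oa in obj_side:
                return False
        pcs = obj_side & self.policy_classes
        if not pcs:
            return False  # an object outside every policy class is not accessible
        for pc in pcs:
            if not any(ua in user_side and op in rights and oa in obj_side
                       and pc in self.containers(oa)
                       for ua, rights, oa in self.associations):
                return False
        return True


def policy_machine_demo():
    pm = PolicyMachine()
    # Two policies enforced at once: project membership and clearance.
    pm.add_policy_class("Project")
    pm.add_policy_class("Clearance")
    pm.assign("Engineers", "Project")
    pm.assign("ProjectX Docs", "Project")
    pm.assign("Cleared Secret", "Clearance")
    pm.assign("Secret", "Clearance")
    pm.assign("design.doc", "ProjectX Docs")
    pm.assign("design.doc", "Secret")
    for u in ("alice", "bob", "carol"):
        pm.assign(u, "Engineers")
    pm.assign("alice", "Cleared Secret")
    pm.assign("carol", "Cleared Secret")
    pm.associate("Engineers", {"read", "write"}, "ProjectX Docs")
    pm.associate("Cleared Secret", {"read"}, "Secret")
    pm.prohibit("carol", {"read"}, "ProjectX Docs")  # negative authorization
    pm.process_user.update({"p1": "alice", "p2": "bob", "p3": "carol"})
    return (pm.decide("p1", "read", "design.doc"),    # both policies satisfied
            pm.decide("p1", "write", "design.doc"),   # Clearance grants no write
            pm.decide("p2", "read", "design.doc"),    # bob lacks clearance
            pm.decide("p3", "read", "design.doc"))    # carol is prohibited
```

Because the decision is a conjunction over policy classes, adding a new policy can only remove accesses, never add them; that is the reconciliation rule this example implements, and obligations (event-triggered administrative actions) are left out of it.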
To read more:
http://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.7987r1.pdf
Who are non-banks and why are they
important for us?
Marius Jurgilas, Member of the Board of the Bank of
Lithuania, at the conference "Non-banks in Payment
Market: Challenges and Opportunities", organised by
the Bank of Lithuania and the Sveriges Riksbank,
Vilnius
It is a great pleasure for me to open the conference on non-banks in
payment market.
In 2007 Federal Reserve Bank of Kansas City hosted a similarly titled
conference.
It was the time when Europe was still debating the modalities of the
upcoming PSD and Steve Jobs just introduced the first iPhone to the world.
Now we have the iPhone 6 and PSD2, and because of another innovation by
Apple over that time, ApplePay, the link between the two is more relevant
than ever.
Let me briefly elaborate on two points: who non-banks are and why they are
important for us.
In general non-banks in the payment market mainly refer to the financial
institutions that facilitate payment transactions for end-users.
Sometimes the definition goes even further and includes those entities that
provide technology for the banks to facilitate for those payments.
Both groups are relevant as they deal with different problems.
Overall these institutions do not engage in financial intermediation or
credit risk taking, like shadow banks, which do.
We could start the list of non-banks in payments with traditional post
offices that have been more or less active in payment market for ages.
Many have turned into banks or quasi banks by now.
Then we have electronic money institutions and payment institutions that
joined the club not long ago.
Some of them tried to mimic banks' payments model and failed.
A new wave of non-banks emerged in the age of smart phone.
Equipped with the latest technology and out-of-the-box thinking they made a
bold step and implemented new business models in sectors where banks were
slow to act.
Nevertheless, many early initiatives are struggling for a number of reasons.
Regulators as well as the industry need to understand what is still missing.
Payment initiation services as defined in the PSD2 are a good bet.
But the outlook is not all dark shades. Last year the Economist featured an
article on the future of payments titled "Payments: the end of monopoly".
The title speaks for itself - banks are losing the grip on payments market.
But according to McKinsey, 34% of the global profits the banking industry
makes come from payments.
Therefore the question raised by the Economist: why does the banking industry
appear to be taking a back seat and just observing the new entrants come
in droves?
Is this just a clever distraction?
I have been told once by a CEO of a major bank, half joking, that once they
grow, we will buy them.
There is some truth to this statement. A great number of non-bank payment
initiatives ended up being provided either in collaboration with banks, via
banks directly, or outright owned by banks.
Therefore when we talk about the increased competition that non-banks can
bring into the field of payments, we have to ask ourselves whether that is just
wishful thinking or whether these new institutions really have a chance.
I hope we will go deeper into this topic during the conference.
The introduction of disruptive technologies like the internet, smartphones,
etc. is bound to lead to major innovations in payments.
But technology is not the only ingredient for successful payment business.
Network and trust are also of key importance.
Moreover, often the main breakthroughs are made when market
participants join forces together leading to standardization.
Be it the promotion of a new and efficient payment scheme or setting up an
underlying infrastructure.
At the same time competition authorities become very uneasy, once they
see market participants sitting around the table discussing future market
arrangements.
This is the reason why we need to find a healthy and comfortable format for
these discussions to take place.
Progress in technology is a powerful wind of change.
But regulation can also lead to positive change if it is implemented with
good timing and with an appropriate scope.
I strongly believe that the right regulatory framework, that provides
incentives and embraces new technology could modernize payment services
and change the status-quo.
I will stop here by saying that here at the central bank we have high
expectations built on non-banks both for channeling innovations and for
refreshing competition.
Currently Lietuvos Bankas is working on a comprehensive National
Payments Transformation Strategy and non-banks, I expect, will be one of
the key players there.
The main objective of this conference from our side is to hear the views of a
wider audience and to learn what the near future is about to bring.
I would like to thank Sveriges Riksbank for organising this event jointly with
Lietuvos Bankas and for close cooperation during preparations and would
like to invite Ms Cecilia Skingsley, Deputy Governor of Sveriges Riksbank,
for the introductory presentation.
The current situation in Japan's financial
system and macroprudential policy
Haruhiko Kuroda, Governor of the Bank of Japan, at
the Paris EUROPLACE Financial Forum, Tokyo
It is a great honor to have this opportunity to speak
before the Paris Europlace Financial Forum today.
Before I begin, I would like to offer my deepest
condolences to the victims of the recent terrorist attacks in Paris.
Since the global financial crisis, the "macroprudential" perspective has
become widely recognized.
Underlying the macroprudential framework is the view that, to ensure
financial stability, it is necessary to devise institutional designs and policy
measures to prevent systemic risk from materializing, based on analyses
and assessments of risks in the financial system as a whole, taking into
account the interconnectedness of the real economy, financial markets, and
financial institutions' behavior.
Today, I will start by providing an assessment of the current situation in
Japan's financial system from a macroprudential perspective. I will then
share with you my views on some of the issues regarding macroprudential
policy.
Assessment of the current situation in Japan's financial system
Let me begin with an overview of the current situation in Japan's financial
system.
The Bank of Japan has been pursuing quantitative and qualitative
monetary easing (QQE) since April 2013, and the policy has been steadily
exerting its intended effects toward achieving the price stability target of 2
percent.
It goes without saying that the financial system serves as an important
transmission channel through which QQE produces its effects.
Indeed, the following positive financial effects have been observed in the
past two and a half years:
(1) stability of long-term interest rates at low levels and declines in credit
risk premiums;
(2) progress in portfolio rebalancing among financial institutions and
institutional investors; and
(3) a positive spillover to asset prices.
Looking ahead, further enhancement of the financial intermediation
function continues to be expected as financial institutions have secured
robust capital bases.
As such, the effects of QQE are gradually becoming evident on the financial
front as well.
From a macroprudential perspective, however, the more financial activity
increases, the more important it becomes to be vigilant as to whether such
effects of QQE would lead to financial excesses or imbalances.
Under the current framework for the conduct of monetary policy, the Bank
examines financial imbalances - from a longer-term perspective - as a risk
that will significantly affect economic activity and prices.
As part of the examination process, the Bank releases semiannually its
Financial System Report.
In this report, it makes a forward-looking assessment of the stability of the
financial system from various angles - including analyses of the balance
between financial institutions' risks and financial bases, macro stress
testing, and the monitoring of risk indicators that suggest signs of financial
imbalances - and presents tasks and challenges toward achieving financial
stability.
Taking the latest findings into account, significant financial imbalances are
not observed at present. That said, the Bank will continue to examine
developments without presumption.
Macroprudential Policy
I will now turn to macroprudential policy.
In recent years, this area has seen various international discussions
conducted and measures implemented worldwide.
First, "structural measures" for enhancing the resilience of the financial
system, including implementation of the Basel III requirements and
responses to the "Too Big to Fail" problem, have been proceeding steadily.
Second, many countries have been making use of macroprudential
measures aimed at containing excessive financial cycles and the
accumulation of imbalances.
These are sometimes referred to as "time-varying macroprudential policy,"
thereby distinguishing them from structural measures. In what follows, I
will touch upon some of the issues regarding macroprudential policy.
First, let me discuss the selection and application of "time-varying"
macroprudential tools.
Many of the measures that have been adopted recently in various countries
are ones with which to lean against financial cycles, by utilizing regulatory
ratios such as the countercyclical capital buffer (CCB) and the loan-to-value
(LTV) ratio.
The introduction of the CCB regime is scheduled for 2016 in countries
worldwide, including Japan.
Among countries that already have proceeded with the activation of these
measures, some have noted that the measures have been exerting their
intended effects on such sectors as the housing market, where overheating
has been observed.
At the same time, some point to the considerable uncertainty surrounding
the measures' effects and to difficulties that accompany their application,
including the following.
First, there is a lag after activation before the measures begin producing
effects.
Second, leakages of policy effects to unregulated sectors, such as shadow
banking institutions, as well as to overseas, may well occur.
And third, measures intended for specific sectors, such as housing, give rise
to the issue of conflict with other governmental measures.
In fact, the inability to employ these macroprudential tools in a timely
fashion entails the risk of accelerating financial cycles.
"Hard" measures, which involve the adjustment of regulatory ratios in a
countercyclical manner, are relatively new.
Given this, the ultimate challenge, including responses to the various others
I have just mentioned, is how to carry out these measures in an accountable
manner.
One point I want to stress in relation to this is that, in dealing with financial
imbalances, what is important and effective is supervisory guidance by
central banks and financial authorities - namely, their "soft" approach, by
which they issue advance warnings while providing guidance and advice to
financial institutions based on assessments of financial system stability.
Supervisory guidance for financial institutions is primarily regarded as a
microprudential measure.
By carrying them out from a macroprudential perspective in an
industry-wide and collective manner, however, the soft approach is capable
of producing effects as a form of macroprudential policy.
Moreover, compared with hard approaches like the CCB, this approach
allows for more forward-looking and flexible responses.
Based on such understanding, the Bank's disclosure of the challenges and
risks involved in ensuring financial stability, through the publication of the
Financial System Report, and its responses to these issues, through on-site
examinations and off-site monitoring, are considered part of
macroprudential policy.
Second, let me shift my focus to international financial regulations as a
form of "structural" macroprudential policy.
Reform of international financial regulation is entering its final stages.
Basel III and responses to the issue of "Too Big to Fail," such as TLAC
(Total Loss-Absorbing Capacity), are measures designed to substantially
strengthen the resilience of the global financial system.
Furthermore, it is important to acknowledge the fact that financial
authorities and the financial industry worldwide have developed a common
understanding on international regulation, overcoming differences in their
views. This indicates a major step forward, in that we have created a
foundation for international cooperation to tackle many issues and crises
that could arise in the future.
Having said this, I would like to mention several points with regard to the
finalization and gradual implementation of the Basel III regulatory reforms.
The first point is the importance of a comprehensive calibration of the
framework in its finalization.
Several of the remaining issues involve quite a number of calibrations based
on the accumulation of very technical and expert considerations, such as
the measurement of risk-weighted assets.
The outcome of these considerations would have a significant impact on the
determination of required macro capital and the risk-taking behavior of
financial institutions.
I would like to emphasize that the calibration should be finalized in such a
way that the amount of risk-weighted assets and required capital as a whole
would be maintained at an appropriate level, while taking a holistic
approach in examining effects on the institutions.
The second point is the necessity of a review of the effects and impacts of
these regulatory reforms after their implementation.
Reforms of international financial regulations to date have been drastic
enough that it is no exaggeration to refer to them as a "fundamental
re-design."
Looking at individual countries, large-scale financial and structural reforms
are underway, as typified by the Volcker rule in the U.S.
The extent of the effects and impacts of these regulatory reforms on
international financial intermediation and flow of funds in the financial
sector as a whole remains unknown, and therefore requires close
monitoring.
From a long-term perspective, in order for the financial system to ensure
stability and in turn contribute to sustainable economic growth, financial
institutions need to be sufficiently profitable through active and innovative
financial intermediation.
In this regard, it is important to remove any regulatory excess,
inconsistency among regulations, and uncertainty regarding the regulatory
environment.
Concluding Remarks
That brings me toward the end of my speech. Topics for discussion
regarding macroprudential policy go beyond those I have raised today. One
such topic regards the effective institutional arrangements for
macroprudential policy.
Needless to say, there is no such thing as a universally optimal set of
arrangements, as financial and economic structures as well as legal
frameworks differ from country to country.
Moreover, the desirable form of arrangements would vary depending on the
kind of macroprudential measures each country intends to utilize.
Looking at the recent developments in countries with multiple regulatory
and supervisory authorities, there have been quite a number of movements
to establish new bodies or councils in charge of macroprudential policy.
In Japan, the Financial Services Agency (FSA) - which is legally authorized
to conduct industry-wide supervision and inspections - and the Bank - which
contributes to financial system stability, such as through the "lender
of last resort" function - are making joint efforts in carrying out
macroprudential policy, fulfilling their respective functions.
Furthermore, in June 2014, the two entities together established a task
force with the aim of holding regular joint meetings, and they have been
fostering further coordination.
The Bank is determined to continue with its efforts to contribute to
ensuring the stability of the financial system, making use of these
arrangements.
Thank you.
Disclaimer
The Association tries to enhance public access to information about risk and
compliance management.
Our goal is to keep this information timely and accurate. If errors are brought to
our attention, we will try to correct them.
This information:
- is of a general nature only and is not intended to address the specific
circumstances of any particular individual or entity;
- should not be relied on in the particular context of enforcement or similar
regulatory action;
- is not necessarily comprehensive, complete, or up to date;
- is sometimes linked to external sites over which the Association has no
control and for which the Association assumes no responsibility;
- is not professional or legal advice (if you need specific advice, you should
always consult a suitably qualified professional);
- is in no way constitutive of an interpretative document;
- does not prejudge the position that the relevant authorities might decide to
take on the same matters if developments, including Court rulings, were to lead it
to revise some of the views expressed here;
- does not prejudge the interpretation that the Courts might place on the
matters at issue.
Please note that it cannot be guaranteed that this information and these documents
exactly reproduce officially adopted texts.
It is our goal to minimize disruption caused by technical errors.
However some data or information may have been created or structured in files or
formats that are not error-free and we cannot guarantee that our service will not
be interrupted or otherwise affected by such problems.
The Association accepts no responsibility with regard to such problems incurred
as a result of using this site or any linked external sites.
The International Association of Risk and Compliance
Professionals (IARCP)
You can explore what we offer to our members:
1. Membership – Become a standard, premium or lifetime member.
You may visit:
www.risk-compliance-association.com/How_to_become_member.htm
If you plan to continue to work as a risk and compliance management
expert, officer or director throughout the rest of your career, it makes
perfect sense to become a Life Member of the Association, and to continue
your journey without interruption and without renewal worries.
You will get a lifetime of benefits as well.
You can check the benefits at:
www.risk-compliance-association.com/Lifetime_Membership.htm
2. Weekly Updates - Subscribe to receive every Monday the Top 10 risk
and compliance management related news stories and world events that
(for better or for worse) shaped the week's agenda, and what is next:
http://forms.aweber.com/form/02/1254213302.htm
3. Training and Certification - Become a Certified Risk and Compliance
Management Professional (CRCMP) or a Certified Information Systems Risk and
Compliance Professional (CISRCP).
The Certified Risk and Compliance Management Professional (CRCMP)
training and certification program has become one of the most recognized
programs in risk management and compliance.
There are CRCMPs in 32 countries around the world.
Companies and organizations like IBM, Accenture, American Express,
USAA etc. consider the CRCMP a preferred certificate.
You can find more about the demand for CRCMPs at:
www.risk-compliance-association.com/CRCMP_Jobs_Careers.pdf
You can find more information about the CRCMP program at:
www.risk-compliance-association.com/CRCMP_1.pdf
(It is better to save it and open it as an Adobe Acrobat document).
For the distance learning programs you may visit:
www.risk-compliance-association.com/Distance_Learning_and_Certification.htm
For instructor-led training, you may contact us. We can tailor all programs
to specific needs. We tailor presentations, awareness and training programs
for supervisors, boards of directors, service providers and consultants.
4. IARCP Authorized Certified Trainer (IARCP-ACT) Program - Become a
Certified Risk and Compliance Management Professional Trainer (CRCMPT) or
Certified Information Systems Risk and Compliance Professional Trainer
(CISRCPT).
This is an additional advantage on your resume,
serving as a third-party endorsement to your knowledge and experience.
Certificates are important when being considered for a promotion or other
career opportunities. You give the necessary assurance that you have the
knowledge and skills to accept more responsibility.
To learn more you may visit:
www.risk-compliance-association.com/IARCP_ACT.html
5. Approved Training and Certification Centers (IARCP-ATCCs) - In response
to the increasing demand for CRCMP training, the International Association
of Risk and Compliance Professionals is developing a world-wide network of
Approved Training and Certification Centers (IARCP-ATCCs).
This will give the opportunity to risk and compliance managers, officers and
consultants to have access to instructor-led CRCMP and CISRCP training at
convenient locations that meet international standards.
ATCCs use IARCP approved course materials and have access to IARCP
Authorized Certified Trainers (IARCP-ACTs).
To learn more:
www.risk-compliance-association.com/Approved_Centers.html