Standards and Regulations
Impact of Standards and Regulations on Operational Risk
Since 2005, regulations force you to apply the IAS – IFRS standards. However, not all companies have implemented authorization management in compliance with these particular standards, to ensure their governance.
New technologies and tools can ease the integration of your new standards. Particularly with the consolidation of your accounts. To validate them, your company has to prove that it has complete oversight to “Who has access to what? How and why?”.
Here are some standards and regulations currently in effect:
- d’une défaillance du système informatique sur lequel travaille un personnel de l’organisme financier
- d’une erreur, d’une défaillance ou d’une intention frauduleuse de votre personnel.
The second Pillar of regulation Basel demands a stricter governance:
The goal of internal governance control is to make sure that your managers are compliant, transparent, and adhering to the strategy of your organisation and internal governance requirements.
The Basel committee defines the operational risk as the “risk of loss from inadequate or deficient internal processes, from people and systems or from external events”.
This definition means that your risk of loss can come from:
- a deficiency of the information system on which a staff member of the financial agency is working on
- an error, a deficiency, or an attack from your staff
The PCI DSS (Payment Card Industry Data Security Standard) is a security standard for businesses which store, process, or transmit card payment data.
Condition : Restrict your accesses to cardholder data to only the individuals who must have access.
In order to ensure that sensitive data is only accessible by authorised members of staff, systems and processes must be implemented to restrict accesses to only those who need for designated tasks. In other words, your access rights are only granted on the smallest set of data necessary to achieve a given task.
Instruction: The more people who have access to your cardholder data, the higher the risks of fraudulent use of a user account. By restricting access to only individuals with a legitimate need for sensitive data, this prevents a subset of operational risk which includes cardholder data manipulation by inexperienced, or potentially malicious, users.
Source : PCI DSS v3.2
The General Data Protection Regulation (GDPR) applies to all European companies, but also to non-European companies or organizations that handles information regarding European citizens.
This regulation is mainly focused on the implementation of data protection policies by companies — ensuring confidentiality, security, and compliance of data-related regulations. Consequences of non-compliance are significant, so implementing a governance strategy on data is a priority.
You need to know precisely which users have access to what resources, and if their authorization levels are appropriate for their role.