Security on IBM i | Quick-CSi
Since the subprime crisis and the revelation of billions in toxic assets, banks have been called upon to achieve greater stability (Basel III), and insurers greater solvency (Solvency II). And above all: greater transparency.
On the banking side: Basel III
Basel III is based on three pillars that impose new rules on banks, institutions (insurance companies and lending institutions) and financial holding companies.
While the first two cover purely financial obligations, the third strengthens the obligation to publish information on the nature, volume and methods of risk management. Institutions are therefore subject to market discipline and must provide information on the adequacy of their own funds. The impact of the Basel agreements on the IT systems of banking and financial institutions is particularly strong.
The solutions put in place will have to be strengthened in three directions: the quantification of risks, their management and clear reporting.
Insurance: Solvency II
Solvency II also rests on three pillars:
- A first pillar defines the quantitative standards for the calculation of technical provisions and capital.
- A second pillar sets the qualitative standards for monitoring internal risks to companies and how the supervisory authority should exercise its supervisory powers in this context.
- A third pillar defines the detailed information that must be made available to the public on the one hand, and to which the supervisory authorities may have access in order to exercise their supervisory powers on the other. (Source: Wikipedia)
Data and IS: New tools and processes
In this context, the IT department must invest in new software to ensure reporting that is automatically fed by specific calculation tools. This calls for a flexible and agile overall system, in its hardware and software as well as in its processes (re-engineering). Two watchwords: compliance and risk management.
Interoperability and impact analysis
As for the IT department, it is thus under pressure to ensure the interoperability of all these new solutions, to train the teams and to evolve the control mechanisms.
It is therefore preparing to carry out impact analyses (budget, scenarios, identification of the affected areas and the question of market expectations), but also an optimised implementation in order to measure the functional impact, the impact on projects and the impact on tools.
In this way, banks will have to be able to quickly draw up a precise picture of their aggregated exposures or the concentration of their risks at the consolidated level, but also by business line and legal entity. Institutions will therefore need adequate management information systems at the level of each business line, and it will now be essential that the authorities responsible for resolution have access to aggregated risk data. This ability to aggregate risk data will allow faster and more efficient resolution. In addition, sound risk data aggregation and risk reporting practices will help the institution to better identify and manage the risks to which it is exposed.
Towards real security policies
All of these regulations require that CIOs put in place real IT security policies and demonstrate the application of these policies.
Thus, they will have to set up a system ensuring the traceability of data (who accesses it, who modifies it, and so on) but also the traceability of actions performed on their systems (who modifies profiles, who changes access rights, etc.).
They will also need to put in place mechanisms and tools to ensure that only authorised persons have access to certain data and transactions. They will also need a real-time alerting system so that they can intervene as soon as possible in the event of mistaken or fraudulent manipulation. Clearly, access control will be necessary not only at the server level but also at the level of transactions and data.
Traceability and Auditability of Information
IT departments will also need to ensure the auditability of their systems. They will need to be able to provide information on who has done what on their systems over a period of several months or even years.
The need for a consolidated risk base and risk ratios is also emerging, enabling auditors to go faster and to analyse these ratios more effectively.
About Quick-CSi Security for IBM i
Quick-CSi: Your forensic agent for IBM Power i
Your data is your patrimony. Be sure to protect your IT data, monitor and control its evolution, and ensure its confidentiality and relevance.