Understand the issues addressed by the new international banking standard known as the Basel Committee on Banking Supervision (BCBS or Basel II), and find out how Tripwire can help meet all requirements of Basel II compliance even before it becomes a worldwide banking regulation.
Daniel J. Langin, Attorney at Law, LLC
Basel II Compliance with Tripwire
white paper
Configuration Control for Virtual and Physical Infrastructures

Contents
Overview - What is Basel II? (p. 3)
Three Keys to Information Security Under Basel II (p. 4)
Mitigating Operational Risk (p. 4)
Tracking and Centralizing Loss Event Data (p. 4)
Disclosure Policies, Internal Controls, and Assessment Processes (p. 5)
Basel II Deadlines and Transition Periods (p. 5)
Basel II Requirements and the Role of Change Management (p. 5)
How Tripwire Helps Companies Achieve Basel II Compliance (p. 6)
Basel II Requirements and Tripwire Solutions (p. 7)
Other Resources (p. 8)
About the Author (p. 8)

Overview
As if financial institutions did not have enough compliance worries, a new international standard, Basel II¹, now looms on the compliance horizon. Unlike other laws and standards affecting financial institutions in the US and overseas, such as the Gramm-Leach-Bliley Act ("GLBA"), the EU Data Protection Directive and the PCI Data Security Standard, the ramifications of this law extend beyond protection of electronic consumer data. Instead, Basel II focuses on the institution's core functions of evaluating, planning for, and disclosing financial risk.

Overview - What is Basel II?

Basel II is not, strictly speaking, a law or regulation. It is an international banking standard created by the Basel Committee on Banking Supervision, or BCBS. BCBS is an organization made up of central bank and banking regulatory authorities from several European nations, Japan, the UK, and the US, that encourages international cooperation of banking authorities throughout the world and issues guidance on banking supervision. Even though Basel II is not a law or regulation, its terms will ultimately be adopted into legislation or regulation by virtually every nation in the world. In this fashion Basel II will eventually extend to financial institutions worldwide, making it potentially more ubiquitous than any US law or EU Directive.

Basel II consists of three "pillars," or organizing concepts. These are Minimum Capital Requirements, Supervisory Review, and Market Discipline. The Minimum Capital (Pillar 1) requirements mostly deal with the formulae that financial institutions must use to calculate the minimum capital they need to protect themselves from risk of loss from defaults or other financial losses. The Market Discipline (Pillar 3) requirements mostly deal with procedures to ensure

security, the requirements that most affect information security appear in the Supervisory Review (Pillar 2) requirements, especially its Operational Risk provisions. Each Pillar includes three "approaches" to compliance based on increasing levels of sophistication (Basic Indicator Approach, Standardized Approach and Advanced Measurement Approach), and each approach carries its own individual formula for calculating risk and its own "Qualifying Criteria" (standards the institution must meet to adopt a given approach).

As noted above, each nation must adopt its own laws or regulations implementing Basel II. The current state of rulemaking in the US consists of a Supervisory Guidance document and an Advanced Notice of Proposed Rulemaking issued by the Board of Directors of the FDIC. These documents suggest that US regulatory agencies will adopt those aspects of Basel II that are "appropriate for use by large and internationally active US banking institutions,"² and that US rulemaking for Operational Risk will focus on the Advanced Measurement Approach ("AMA") because it gives institutions the most flexibility in implementing risk management processes. The FDIC has also commented, however, that this AMA-based approach will require institutions to "establish a risk management framework that encompasses all aspects of identifying, measuring and controlling operational risk," including board responsibility for development and oversight of the risk framework.

So how can companies understand the information security ramifications of Basel II? Given the dizzying number of provisions, the existence of three approaches for each Pillar, and different qualifying criteria for each of these approaches, an institution needs to start its compliance efforts from basic, common compliance criteria. A good starting point is to examine three common "keys" to information security... [download for more]