This tip is part of our Basel II risk management and implementation guide.
Basel II requirements, designed to protect the financial system by linking a bank's risk level to the amount of cash it needs to hold in reserve, have three pillars: minimum capital requirements, supervisory committees and market discipline. The first, minimum capital, affects information security staff the most. Capital requirements must align with a bank's actual risk, and that includes Basel II operational risk and the risks that result from system failure, financial fraud and information security attacks, all of which information security professionals likely have a hand in assessing.
Fortunately, there are several existing and upcoming standards that can help security pros identify and control these risks. Under the Basel II requirements, if an organisation can show it has its risks under control, it can keep less cash in reserve. Strong Basel II operational risk controls therefore have a direct effect on a bank's ability to make a profit.
For information security professionals working in the financial sector, there are two existing standard frameworks that can be of most interest and use. One is ISO 27001, a broad, well known set of best practices that provides a systematic and comprehensive structured approach for dealing with information security weaknesses. The framework of controls and policies helps deal with all kinds of attacks, from outside as well as inside the organisation. And its risk-based approach makes it an ideal platform on which to base any kind of Basel II compliance programme.
BS 25777: A business continuity standard for Basel II
Less well known, however, is the British Standards ICT continuity standard BS 25777, which was published last October. It provides best-practice guidance on how to ensure IT systems provide continuous service. The standard certifies that the plans in place are appropriate for whatever disruptions might occur to the business.
Not to be confused with BS 25999, which looks at business continuity generally, BS 25777 focuses specifically on the effect of IT system downtime and describes how to construct a management system to deal with it.
The detailed standard sets out the steps necessary to identify critical IT services and assess what the effect would be if the service was lost for four hours, eight hours, 24 hours and so on.
The standard requires organisations to set a recovery time objective for each of its critical IT services, including servers and storage arrays, networks, operating systems and applications, data and external suppliers. The importance of these services can be prioritized, and the time objectives for each service can be determined by the business loss that the organisation would suffer by not having it in place.
After the business impact analysis is conducted, the next stage is to design plans to get IT services back up and running within the established recovery time objective. The standard ensures the recovery plans are properly designed and tested to ensure they work. It also provides for continuous improvement, so that plans are updated to take account of changes in technology, systems environments and any lessons learned from past incidents and tests.
The standard is complete, but remember, it relates only to information and communications technology (ICT), so BS 25777 has to be considered within the broader picture of business continuity, which also takes account of other factors, such as the availability of physical premises or staff.
By all accounts, BS 25777 has been effective in helping organizations manage ICT issues, and there is some talk of it becoming an international standard fairly quickly. From a Basel point of view, it offers a systematic way of building and demonstrating controls to limit the operational risk (and cost) of any IT system failure.
About the author:
Alan Calder is a leading author on information security and IT governance issues. He is also chief executive of IT Governance Limited, the one-stop-shop for books, tools, information and advice on governance, risk management and compliance in the UK. Alan was previously CEO of Wide Learning, a supplier of e-learning; of Focus Central London, a training and enterprise council; and of Business Link London City Partners, a government agency focused on helping growing businesses to develop. He was a member of the Information Age Competitiveness Working Group of the UK Government's Department for Trade & Industry, and is a member of the DNV Certification Services Certification Committee, which certifies compliance with international standards including BS7799.