Ask the Expert: Security Policy Impact of Basel II

Question:

With respect to Basel II, what security frameworks or guidelines (if any) are recommended to comply with the governance-risk aspects of Basel II?

Answer: From Mark T. Edmead, CISSP, CISA

The new Basel II Capital Accord is designed to address operational risk. Operational risk is defined as the risk of loss resulting from inadequate or failed business processes, people and systems, or from external events. Many organizations are adopting the COSO (Committee of Sponsoring Organizations of the Treadway Commission) framework as the framework for risk management. The COSO-based risk assessment has been used extensively in the risk management industry.

Basel II uses a "three pillars" concept. The first pillar provides a way to manage the sensitivity of the risk and the second pillar addresses the framework for dealing with the risks a financial institution might face. It is in Pillar 2 where the importance of a sound system of internal control and governance structure is stressed. A COSO-type risk assessment approach allows for different risk management needs to be aligned and incorporated into one framework. The core areas where COSO can be applied include:

The COSO framework addresses the same principles as the Basel II Accord. They include the promotion of governance, risk management (including identification, assessment, monitoring and mitigation), and risk disclosure.

Related Resources and Information

Information Security Policies Made Easy, Version 10.0 contains over 1400 pre-written information security policies enabling organizations to adopt a risk-based approach to information security management.