Many of the frauds that have been perpetrated in the financial sector could not have
been achieved without a breach of computer security. It is essential that the operational
risk manager ensures that adequate computer security controls are in place.
Computer security is more than just passwords. Some of the key questions the
operational risk manager might ask in assessing computer security are as follows:
• Is there an information security policy? How definitive is it?
• Is it documented?
• Are responsibilities for security processes clearly allocated?
Although I suggested above that computer security is more than just passwords,
there are some important factors that will undermine password security unless
they are implemented correctly:
• Are passwords required to sign on?
• What are the rules for password generation?
• Is there an alert to indicate when a sign-on has failed more than three times?
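The failed sign-on alert asked about in the last question above, as an added example that is not from the book: a small Python check that scans constructed sign-on log lines and raises one alert when a user's failed attempts within a time window exceed three (a successful sign-on resets the count). The log format, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-on log (not from any real system).
SAMPLE_LOG = """\
2024-03-01T09:00:01 user=alice result=FAIL
2024-03-01T09:00:05 user=alice result=FAIL
2024-03-01T09:00:09 user=alice result=FAIL
2024-03-01T09:00:14 user=alice result=FAIL
2024-03-01T09:01:00 user=bob result=FAIL
2024-03-01T09:01:30 user=bob result=OK
2024-03-01T09:02:00 user=carol result=FAIL
2024-03-01T09:02:10 user=carol result=FAIL
2024-03-01T09:02:20 user=carol result=FAIL
2024-03-01T09:02:30 user=carol result=OK
"""

FAIL_THRESHOLD = 3            # assumption: "more than three" means alert on the 4th
WINDOW = timedelta(minutes=10)  # assumption: failures older than this are forgotten

def parse_line(line):
    """Split one constructed log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return datetime.fromisoformat(ts), user.split("=", 1)[1], result.split("=", 1)[1]

def failed_signon_alerts(log_text, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return one alert record per streak of failed sign-ons that exceeds the threshold."""
    streaks = defaultdict(list)   # user -> timestamps of the current failure streak
    alerts = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, result = parse_line(raw)
        if result == "OK":
            streaks[user].clear()   # a successful sign-on ends the streak
            continue
        streak = streaks[user]
        streak.append(ts)
        while streak and ts - streak[0] > window:   # drop failures outside the window
            streak.pop(0)
        if len(streak) > threshold:
            alerts.append({"user": user, "failures": len(streak),
                           "first": streak[0].isoformat(), "last": ts.isoformat()})
            streak.clear()   # one alert per streak; the record feeds the incident database
    return alerts

if __name__ == "__main__":
    for alert in failed_signon_alerts(SAMPLE_LOG):
        print(alert)
```

In the sample, only alice trips the alert (four failures); carol stops at exactly three, which the "more than three" rule deliberately does not flag.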
The operational risk manager should try to gather data about computer failures or
security breaches in order to assess the likelihood and impact of operational risks
recurring. However, if the firm does not have adequate records of past events and a
method for ‘learning from past mistakes’ it could be argued that this is a key
operational weakness in itself!
The operational risk manager should ask the following key questions to ensure
incident management is performed correctly:
• What is the security incident reporting procedure? Is there a focal point?
• Are suspected security weaknesses reported?
• Are software malfunctions reported?
• Is there a disciplinary process for dealing with security breaches?
The data collected by strong incident management will be very useful in building up
a database of past operational failures when the operational risk manager starts to
measure operational risk.