5.27
CORE BANKING SYSTEMS
5.3 CBS RISKS, SECURITY POLICY AND CONTROLS
5.3.1 Risks associated with CBS
(a) Operational Risk: It is defined as the risk of direct or indirect loss to the bank arising from inadequate or failed internal processes, people and systems; for example, inadequate audits, improper management, or ineffective internal control procedures. Operational risk necessarily excludes business risk and strategic risk. The components of operational risk include transaction processing risk, information security risk, legal risk, compliance risk and people risk.
• Transaction Processing Risk arises because errors in the entry of data used for subsequent bank computations can result in faulty reporting of important market developments to the bank management.
• Information Security Risk comprises the impacts on an organization and its stakeholders that could occur due to the threats and vulnerabilities associated with the operation and use of information systems and the environments in which those systems operate. Data breaches can cost a bank its reputation, and customers can lose time, money and, above all, their confidential information.
• Legal Risk arises because of the treatment of clients, the sale of products, or the business practices of a bank. There are countless examples of banks being taken to court by disgruntled corporate customers who claim they were misled by the advice given to them or by the business products sold to them. Contracts with customers may be disputed.
• Compliance Risk is the exposure to legal penalties, financial penalties and material loss that an organization faces when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best practices.
ENTERPRISE INFORMATION SYSTEMS
5.28
• People Risk arises from a lack of trained key personnel, tampering with records, unauthorized access to dealing rooms and a nexus between the front and back offices.
(b) Credit Risk: It is the risk that an asset or a loan becomes irrecoverable in the case of outright default, or the risk of an unexpected delay in the servicing of a loan. Non-repayment of loans to the lending bank, repeated defaults and the like result in large non-performing assets, which pave the way for credit risk. Since the bank and the borrower usually sign a loan contract, credit risk can be considered a form of counterparty risk.
(c) Market Risk: Market risk refers to the risk of losses in the bank's trading book due to changes in equity prices, interest rates, credit spreads, foreign-exchange rates, commodity prices, and other indicators whose values are set in a public market; for example, a reduction in the share price of the bank, a loss incurred on a major equity investment, or wide fluctuations in interest rates. To manage market risk, banks deploy several highly sophisticated mathematical and statistical techniques.
(d) Strategic Risk: Strategic risk, sometimes referred to as business risk, can be defined as the risk that earnings decline due to a changing business environment, for example new competitors, new mergers or acquisitions, or changing customer demand.
(e) IT Risk: Once the complete business is captured by technology and processes are automated in the CBS, the bank's customers, management and staff become completely dependent on its Data Centre (DC). From a risk assessment and coverage point of view, it is critical to ensure that the bank can impart advanced training to its permanent staff in the core areas of technology, both for effective and efficient technology management and, where functions are outsourced, so that staff can take over those functions at short notice in an exigency. Some of the common IT risks related to CBS are as follows:
o Ownership of data/process: Data resides at the Data Centre. Clear ownership must be established so that accountability can be fixed and unwanted changes to the data can be prevented.
o Authorization process: Anybody with access to the CBS, including the customer himself, can enter data directly. What is the authorization process? If the process is not robust, it can lead to unauthorized access to customer information.
o Authentication procedures: Usernames and passwords, Personal Identification Numbers (PIN) and One Time Passwords (OTP) are some of the most commonly used authentication methods. However, these may be inadequate, and hence the user entering a transaction may not be determinable or traceable.
o Several software interfaces across diverse networks: A Data Centre can have as many as 75-100 different interfaces and application software packages. A data centre must also contain adequate infrastructure, such as power distribution and supplemental power subsystems, including electrical switching, uninterruptible power supplies, backup generators and so on. A lapse in any of these may lead to real-time data loss.
o Maintaining response time: Maintaining the interfacing software and ensuring optimum response time and uptime can be challenging.
o User Identity Management: This could be a serious issue. Some banks may have more than 5000 users interacting with the CBS at once.
o Access Controls: Designing and monitoring access control is an extremely challenging task. Bank environments are subject to all types of attacks; thus, a strong access control system is a crucial part of a bank's overall security plan. Access control, however, does vary between branch networks and head office locations.
o Incident handling procedures: Incident handling procedures are used to address and manage the aftermath of a security breach or cyberattack. However, at times these may not be adequate considering the need for real-time risk management.
o Change Management: Although change management reduces the risk that a new system or other change will be rejected by the users, at the same time it requires changes at the application level and the data level of the database: master files, transaction files and reporting software.
5.3.2 Security Policy
Large corporations like banks and financial institutions need to have a laid-down framework for security with a properly defined organizational structure. This helps banks create a complete security structure with clearly defined roles and responsibilities within the organization. Banks deal in third-party money and need to create a framework of security for their systems. This framework needs to be of global standards to create trust among customers in and outside India.
Information Security
Information security is critical to mitigate the risks of information technology. Security refers to ensuring the Confidentiality, Integrity and Availability of information. RBI has suggested the use of ISO 27001:2013 to implement information security. Banks are also advised to obtain ISO 27001 certification, and many banks have obtained such certification for their data centres. Information security comprises the following sub-processes:
• Information Security Policies, Procedures and Practices: This refers to the processes relating to the approval and implementation of information security. The security policy is the basis on which detailed procedures and practices are developed and implemented at the various units/departments and layers of technology, as relevant. These cover all key areas of securing information at the various layers of information processing and ensure that information is made available safely and securely. For example: non-disclosure agreements with employees, vendors etc., and KYC procedures for security.
• User Security Administration: This refers to security for the various users of information systems. The security administration policy documents define how users are created and granted access as per the organization structure and access matrix. The complete administration of users, from creation to disabling, is also defined as part of the security policy.
• Application Security: This refers to how security is implemented at the various aspects of the application, from configuration and setting of parameters to security for transactions through various application controls. For example: event logging.
• Database Security: This refers to the various aspects of implementing security for the database software. For example: role-based access privileges given to employees.
• Operating System Security: This refers to security for the operating system software installed on the servers and on the systems connected to the servers.
• Network Security: This refers to how security is provided at the various layers of the network and of the connectivity to the servers. For example: use of virtual private networks for employees, implementation of firewalls, etc.
• Physical Security: This refers to security implemented through physical access controls. For example: disabling the USB ports.
A sample listing of risks and controls w.r.t. information security is given in Table 5.3.1.
Table 5.3.1: Sample Listing of Risks and Controls w.r.t. Information Security

Risk: Significant information resources may be modified inappropriately, disclosed without authorization, and/or be unavailable when needed (e.g., they may be deleted without authorization).
Key IT Controls: Super user access or administrator passwords are changed on system installation and are available with the administrator only. The password of the super user or administrator is adequately protected.

Risk: Lack of management direction and commitment to protect information assets.
Key IT Controls: Security policies are established and management monitors compliance with the policies.

Risk: Potential loss of confidentiality, availability and integrity of data and system.
Key IT Controls: Vendor default passwords for application systems, operating systems, databases, and network and communication software are appropriately modified, eliminated, or disabled.

Risk: User accountability is not established.
Key IT Controls: All users are required to have a unique user id.

Risk: It is easier for unauthorized users to guess the password of an authorized user and access the system and/or data. This may result in loss of confidentiality, availability and integrity of data and system.
Key IT Controls: The identity of users is authenticated to the systems through passwords. The password is periodically changed, kept confidential and complex (e.g., password length, alphanumeric content, etc.).

Risk: Unauthorized viewing, modification or copying of data and/or unauthorized use, modification or denial of service in the system.
Key IT Controls: System owners authorize the nature and extent of user access privileges, and such privileges are periodically reviewed by the system owners.

Risk: Security breaches may go undetected.
Key IT Controls: Access to sensitive data is logged and the logs are regularly reviewed by management.

Risk: Potential loss of confidentiality, availability and integrity of data and system.
Key IT Controls: Physical access restrictions are implemented and administered to ensure that only authorized individuals can access
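As an added example (not part of the study material), the following Python script checks a constructed CBS user-account export against the key IT controls listed in Table 5.3.1: unique user ids, vendor default passwords removed, passwords periodically changed and complex, privileged access periodically reviewed, and sensitive data access logged. The account records, the default-password list and the 90-day and 180-day policy intervals are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed list of vendor/installation default credentials; Table 5.3.1
# requires such passwords to be modified, eliminated or disabled.
KNOWN_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "welcome123"}

MAX_PASSWORD_AGE_DAYS = 90     # assumed policy value, not stated in the text
PRIVILEGE_REVIEW_DAYS = 180    # assumed interval for the "periodic review" control


@dataclass
class Account:
    user_id: str
    password: str                  # plaintext only because this is a constructed sample
    last_password_change: date
    is_super_user: bool = False
    last_privilege_review: Optional[date] = None
    sensitive_access_logged: bool = True


def is_complex(password: str, min_length: int = 8) -> bool:
    """Password length plus alphanumeric content, the two criteria the table names."""
    return (len(password) >= min_length
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def audit(accounts: List[Account], today: date) -> Dict[str, List[str]]:
    """Return control violations keyed by user id; an empty dict means every control is met."""
    findings: Dict[str, List[str]] = {}

    def flag(user_id: str, message: str) -> None:
        findings.setdefault(user_id, []).append(message)

    # Control: all users are required to have a unique user id.
    seen = set()
    for acct in accounts:
        if acct.user_id in seen:
            flag(acct.user_id, "duplicate user id; accountability cannot be established")
        seen.add(acct.user_id)

    for acct in accounts:
        # Control: vendor default passwords are modified, eliminated or disabled.
        if acct.password.lower() in KNOWN_DEFAULT_PASSWORDS:
            flag(acct.user_id, "vendor/installation default password still in use")
        # Control: passwords are periodically changed and kept complex.
        if (today - acct.last_password_change).days > MAX_PASSWORD_AGE_DAYS:
            flag(acct.user_id, "password older than policy maximum")
        if not is_complex(acct.password):
            flag(acct.user_id, "password does not meet complexity requirement")
        # Control: system owners periodically review privileged access.
        if acct.is_super_user and (
            acct.last_privilege_review is None
            or (today - acct.last_privilege_review).days > PRIVILEGE_REVIEW_DAYS
        ):
            flag(acct.user_id, "super user privileges not reviewed within period")
        # Control: access to sensitive data is logged for later review.
        if not acct.sensitive_access_logged:
            flag(acct.user_id, "sensitive data access not logged")
    return findings


# Constructed sample of a CBS user-account export (hypothetical data).
TODAY = date(2024, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("teller01", "Br4nchPass9", TODAY - timedelta(days=30)),
    Account("dbadmin", "Admin", TODAY - timedelta(days=400), is_super_user=True),
    Account("teller01", "xyz", TODAY - timedelta(days=10), sensitive_access_logged=False),
]

if __name__ == "__main__":
    for user_id, issues in audit(SAMPLE_ACCOUNTS, TODAY).items():
        print(user_id)
        for issue in issues:
            print("  -", issue)
```

A real audit would compare stored password hashes against a list of default-credential hashes rather than handling plaintext, and would read the export from the CBS user-administration module.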