Payments Risk Policy & Governance Flashcards
10%
What is risk management?
The process required to identify, control, and minimize the impact of risk events.
What is risk appetite?
The amount of risk, on a broad level, an organization is willing to accept in pursuit of value.
What is risk tolerance?
The acceptable level of variation between the achievement of a specific objective and the risk appetite.
What is risk culture?
The norms and traditions of behavior of individuals and of groups within an organization that determine the way in which they identify, understand, discuss, and act on the risk the organization confronts and takes on.
What is risk assessment?
The overall process of risk identification, analysis, and evaluation that guides resource allocation, and assists in designing the infrastructure necessary to effectively respond to and monitor risks.
What is risk identification?
Finding, recognizing, and describing risks
What is risk analysis?
The process to determine the level of risks
What is risk evaluation?
The process of comparing risk assessment results to determine if residual risk is at an acceptable level.
What is risk acceptance?
An informed decision to accept or take a particular risk.
What is risk avoidance?
An informed decision to withdraw from, or not become involved with, an activity in order to avoid exposure to unwanted or unacceptable risk.
What is risk sharing?
A form of risk treatment involving the agreed-upon distribution of risk among other parties.
What is risk assignment?
The allocation of risk by agreement. Risk assignment is a form of risk sharing.
Who is the board of directors?
A group of individuals that are elected to act as representatives of stockholders and to establish corporate management-related policies.
Who is the chief executive officer (CEO)?
The highest-ranking executive in an organization whose primary responsibilities include making major corporate decisions, managing overall operations and resources, and acting as the main point of communication between the board and the organization’s operations.
Who is the senior management team?
A group of individuals at the highest level of management who have the day-to-day task of managing the organization.
Who are shareholders?
A group that either plays a direct role through electing directors or an indirect role by not investing in a company, thereby pressuring management to meet sales and profit projections.
What should an audit policy address?
An organization’s policy objective, the scope of work, the assignment and administration of authority, auditing standards, and if audit functions are handled in-house or outsourced.
What are procedures?
Instructions that define how an organization will proceed, perform, or affect something to accomplish the objectives of a policy.
What are PCI Data security standard requirements?
- Install and maintain a firewall configuration to protect cardholder data
- Do not use vendor-supplied defaults for system passwords and other security parameters
- Protect stored data
- Encrypt transmission of cardholder data across open, public networks
- Use and regularly update anti-virus software
- Develop and maintain secure systems and applications
- Restrict access to cardholder data by business need-to-know
- Assign a unique ID to each person with computer access
- Restrict physical access to cardholder data
- Track and monitor all access to network resources and cardholder data
- Regularly test security systems and processes
- Maintain a policy that addresses information security
What are the three components of the PCI Compliance continuous process?
- Assess
- Remediate
- Report
What is the Payment Card Industry Data Security Standard (PCI DSS)?
A global data security standard that all businesses must adhere to in order to accept payment cards, and to store, process, and / or transmit cardholder standards.
What is the purpose of a customer identification program (CIP)?
It is intended to enable a financial institution to form a reasonable belief that it knows the true identity of each customer.
What must a customer identification program (CIP) include?
Account opening procedures that specify identifying information that should be obtained from each customer, reasonable procedures for verifying their identity, and information should be documented and retained.
What is the beneficial ownership rule?
A rule from the Financial Crimes Enforcement Network (FinCEN), stating an institution must establish and maintain written procedures that are reasonably designed to identify and verify beneficial owner(s) of 25% or greater of a legal entity customer, and to include such procedures in its anti-money laundering compliance program.
