FIU Information System Maturity Model (FISMM)
Version 1.1 (July 2011) 1.2 (January 2012)
Document Version Control
Version | Month | Remarks |
1.0 | June 2011 | Discussed in the ITWG meeting at Yerevan, Armenia (July 2011) |
1.1 | September 2011 | Incorporated following suggestions made during the ITWG meeting at Yerevan, Armenia (Jul 2011):
|
1.2 | January 2012 | Removed reference to old FATF standards and incorporated following suggestions made in the peer review by OpWG, TWG and ITWG:
|
Module wise Version Control Chart
Section | Prepared / updated by | Version | Remarks |
FISMM Description | Sanjeev Singh, FIU – IND (India) | Draft (Jun 2009) | Presented in ITWG meeting at Kuala Lumpur, Malaysia (Oct 2009) |
FISMM Description | Sanjeev Singh, FIU – IND (India) | Rev1 (Jun 2011) | Restructured the domains increasing the number from 14 to 15. Added new sections on IT strategy formulation, abbreviations used and bibliography. |
FISMM Description | Sanjeev Singh, FIU – IND (India) | Rev2 (Jul 2011) | Added new section on Performance management and summary. Moved glossary of terms, abbreviations used and bibliography to the end of the document. |
FISMM Description | Peer Review | Rev3 (Jan 2012) | Minor changes in text |
FD01 - Collection of reports | Sanjeev Singh, FIU – IND (India) | Draft (Oct 2010) | Presented in ITWG meeting at Chisinau, Moldova (Oct 2010) |
FD01 - Collection of reports | Peer Review | Rev1 (Jan 2012) | Updated functionalities of FT01.02 - Report preparation software and minor changes in text |
FD02 - Access to information | Sanjeev Singh, FIU – IND (India) | Rev1 (Mar 2011) | Presented in ITWG meeting at Chisinau, Moldova (Oct 2010) |
FD02 - Access to information | Sanjeev Singh, FIU – IND (India) | Rev2 (Jun 2011) | Domain expanded to include list of sources |
FD02 - Access to information | Peer Review | Rev3 (Jan 2012) | Updated functionalities of FT02.03 - Service oriented architecture and minor changes in text |
FD03 - Processing of information | Sanjeev Singh, FIU – IND (India) | Draft (Oct 2010) | Presented in ITWG meeting at Chisinau, Moldova (Oct 2010) |
FD03 - Processing of information | Sanjeev Singh, FIU – IND (India) | Rev1 (Jun 2011) | Modified to include processing of information accessed (other than reports) by FIU |
FD03 - Processing of information | Peer Review | Rev2 (Jan 2012) | Minor changes in text |
FD04 - Detection of new targets | Sanjeev Singh, FIU – IND (India) | Draft (Mar 2011) | Presented in ITWG meeting at Oranjestad, Aruba (Mar 2011) |
FD04 - Detection of new targets | Sanjeev Singh, FIU – IND (India) | Rev1 (Jun 2011) | Renamed from ‘Tactical analysis’ to ‘Detection of new targets at FIU’ |
FD04 - Detection of new targets | Peer Review | Rev2 (Jan 2012) | Updated work products for FD04.02 – Detection of high risk transaction patterns and included reference to ARIS under FT04.05 - Web mining software and minor changes in text |
FD05 - Operational analysis | Sanjeev Singh, FIU – IND (India) | Draft (Mar 2011) | Presented in ITWG meeting at Oranjestad, Aruba (Mar 2011) |
FD05 - Operational analysis | Sanjeev Singh, FIU – IND (India) | Rev1 (Jun 2011) | Included a separate base practice on exchange with FIU and LEAs |
FD05 - Operational analysis | Peer Review | Rev2 (Jan 2012) | Updated list of goal indicators and minor changes in text |
FD06 - Strategic analysis | Gonnie de graaff, FIU.net | Draft (Mar 2011) | Presented in ITWG meeting at Cartagena, Colombia (Jun 2010) |
FD06 - Strategic analysis | Sanjeev Singh, FIU – IND (India) | Rev1 (Jun 2011) | Included base practice on trend analysis |
FD06 - Strategic analysis | Gonnie de graaff, FIU.net | Rev2 (Jun 2011) | Included section on Language Ware Dictionary |
FD07 - Domestic Cooperation | Sanjeev Singh, FIU – IND (India) | Draft (Jun 2011) | Presented in ITWG meeting at Yerevan, Armenia (Jul 2011) |
FD07 - Domestic Cooperation | Sanjeev Singh, FIU – IND (India) | Rev1 (Jul 2011) | Renamed from ‘Exchange of information with domestic agencies’ to ‘Domestic Cooperation’ |
FD07 - Domestic Cooperation | Peer Review | Rev2 (Jan 2012) | Inserted reference to FD05.09 - Spontaneous dissemination of analysis report and minor changes in text |
FD08 - International Cooperation | Gonnie de graaff, FIU.net | Draft (Mar 2011) | Presented in ITWG meeting at Oranjestad, Aruba (Mar 2011) |
FD08 - International Cooperation | Gonnie de graaff, FIU.net | Rev1 (Jun 2011) | Minor updations |
FD08 - International Cooperation | Sanjeev Singh, FIU – IND (India) | Rev2 (Jul 2011) | Renamed from ‘Exchange of information with foreign FIUs’ to ‘International Cooperation’ |
FD08 - International Cooperation | Peer Review | Rev3 (Jan 2012) | Updated list of goal indicators and minor changes in text |
FD09 - Registration of reporting officer | Sanjeev Singh, FIU – IND (India) | Draft (Mar 2011) | Presented in ITWG meeting at Oranjestad, Aruba (Mar 2011) |
FD09 - Registration of reporting officer | Peer Review | Rev1 (Jan 2012) | Minor changes in text |
FD10 – Capacity building of reporting entities | Sanjeev Singh, FIU – IND (India) | Draft (Jun 2011) | Presented in ITWG meeting at Yerevan, Armenia (Jul 2011) |
FD10 – Capacity building of reporting entities | Peer Review | Rev1 (Jan 2012) | Inserted reference to FD01 - Collection of reports and minor changes in text |
FD11 - Managing compliance of reporting entities | Luis Lupiac, Manuel Luna Duarte, CNBS (Honduras) | Draft (Mar 2011) | Presented in ITWG meeting at Oranjestad, Aruba (Mar 2011) |
FD11 - Managing compliance of reporting entities | Sanjeev Singh, FIU – IND (India) | Rev1 (Jun 2011) | Expanded the scope of the domain from ‘monitoring compliance’ to ‘managing compliance’ |
FD11 - Managing compliance of reporting entities | Sanjeev Singh, FIU – IND (India) | Rev2 (Jul 2011) | Included reference of enforcement strategy |
FD11 - Managing compliance of reporting entities | Peer Review | Rev3 (Jan 2012) | Minor changes in text |
FD12 - Performance management | Sanjeev Singh, FIU – IND (India) | Draft (Oct 2010) | Discussed in ITWG meeting at Yerevan, Armenia (Jul 2011) |
FD13 - Information management | Chris Rennie, FINTRAC (Canada) | Draft (Feb 2010) | Presented in ITWG meeting at Mauritius (Mar 2010) |
FD13 - Information management | Sanjeev Singh, FIU – IND (India) | Rev1 (Jun 2011) | Added new section on Content management system (CMS) |
FD14 - Technical infrastructure management | George Tan, AMLC (Philippines) | Draft (May 2011) | |
FD14 - Technical infrastructure management | Sanjeev Singh, FIU – IND (India) | Rev1 (Jun 2011) | Added base practices (based on COBIT) and information on Enterprise management system (EMS). Presented in ITWG meeting at Yerevan, Armenia (Jul 2011) |
FD14 - Technical infrastructure management | Peer Review | Rev2 (Jan 2012) | Minor changes in text |
FD15 - Information security management | Sanjeev Singh, FIU – IND (India) | Draft (Jun 2011) | Discussed in ITWG meeting at Yerevan, Armenia (Jul 2011) |
FD15 - Information security management | Peer Review | Rev1 (Jan 2012) | Minor changes in text |
Table of Contents
Preface
FIU Information System Maturity Model (FISMM)
Introduction
FISMM architecture
Uses of the FISMM
Capability assessment
Performance management
Process improvement
IT strategy formulation
Technology evaluation
Summary
Conclusion
FISMM Domain Text
FD01 - Collection of reports
Base Practices
FD01.01 - Prescribe reporting format
FD01.02 - Assist reporting entities in preparation of report
FD01.03 - Receive reports in electronic form
FD01.04 - Receive reports using online secure gateway
Related Technology
FT01.01 - Reporting format specification
FT01.02 - Report preparation software
FT01.03 - Online gateway for receipt of reports
FT01.04 – Relational database management system (RDBMS)
FD02 – Access to Information
Base Practices
FD02.01 - Timely access to financial information
FD02.02 - Timely access to administrative information
FD02.03 - Timely access to law enforcement information
Related Technology
FT02.01 - Database integration
FT02.02 - Direct access to external databases
FT02.03 - Service oriented architecture
FD03 - Processing of information
Base Practices
FD03.01 - Conduct basic data validation
FD03.02 - Conduct rule-based validation
FD03.03 - Conduct external source validation
FD03.04 - Communicate validation result to reporting entity
FD03.05 - Enrich information
FD03.06 - Resolve identity of persons
FD03.07 - Create virtual groups
Related Technology
FT03.01 - Extraction transformation and loading (ETL) software
FT03.02 - Data quality software
FT03.03 - Identity resolution software
FD04 – Detection of new targets
Base Practices
FD04.01 - Detection of high risk individuals and legal entities
FD04.02 – Detection of high risk transaction patterns
FD04.03 – Detection of high risk unstructured text
FD04.04 – Identification of a new case
Related Technology
FT04.01 - List screening software
FT04.02 - Online analytical processing (OLAP) software
FT04.03 - Data mining software
FT04.04 - Text mining software
FT04.05 - Web mining software
FD05 – Operational analysis
Base Practices
FD05.01 - Assessment and prioritization
FD05.02 - View comprehensive profile
FD05.03 - Search and linkage of information in internal sources
FD05.04 - Collection of information from external information sources
FD05.05 - Collection of information from reporting entities
FD05.06 - Collection of information from foreign FIUs
FD05.07 - Comprehensive analysis of case
FD05.08 - Preparation of analysis report
FD05.09 – Spontaneous dissemination of analysis report
FD05.10 - Processing request for information
FD05.11 - Receipt and analysis of feedback
Related Technology
FT05.01 - Rule based system
FT05.02 - Analyst workbench
FT05.03 - Online analytical processing (OLAP) software
FT05.04 - Enterprise search software
FT05.05 - Open source search engine
FT05.06 - Link visualization tool
FT05.07 - Report generation tool
FD06 - Strategic analysis
Base Practices
FD06.01 – Define terms of reference
FD06.02 - Information gathering
FD06.03 - Information processing
FD06.04 - Creating hypotheses and conclusions
FD06.05 – Reporting of results
FD06.06 - Identifying trends in reports
Related Technology
FT06.01 - Online analytical processing (OLAP) software
FT06.02 - Data mining software
FT06.03 - Spreadsheet software
FT06.04 - Geographic information software
FT06.05 – Language ware dictionary
FD07 – Domestic cooperation
Base Practices
FD07.01 – Maintain relationship with domestic agencies
FD07.02 – Spontaneous dissemination of analysis report
FD07.03 - Request based exchange of information
FD07.04 - Automate the information exchange process
FD07.05 – Identification of ML/TF trends, typologies and scenarios
FD07.06 - Conduct joint analyses
FD07.07 – Receipt and analysis of feedback
FD07.08 – Cooperation in policy development and implementation
Related Technology
FT07.01 – Data standards for information exchange
FT07.02 – Automated access and exchange system
FD08 - International cooperation
Base Practices
FD08.01 - Acknowledge agreements on international exchange of information
FD08.02 - Designate staff to the international exchange of information
FD08.03 - Train staff
FD08.04 - Exchange information with international counterparts
FD08.05 - Automate the information exchange process
FD08.06 - Perform information matching with counterpart FIU(s)
FD08.07 - Conduct joint analyses with counterpart FIU(s)
FD08.08 - Feedback and accountability
Related Technology
FT08.01 - Connection to ESW
FT08.02 - Connection to FIU.NET (EU FIUs)
FD09 - Registration of reporting officer
Base Practices
FD09.01 - Compile list of reporting entities
FD09.02 - Send registration request
FD09.03 - Capture information of reporting entity
FD09.04 - Capture information of reporting officer
FD09.05 - Provide login credentials to the reporting officer
Related Technology
FT09.01 - Online Gateway for registration
FD10 – Capacity building of reporting entities
Base Practices
FD10.01 – Use of multiple channels to increase awareness
FD10.02 – Share best practices with reporting entities
FD10.03 – Provide feedback to reporting entities
Related Technology
FT10.01 - Website
FT10.02 - Learning management system
FD11 - Managing compliance of reporting entities
Base Practices
FD11.01 - Develop compliance and enforcement strategy
FD11.02 - Strengthen FIU-Regulator cooperation
FD11.03 - Identify sectors with inadequate spread and depth of reporting
FD11.04 - Identify reporting entities requiring further verification
FD11.05 – Conduct compliance verification
FD11.06 - Impose sanction
FD11.07 - Monitor improvement in areas of non compliance
FD11.08 - Publish sanction related information
Related Technology
FT11.01 - Rule based system
FT11.02 - Computer aided audit tool
FD12 - Performance management
Base Practices
FD12.01 - Identify key processes
FD12.02 - Define activities in the process
FD12.03 - Assign responsibility to roles
FD12.04 - Define key goal and performance indicators
FD12.05 - IT enable the process
FD12.06 - Measure performance
Related Technology
FT12.01 - Workflow software
FT12.02 - Dashboards and scorecards
FD13 - Information management
Base Practices
FD13.01 – Prepare IM strategic plan
FD13.02 – Define IM policy and guidance
FD13.03 – Conduct IM training and awareness
FD13.04 - Develop enterprise information architecture
FD13.05 - Implement IM governance in system lifecycle development
Related Technology
FT13.01 – Content management system
FD14 - Technical infrastructure management
Base Practices
FD14.01 - Define a strategic IT plan
FD14.02 - Define the IT processes, organisation and relationships
FD14.03 - Manage IT human resources
FD14.04 - Identify automated solutions
FD14.05 - Acquire and maintain application software
FD14.06 - Acquire and maintain technology infrastructure
FD14.07 - Manage changes
FD14.08 - Manage third-party services
FD14.09 - Manage performance and capacity
FD14.10 - Manage service desk and incidents
FD14.11 - Manage the configuration
FD14.12 - Manage data
FD14.13 - Manage operations
FD14.14 - Monitor and evaluate IT performance
Related Technology
FT14.01 - Enterprise management solution (EMS)
FD15 - Information security management
Base Practices
FD15.01 – Conduct risk assessment
FD15.02 – Develop information security management system
FD15.03 – Define security organisation
FD15.04 – Manage information assets
FD15.05 – Ensure human resources security
FD15.06 – Ensure physical and environmental security
FD15.07 – Communications and operations management
FD15.08 – Access control
FD15.09 – Information systems acquisition, development and maintenance
FD15.10 – Information security incident management
FD15.11 – Business continuity management
FD15.12 – Ensure compliance
Related Technology
FT15.01 - Firewall
FT15.02 - Intrusion detection and prevention system
FT15.03 - Authentication and authorization system
FT15.04 - Antivirus software
Glossary of Terms
Abbreviations used
Bibliography
Preface
In the ITWG meeting at Guatemala (Mar 2009), FIU-IND (India) proposed to develop an FIU information system maturity model, showing different sizes of FIUs and the system functions and software products they would expect to be using at various stages in their maturity process.
In the ITWG meeting at Doha (Jun 2009), the concept note on the project was discussed and the project was included in the 2009-2010 ITWG Business Plan under the objective “To provide advice and/or technical assistance to new FIUs and to existing FIUs who are in the process of enhancing or redesigning their IT systems”.
At Kuala Lumpur, Malaysia (Oct 2009), the ITWG discussed the ‘FISMM architecture’. The domains ‘Information management’ and ‘Strategic analysis’ were discussed in ITWG meetings at Mauritius (Mar 2010) and Cartagena, Colombia (Jun 2010) respectively. In the ITWG meeting at Chisinau, Moldova (Oct 2010), the domains “Collection of reports” and “Processing of information” were presented.
At Oranjestad, Aruba (Mar 2011), the ITWG decided to restructure FISMM domains and the number of domains increased from 14 to 15. During the meeting at Oranjestad, Aruba, ITWG discussed the domains ‘Exchange of information with foreign FIUs’, ‘Monitoring compliance of reporting entities’, ‘Access to information’, ‘Detection of new targets’ and ‘Operational analysis’.
In the meeting at Yerevan, Armenia (Jul 2011), the ITWG discussed the domains ‘Capacity building of reporting entities’, ‘Domestic Cooperation’, ‘Performance management’, ‘Technical infrastructure management’, ‘Information security management’ and the revised domain ‘Managing compliance of reporting entities’. The domains ‘Exchange of information with domestic agencies’ and ‘Exchange of information with foreign FIUs’ were renamed ‘Domestic Cooperation’ and ‘International Cooperation’ respectively. The ITWG also decided to involve the Operational working group (OpWG) and the Training working group (TWG) in reviewing the FISMM document.
During the peer review, members provided feedback and comments on the domains, goal indicators, base practices and related technology. In January 2012, a draft template for a self-assessment and strategic planning exercise using FISMM was developed, which can be used by any FIU.