SAQA

All qualifications and part qualifications registered on the National Qualifications Framework are public property. Thus the only payment that can be made for them is for service and reproduction. It is illegal to sell this material for profit. If the material is reproduced or quoted, the South African Qualifications Authority (SAQA) should be acknowledged as the source.

SOUTH AFRICAN QUALIFICATIONS AUTHORITY

REGISTERED UNIT STANDARD THAT HAS PASSED THE END DATE:

Monitor and manage information technology risks in a banking environment

SAQA US ID	UNIT STANDARD TITLE
7338	Monitor and manage information technology risks in a banking environment
ORIGINATOR
SGB Banking and Micro Finance
PRIMARY OR DELEGATED QUALITY ASSURANCE FUNCTIONARY
BANKSETA - Banking Sector Education and Training Authority
FIELD			SUBFIELD
Field 03 - Business, Commerce and Management Studies			Finance, Economics and Accounting
ABET BAND	UNIT STANDARD TYPE	PRE-2009 NQF LEVEL	NQF LEVEL	CREDITS
Undefined	Regular	Level 5	Level TBA: Pre-2009 was L5	35
REGISTRATION STATUS		REGISTRATION START DATE	REGISTRATION END DATE	SAQA DECISION NUMBER
Passed the End Date - Status was "Reregistered"		2018-07-01	2023-06-30	SAQA 06120/18
LAST DATE FOR ENROLMENT		LAST DATE FOR ACHIEVEMENT
2026-06-30		2029-06-30

In all of the tables in this document, both the pre-2009 NQF Level and the NQF Level is shown. In the text (purpose statements, qualification rules, etc), any references to NQF Levels are to the pre-2009 levels unless specifically stated otherwise.

This unit standard does not replace any other unit standard and is not replaced by any other unit standard.

PURPOSE OF THE UNIT STANDARD

This unit standard is intended for people who will be required to monitor and manage Information Technology risks within the specified business units/divisions. Persons credited with this unit standard will be able to identify potential information technology risks and establish the impact thereof on the business, analyse, monitor and take appropriate action to control these risks.

LEARNING ASSUMED TO BE IN PLACE AND RECOGNITION OF PRIOR LEARNING

Persons attempting this unit standard must have in depth knowledge of information security concepts and practices, have a good technical understanding of the platform and/or network being monitored/managed.

UNIT STANDARD RANGE

Areas of information technology risk include but is not limited to:
Confidentiality of information
Integrating of information
Availability of information
Information processing platforms and networks.
Confidentiality of information

UNIT STANDARD OUTCOME HEADER

Identify potential information technology risks to

Specific Outcomes and Assessment Criteria:

SPECIFIC OUTCOME 1

Identify potential information technology risks to establish the impact on the business.

OUTCOME RANGE

Risks in technology include but are not limited to:

Confidentiality, Integrity, Denial of service/availability, Unauthorised disclosure/modification of information, Destruction of information.

ASSESSMENT CRITERIA

ASSESSMENT CRITERION 1

1. Scenarios around information technology risks are identified to establish the impact on the business, as per company specific requirements.

ASSESSMENT CRITERION 2

2. Control measures and techniques are implemented and tested against all possible risks identified as per company specific requirements.

ASSESSMENT CRITERION 3

3. Service level agreements are drawn up with all information technology users to enable business continuity as per company specific requirements.

ASSESSMENT CRITERION 4

4. Controls are reviewed and updated on a timely basis as per company specific requirements.

ASSESSMENT CRITERION 5

5. Information security policy, standards and good practice procedures are identified, developed and documented as per company specific requirements.

SPECIFIC OUTCOME 2

Analyse identified information technology risks.

ASSESSMENT CRITERIA

ASSESSMENT CRITERION 1

1. The potential impact of the risk is quantified as per company specific requirements.

ASSESSMENT CRITERION 2

2. Causes of the risk are identified as per company specific requirements.

ASSESSMENT CRITERION 3

3. Procedures to minimise the impact of the risk on the business are identified, developed and implemented as per company specific requirements.

ASSESSMENT CRITERION 4

4. Compliance to procedures implemented is performed as per company specific guidelines.

SPECIFIC OUTCOME 3

Monitor and control information technology risks.

ASSESSMENT CRITERIA

ASSESSMENT CRITERION 1

1. Functionalities of information technology are monitored on a regular basis as per company specific requirements.

ASSESSMENT CRITERION RANGE

Functionalities include but are not limited to capacity, connectivity.

ASSESSMENT CRITERION 2

2. Control deficiencies are identified and analysed as per processes followed to minimise re-occurrences of the risk.

ASSESSMENT CRITERION 3

3. Access to and utilisation of information assets are monitored to establish the risk to the business as per company specific requirements.

ASSESSMENT CRITERION 4

4. The back up of essential data is monitored regularly as per company specific guidelines.

ASSESSMENT CRITERION 5

5. Reports are written and submitted on a regularly basis to the relevant authorities as per company specific requirements.

ASSESSMENT CRITERION 6

6. Follow up checks on reports are carried out and deviations are action planned as per company specific requirements.

ASSESSMENT CRITERION 7

7. The processing platforms and network is managed as per company specific requirements.

ASSESSMENT CRITERION RANGE

Processing platforms and network utilisation includes but is not limited to costs, capacity.

ASSESSMENT CRITERION 8

8. Statistics are maintained so that losses/violations can be measured as per company specific requirements.

UNIT STANDARD ACCREDITATION AND MODERATION OPTIONS

Anyone assessing a learner against this unit standard must be registered as an assessor with the relevant ETQA. Any institution offering learning that will enable achievement of this unit standard or assessing this unit standard must be accredited as a provider with the relevant ETQA.

Moderation Option:

Moderation of assessment will be overseen by the relevant ETQA according to the moderation guidelines in the relevant qualification and the agreed ETQA procedures. Therefore anyone wishing to be assessed against this unit standard may apply to be assessed by any assessment agency, assessor or provider institution which is accredited by the relevant ETQA.

UNIT STANDARD ESSENTIAL EMBEDDED KNOWLEDGE

Have knowledge of product suites

Have knowledge of Networks

Have knowledge of security principles relating to Technology Risk

Critical Cross-field Outcomes (CCFO):

UNIT STANDARD CCFO IDENTIFYING

The learner is able to identify and solve problems when monitoring technology risks, ensuring all possible control deficiencies are identified and analysed to minimise re-occurrence of the risk.

UNIT STANDARD CCFO WORKING

The learner is able to work effectively with others when drawing up Service Level agreements with information technology users, ensuring business continuity in the case of unforeseen technology breakdown.

UNIT STANDARD CCFO COLLECTING

The learner is able to collect, organise and critically evaluate information when analysing identified technology risks, ensuring procedures to minimise the impact of the risks are based on complete and accurate information.

UNIT STANDARD CCFO COMMUNICATING

The learner is able to communicate effectively both verbally and in writing when reporting on the control of technology risks, ensuring all relevant parties are aware of and fully understand their roles with regard to issues such as the back up of essential data.

UNIT STANDARD CCFO DEMONSTRATING

The learner is able to understand the relationship between technology risk scenario's, control measures, Service Level Agreements and the effect of these factors on overall information technology risk management.

REREGISTRATION HISTORY

As per the SAQA Board decision/s at that time, this unit standard was Reregistered in 2012; 2015.

UNIT STANDARD NOTES

Legal Requirements:

Adhere to regulatory requirements in terms of Telecom

Terminology:

Connectivity relates to transfer of information between platforms, identical and non-identical power, etc.

QUALIFICATIONS UTILISING THIS UNIT STANDARD:

	ID	QUALIFICATION TITLE	PRE-2009 NQF LEVEL	NQF LEVEL	STATUS	END DATE	PRIMARY OR DELEGATED QA FUNCTIONARY
Elective	61589	National Certificate: Banking	Level 5	Level TBA: Pre-2009 was L5	Passed the End Date - Status was "Reregistered"	2023-06-30	As per Learning Programmes recorded against this Qual

PROVIDERS CURRENTLY ACCREDITED TO OFFER THIS UNIT STANDARD:

This information shows the current accreditations (i.e. those not past their accreditation end dates), and is the most complete record available to SAQA as of today. Some Primary or Delegated Quality Assurance Functionaries have a lag in their recording systems for provider accreditation, in turn leading to a lag in notifying SAQA of all the providers that they have accredited to offer qualifications and unit standards, as well as any extensions to accreditation end dates. The relevant Primary or Delegated Quality Assurance Functionary should be notified if a record appears to be missing from here.

1.	AFRICAN BANK LTD
2.	Chartall Business College
3.	Damelin (Pty) Ltd
4.	Felix Risk Training Consultants
5.	Plumb Line Risk Alignment
6.	Riverwalk Trading 151 CC trading as Culhane Consulting
7.	Standard Bank Personal and Business Banking
8.	The Academy of Financial Markets
9.	The Institute of Literacy Advancement
10.	THE SHERQ CENTRE OF EXCELLENCE PTY LTD