FCA SYSC 13 — Operational Risk: Systems and Controls
Financial Conduct Authority rules for operational risk management applicable to all FCA-regulated firms. Covers operational risk identification and assessment, systems and controls, business continuity planning, outsourcing, technology and cyber risk, change management, information security, access control, data integrity, incident management, insurance, record keeping, and board governance responsibilities. Part of the FCA Senior Management Arrangements, Systems and Controls (SYSC) sourcebook.
Controls: 136
Total Mappings: 226
Publisher: Financial Conduct Authority (FCA)
Version: SYSC 13 (current)
Controls by family: AC (10), AT (5), AU (9), CA (4), CM (10), CP (13), IA (5), IR (1), MA (5), PL (4), PM (15), PS (9), RA (7), SA (9), SC (9), SI (11), SR (10)
AC Access Control
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | SYSC 13.6.5, SYSC 13.7.3 |
| AC-02 | Account Management | SYSC 13.7.3 |
| AC-03 | Access Enforcement | SYSC 13.7.3 |
| AC-05 | Separation Of Duties | SYSC 13.6.2, SYSC 13.7.3 |
| AC-06 | Least Privilege | SYSC 13.6.2, SYSC 13.7.3 |
| AC-07 | Unsuccessful Login Attempts | SYSC 13.7.3 |
| AC-13 | Supervision And Review -- Access Control | SYSC 13.6.3 |
| AC-17 | Remote Access | SYSC 13.7.3 |
| AC-19 | Access Control For Portable And Mobile Devices | SYSC 13.7.3 |
| AC-20 | Use Of External Information Systems | SYSC 13.7.3 |
AT Awareness and Training
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| AT-01 | Security Awareness And Training Policy And Procedures | SYSC 13.5.1, SYSC 13.6.1 |
| AT-02 | Security Awareness | SYSC 13.5.1, SYSC 13.6.1 |
| AT-03 | Security Training | SYSC 13.5.1, SYSC 13.6.1 |
| AT-04 | Security Training Records | SYSC 13.6.1 |
| AT-06 | Training Feedback | SYSC 13.5.1, SYSC 13.6.1 |
AU Audit and Accountability
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | SYSC 13.G.4 |
| AU-02 | Auditable Events | SYSC 13.7.5 |
| AU-03 | Content Of Audit Records | SYSC 13.7.5 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | SYSC 13.7.5 |
| AU-07 | Audit Reduction And Report Generation | SYSC 13.7.5 |
| AU-09 | Protection Of Audit Information | SYSC 13.G.4 |
| AU-11 | Audit Record Retention | SYSC 13.G.4 |
| AU-12 | Audit Record Generation | SYSC 13.7.5 |
| AU-16 | Cross-Organizational Audit Logging | SYSC 13.9.3 |
CA Security Assessment and Authorization
CM Configuration Management
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | SYSC 13.7.1 |
| CM-02 | Baseline Configuration | SYSC 13.7.1, SYSC 13.7.2 |
| CM-03 | Configuration Change Control | SYSC 13.7.1, SYSC 13.7.4, SYSC 13.8.4 |
| CM-04 | Monitoring Configuration Changes | SYSC 13.7.4, SYSC 13.8.4 |
| CM-05 | Access Restrictions For Change | SYSC 13.6.2, SYSC 13.7.4 |
| CM-06 | Configuration Settings | SYSC 13.6.5, SYSC 13.7.1 |
| CM-07 | Least Functionality | SYSC 13.7.1 |
| CM-08 | Information System Component Inventory | SYSC 13.7.1, SYSC 13.7.2 |
| CM-09 | Configuration Management Plan | SYSC 13.7.4 |
| CM-14 | Signed Components | SYSC 13.7.4 |
CP Contingency Planning
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | SYSC 13.8.1, SYSC 13.9.5 |
| CP-02 | Contingency Plan | SYSC 13.8.1, SYSC 13.8.2, SYSC 13.9.5 |
| CP-03 | Contingency Training | SYSC 13.8.1 |
| CP-04 | Contingency Plan Testing And Exercises | SYSC 13.8.1, SYSC 13.8.2, SYSC 13.9.5 |
| CP-05 | Contingency Plan Update | SYSC 13.8.1 |
| CP-06 | Alternate Storage Site | SYSC 13.8.1, SYSC 13.8.2 |
| CP-07 | Alternate Processing Site | SYSC 13.8.1, SYSC 13.8.2 |
| CP-08 | Telecommunications Services | SYSC 13.8.1, SYSC 13.8.2 |
| CP-09 | Information System Backup | SYSC 13.8.1, SYSC 13.8.2 |
| CP-10 | Information System Recovery And Reconstitution | SYSC 13.8.1, SYSC 13.8.2 |
| CP-11 | Alternate Communications Protocols | SYSC 13.8.2 |
| CP-12 | Safe Mode | SYSC 13.8.1 |
| CP-13 | Alternative Security Mechanisms | SYSC 13.8.1 |
IA Identification and Authentication
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | SYSC 13.7.3 |
| IA-02 | User Identification And Authentication | SYSC 13.7.3 |
| IA-04 | Identifier Management | SYSC 13.7.3 |
| IA-05 | Authenticator Management | SYSC 13.7.3 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | SYSC 13.7.3 |
IR Incident Response
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| IR-06 | Incident Reporting | SYSC 13.4 |
MA Maintenance
PL Planning
PM Program Management
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| PM-01 | Information Security Program Plan | SYSC 13.1-2, SYSC 13.3, SYSC 13.G.1 |
| PM-02 | Information Security Program Leadership Role | SYSC 13.1-2, SYSC 13.6.3, SYSC 13.G.1 |
| PM-04 | Plan of Action and Milestones Process | SYSC 13.G.4 |
| PM-06 | Measures of Performance | SYSC 13.5.3, SYSC 13.7.5, SYSC 13.G.3 |
| PM-07 | Enterprise Architecture | SYSC 13.4 |
| PM-08 | Critical Infrastructure Plan | SYSC 13.5.2 |
| PM-09 | Risk Management Strategy | SYSC 13.1-2, SYSC 13.3, SYSC 13.5.2, SYSC 13.8.4, SYSC 13.8.5, SYSC 13.G.2 |
| PM-10 | Authorization Process | SYSC 13.G.1 |
| PM-11 | Mission and Business Process Definition | SYSC 13.1-2, SYSC 13.5.2, SYSC 13.8.4 |
| PM-13 | Security and Privacy Workforce | SYSC 13.5.1, SYSC 13.6.1 |
| PM-14 | Testing, Training, and Monitoring | SYSC 13.5.1, SYSC 13.5.3, SYSC 13.7.5, SYSC 13.G.3 |
| PM-28 | Risk Framing | SYSC 13.5.2, SYSC 13.G.2 |
| PM-29 | Risk Management Program Leadership Roles | SYSC 13.1-2, SYSC 13.6.3, SYSC 13.G.1 |
| PM-30 | Supply Chain Risk Management Strategy | SYSC 13.9.1 |
| PM-31 | Continuous Monitoring Strategy | SYSC 13.5.3 |
PS Personnel Security
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | SYSC 13.6.1, SYSC 13.6.3, SYSC 13.6.4 |
| PS-02 | Position Categorization | SYSC 13.6.1, SYSC 13.6.2, SYSC 13.6.4 |
| PS-03 | Personnel Screening | SYSC 13.6.4 |
| PS-04 | Personnel Termination | SYSC 13.6.4 |
| PS-05 | Personnel Transfer | SYSC 13.6.4 |
| PS-06 | Access Agreements | SYSC 13.6.1 |
| PS-07 | Third-Party Personnel Security | SYSC 13.6.3, SYSC 13.6.4, SYSC 13.9.2 |
| PS-08 | Personnel Sanctions | SYSC 13.6.4 |
| PS-09 | Position Descriptions | SYSC 13.6.1, SYSC 13.6.3, SYSC 13.G.1 |
RA Risk Assessment
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | SYSC 13.1-2, SYSC 13.5.3 |
| RA-02 | Security Categorization | SYSC 13.5.2 |
| RA-03 | Risk Assessment | SYSC 13.1-2, SYSC 13.5.2, SYSC 13.5.3, SYSC 13.8.4, SYSC 13.G.2 |
| RA-04 | Risk Assessment Update | SYSC 13.5.3 |
| RA-05 | Vulnerability Scanning | SYSC 13.5.3 |
| RA-07 | Risk Response | SYSC 13.5.2, SYSC 13.5.3, SYSC 13.8.4, SYSC 13.8.5, SYSC 13.G.2 |
| RA-09 | Criticality Analysis | SYSC 13.5.2 |
SA System and Services Acquisition
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | SYSC 13.7.1 |
| SA-03 | Life Cycle Support | SYSC 13.7.1, SYSC 13.8.4 |
| SA-04 | Acquisitions | SYSC 13.9.1, SYSC 13.9.2, SYSC 13.9.3 |
| SA-05 | Information System Documentation | SYSC 13.6.5 |
| SA-08 | Security Engineering Principles | SYSC 13.7.1, SYSC 13.8.4 |
| SA-09 | External Information System Services | SYSC 13.9.1, SYSC 13.9.2, SYSC 13.9.3, SYSC 13.9.5 |
| SA-10 | Developer Configuration Management | SYSC 13.7.1, SYSC 13.7.4 |
| SA-11 | Developer Security Testing | SYSC 13.7.1, SYSC 13.7.4 |
| SA-21 | Developer Screening | SYSC 13.9.2 |
SC System and Communications Protection
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| SC-05 | Denial Of Service Protection | SYSC 13.7.2, SYSC 13.8.2 |
| SC-06 | Resource Priority | SYSC 13.7.2, SYSC 13.8.2 |
| SC-07 | Boundary Protection | SYSC 13.7.3 |
| SC-08 | Transmission Integrity | SYSC 13.7.3 |
| SC-12 | Cryptographic Key Establishment And Management | SYSC 13.7.3 |
| SC-13 | Use Of Cryptography | SYSC 13.7.3 |
| SC-24 | Fail in Known State | SYSC 13.8.2 |
| SC-28 | Protection of Information at Rest | SYSC 13.7.3 |
| SC-36 | Distributed Processing and Storage | SYSC 13.8.2 |
SI System and Information Integrity
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | SYSC 13.7.1 |
| SI-02 | Flaw Remediation | SYSC 13.7.1, SYSC 13.7.2, SYSC 13.7.4 |
| SI-04 | Information System Monitoring Tools And Techniques | SYSC 13.7.5 |
| SI-05 | Security Alerts And Advisories | SYSC 13.4 |
| SI-06 | Security Functionality Verification | SYSC 13.7.1, SYSC 13.7.5 |
| SI-07 | Software And Information Integrity | SYSC 13.7.1, SYSC 13.7.4 |
| SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | SYSC 13.7.1 |
| SI-11 | Error Handling | SYSC 13.7.1 |
| SI-12 | Information Output Handling And Retention | SYSC 13.G.4 |
| SI-13 | Predictable Failure Prevention | SYSC 13.7.2, SYSC 13.8.2 |
| SI-17 | Fail-safe Procedures | SYSC 13.8.2 |
SR Supply Chain Risk Management
| Control | Name | FCA SYSC 13 References |
|---|---|---|
| SR-01 | Policy and Procedures | SYSC 13.9.1 |
| SR-02 | Supply Chain Risk Management Plan | SYSC 13.9.1 |
| SR-03 | Supply Chain Controls and Processes | SYSC 13.9.1, SYSC 13.9.3, SYSC 13.9.5 |
| SR-04 | Provenance | SYSC 13.9.2 |
| SR-05 | Acquisition Strategies, Tools, and Methods | SYSC 13.9.2 |
| SR-06 | Supplier Assessments and Reviews | SYSC 13.9.1, SYSC 13.9.2, SYSC 13.9.3 |
| SR-07 | Supply Chain Operations Security | SYSC 13.9.2 |
| SR-08 | Notification Agreements | SYSC 13.9.3 |
| SR-10 | Inspection of Systems or Components | SYSC 13.9.3 |
| SR-12 | Component Disposal | SYSC 13.9.5 |