Broadly speaking, the risk to a bank's information security lies in unauthorized system/data access by business users in the bank, by application/system support personnel, by customers, and by the public at large. Security requirements to cover unauthorized access by business users in the bank include control of login access to the system, access control to application functions, transaction control, including financial risk and operating system access control. Security requirements for support personnel include procedures for access to production environment, control of development or testing areas, and operational control procedures. Security requirements with regard to customers and the public include login IDs, passwords, "need-to-know" requirements when disseminating modem-linked telephone numbers, and careful procedures to balance isolation with operational control measures. References