Booklet: Management
Section: IT Risk Management Process
Subsection: IT Controls Implementation

Action Summary
This section provides
guidelines for controls that will reduce risk when effectively implemented.
These guidelines are applicable to both in-house and external provider
situations. The financial institution should review and assess external
provider practices for consistency with these guidelines. Identified gaps
represent increased risk, which management should mitigate before establishing
a formal relationship.
POLICIES, STANDARDS, AND PROCEDURES
Management should adopt and enforce appropriate policies and procedures
to manage technology risk. The effectiveness of these policies and procedures
depends largely on whether internal staff and vendors actually follow them.
Testing compliance with these policies and procedures often helps to identify
and correct problems before they become serious. Clearly written and frequently
communicated policies can establish clear assignments of duties, help
employees coordinate and perform their tasks effectively and consistently,
and aid in the training of new employees. Senior management should ensure
that policies, procedures, and systems are current and well documented.
In general, a policy is a governing principle that provides the basis
for standards, and carries the highest authority in the organization.
It is an overall statement of corporate philosophy or intent that reflects
the best market practice. Standards are mandatory criteria that ensure
corporate conformity with policy, government regulations, and acceptable
levels of control. Procedures are typically documents that describe, in
detail, the behavior or processes used to adhere to the criteria mandated
by standards.
Financial institutions should create, document, maintain, and adhere to
policies and standards to manage and control their IT environment. Documented
procedures are one of the evidentiary elements that can demonstrate compliance
with those policies and standards. The level of detail required depends
on the complexity of the IT environment, but it should enable management
to monitor the identified risk posture.
INTERNAL CONTROLS
The institution should adopt adequate controls based on the degree of
exposure and the potential risk of loss arising from the use of technology.
Controls should include clear and measurable performance goals, the allocation
of specific responsibilities for key project implementation, and independent
mechanisms that will both measure risks and minimize excessive risk-taking.
Management should re-evaluate these controls periodically.
Management should establish an effective system of internal controls.
Internal controls for an IT environment generally should address the overall
integrity of that environment. Typically, internal controls span management
and multiple technical disciplines. The scope and quality of internal
controls are key components of the risk assessment process. Senior management
is responsible for the oversight and monitoring of internal controls.
Management should identify the specific requirements for internal controls
in the financial institution’s policies, standards, and practices
in order to establish an auditable baseline. The established baseline
provides a general picture of the control environment. The detailed requirements
for each area or discipline are used to measure compliance against the
established standards.
Management practices associated with general controls include:
- Reporting effectiveness to the Board of Directors;
- Periodic review and updating of policies, standards, and practices;
- Regular review of internal and third-party audit results;
- Review of service level agreements; and
- Review of control metrics, including issues and corrective action plans.
Adequate internal controls should be structured to assure senior management that:
- Personnel create, transmit, and store records and transactions in a safe and sound manner;
- Adequate segregation of duties exists;
- MIS data are reliable and the reporting cycle is adequate;
- Operating procedures are efficient and effective;
- Procedures are in effect to assure continuity of business;
- The institution identifies and monitors high-risk conditions, functions, and activities; and
- There is proper adherence to management standards and policies, applicable laws and regulations, regulatory statements of policy, and other guidelines.
Independent audits can verify that these controls exist and are functioning
effectively.
PERSONNEL
Financial institutions should mitigate the risks posed by IT staff by
performing appropriate background checks and screening of new employees.
In addition to staff, the controls in this section are relevant for vendor
personnel, consultants, and temporary staff that support the IT function.
Typically, the minimum verification considerations include:
- Character references;
- Background checks, including confirmation of prior experience, academic credentials, professional qualifications, and criminal records; and
- Confirmation of identity from government-issued identification.
Financial
institutions should protect the confidentiality of information about their
customers and organization by obtaining agreements covering confidentiality,
nondisclosure, and authorized use. Management should obtain signed confidentiality
and nondisclosure agreements before granting new employees, contractors,
and temporary staff access to information technology systems. In addition,
management should require periodic acknowledgement of acceptable use policies
for the network, software applications, Internet, e-mail, and institution
data.
Financial institutions should use job descriptions, employment agreements
(usually for higher-level positions), training, and awareness programs to
promote understanding and increase individual accountability. Management
should routinely update the institution’s written job descriptions.
Job descriptions should define the system access rights each position requires,
so that the access actually granted can be verified against them. Employment
agreements set both the expectations and limits associated with the employee’s
functions. Information security awareness and training programs help support
these and other management policies.
Financial institutions should establish a timely process to remove or
change the access rights of any party when that party’s role changes or
its employment or engagement ends. The lack of such a process may result
in unauthorized or inappropriate activity. The failure to remove access rights,
particularly for individuals with high levels of privilege, represents
significant risk.
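One way to operationalize the access-removal requirement above is a periodic reconciliation of enabled accounts against the HR roster. The script below is an added example and is not from the handbook; the roster, the account export, the field names, and the one-day removal deadline are all constructed assumptions. It reports enabled accounts whose owner has left, accounts with no HR record at all (orphans), and lists privileged accounts first because those carry the most risk.

```python
"""Reconcile enabled accounts against the HR roster to find access that
should already have been removed.  Added example; the roster, the account
export and the field names (status, end_date, enabled, privileged) are
constructed assumptions, not an FFIEC or vendor format."""
from datetime import date

# Constructed HR roster: who is still employed or engaged, and when they left.
HR_ROSTER = {
    "asmith":  {"status": "active",         "end_date": None},
    "bjones":  {"status": "terminated",     "end_date": date(2024, 3, 1)},
    "cchen":   {"status": "terminated",     "end_date": date(2024, 5, 20)},
    "dlopez":  {"status": "active",         "end_date": None},
    "vendor7": {"status": "contract_ended", "end_date": date(2024, 4, 15)},
}

# Constructed export of accounts from a directory or application.
ACCOUNTS = [
    {"user": "asmith",    "enabled": True,  "privileged": False},
    {"user": "bjones",    "enabled": True,  "privileged": True},   # admin who left in March
    {"user": "cchen",     "enabled": False, "privileged": False},  # disabled, as expected
    {"user": "dlopez",    "enabled": True,  "privileged": True},
    {"user": "vendor7",   "enabled": True,  "privileged": False},  # contractor, contract ended
    {"user": "svc_batch", "enabled": True,  "privileged": True},   # no HR record at all
]

GRACE_DAYS = 1                 # assumed deadline: access gone within a day of departure
AS_OF = date(2024, 6, 1)       # constructed review date


def find_stale_access(accounts, roster, today=AS_OF):
    """Return findings for enabled accounts whose owner is no longer active.

    Each finding is (user, reason, days_overdue, privileged).  days_overdue is
    None for orphan accounts, which have no departure date to measure from.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                                   # already removed: nothing to report
        rec = roster.get(acct["user"])
        if rec is None:
            findings.append((acct["user"], "no HR record (orphan account)", None, acct["privileged"]))
            continue
        if rec["status"] == "active":
            continue
        overdue = (today - rec["end_date"]).days - GRACE_DAYS
        if overdue >= 0:
            findings.append((acct["user"], rec["status"], overdue, acct["privileged"]))
    # Privileged accounts first, then the longest-overdue removals.
    findings.sort(key=lambda f: (not f[3], -(f[2] or 0)))
    return findings


if __name__ == "__main__":
    for user, reason, overdue, privileged in find_stale_access(ACCOUNTS, HR_ROSTER):
        tag = "PRIVILEGED" if privileged else "standard"
        print(f"{user:10} {tag:10} {reason:30} overdue={overdue}")
```

Running this against the constructed data reports bjones (a privileged account 91 days past the removal deadline), svc_batch (a privileged orphan with no owner on the roster), and vendor7; cchen is not reported because the account was actually disabled. The same comparison can be run against each application that holds its own user store, not only the central directory, since that is where removals are most often missed.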
INSURANCE
In establishing an insurance program, management should recognize its
exposure to loss, the extent to which insurance is available to cover
potential losses, and the cost of such insurance. Insurance programs should
be commensurate with the complexity and risk of each institution. Management
should weigh these factors to determine how much risk the organization
will assume directly. In assessing the extent of that risk, institutions
should analyze the effect of an uninsured loss on themselves and any affiliates
or parent companies. Management should also review a carrier’s financial
condition and credit ratings when selecting an insurer.
Once management has acquired appropriate insurance coverage, it should
establish procedures to review and ensure its adequacy. These procedures
should include, at a minimum, an annual program review by the board of
directors.
Insurance complements, but does not replace, an effective system of controls.
Thus, an overall appraisal of the control environment becomes significant
in assessing the adequacy of the insurance program. Effective controls
and audits may result in lower premiums. Before purchasing insurance,
management should assess the costs of insuring:
- IT equipment and facilities;
- Media reconstruction;
- Business interruption;
- Loss of items in transit;
- Employee fidelity;
- Extra expense;
- E-banking activities;
- Errors and omissions; and
- Liability to customers resulting from electronic fund transfer system (EFTS) activities.
Estimates of these costs will enable management to choose the types and
amounts of insurance to carry. They also allow management to determine
to what extent the institution should self-insure against certain losses.
Standard insurance policies cover some IT-related risks, but an institution
or data center should read them carefully. Insurance that covers physical
disasters often specifically excludes computer equipment, and policies that
do cover media usually pay for replacement of the physical magnetic media
but omit the cost of reconstructing the information recorded on it. Management
should clearly understand what is covered and document any gaps in coverage.
Insurance policies provide a variety of IT-related coverage. They are
constructed so that they can be adapted to the particular institution's
IT environment. Some examples of specific coverage and guidelines for
evaluating them include:
- IT Equipment and Facilities – Management should obtain coverage of physical damage to the data center and automation equipment throughout the institution. Coverage should include leased equipment if the lessee is responsible for hazard coverage.
- Media Reconstruction – An institution should obtain insurance for damage to IT media, such as magnetic tape and disks, if it is the institution’s property and the institution has liability for the media. Insurance is available for on-premises, off-premises, or in-transit situations. It should cover the actual reproduction cost of the property or, if not replaced or reproduced, the blank value of the media. Additional considerations to determine the amount of coverage include programming costs, physical replacement, and backup expense.
- Extra Expense – Insurance coverage should include the extra costs of continuing operations following damage or destruction at the data processing center or other work areas.
- E-banking Activities – Insurance coverage should include loss or liability arising from electronic banking activities such as Internet banking and bill payment services.
- Business Interruption – Data centers and institutions offering outside services should obtain coverage that reimburses them for monetary losses resulting from suspension of operations because of physical loss of equipment or media.
- Valuable Papers and Records – Coverage should include the actual cash value of papers and records (not defined as media) against direct physical loss or damage.
- Errors and Omissions – Management should obtain insurance that provides protection against claims arising from negligent acts, errors, or omissions that occur in performing IT services for others. These policies commonly contain the following exclusions:
  - Employee dishonesty;
  - Libel, slander, or defamation of character;
  - Liability of others assumed by the insured under contract or agreement;
  - Liability for loss or damage to property of others;
  - Personal or bodily injury or sickness;
  - Liability arising out of advice from third parties on methods, procedures, practices, etc.;
  - Liability for preparation of income tax returns; and
  - Loss caused intentionally by, or at the direction of, the insured.
INFORMATION
SECURITY
The board of directors is responsible for overseeing the development,
implementation, and maintenance of the institution’s information
security program. The board should provide management with guidance and
review the effectiveness of management’s actions. The board should
approve written information security policies and the information security
program at least annually. The board should provide management with its
expectations and requirements for:
- Central oversight and coordination;
- Areas of responsibility;
- Risk measurement;
- Monitoring and testing;
- Reporting; and
- Acceptable residual risk.
Information
is one of a financial institution’s most important assets. Management
and the board of directors should protect information assets to establish
and maintain trust between the financial institution and its customers.
The unauthorized loss, destruction, or disclosure of confidential information
can adversely affect a financial institution’s earnings and capital.
The GLBA, section 501(b), requires management to develop and the board
to approve an information security program to protect the security and
confidentiality of customer information. The institution should protect
customer information from any anticipated threats to security or integrity.
It should also protect customer information from unauthorized access or
use that would result in substantial harm or inconvenience to any customer.
GLBA also requires that the board oversee the development, implementation,
and maintenance of the bank’s security program and assign
specific responsibility for its implementation. The board should also
review an annual report, prepared by management, on the bank’s
actions toward GLBA compliance. The IT Handbook’s “Information
Security Booklet” has additional information on this topic.
BUSINESS CONTINUITY
The board of directors and senior management are responsible for establishing
policies, procedures, and responsibilities for organization-wide business
continuity planning. At a minimum, the board of directors should annually
update and approve the institution’s business continuity plans.
Management should document, maintain, and test the organization’s
business continuity plan and back-up systems on a periodic basis to mitigate
the risk of system failures and unauthorized intrusions. Management should
also report the tests of the plan and back-up systems to the board of
directors on an annual basis. Detailed information on this topic is available
in the IT Handbook’s “Business Continuity Planning (BCP) Booklet.”
SOFTWARE DEVELOPMENT AND ACQUISITION
Senior management should assess and mitigate the operational/transactional
risks associated with the development or acquisition of software. Management
should develop applicable policies and standards, which specify risk management
controls for the development and acquisition of systems. Uncontrolled
software development or acquisition may introduce unacceptable levels
of risk.
Management should guide the development or acquisition of software by
using a system development life cycle (SDLC) or similar methodology that
is appropriate for the specific IT environment. An SDLC methodology will
also help to identify the risks of acquiring software; however, financial
institutions should also consider the vendor’s control environment, reputation,
and capabilities.
Each phase of the SDLC should have procedures that verify the maintenance
and integrity of controls before the start of the next phase. An institution
should review the information security aspects of each phase to identify
the security requirements. Internal audit should be involved to ensure proper
security is incorporated during development. Depending upon the size and
complexity of the institution, management should analyze the operational
impact early in the process to identify any additional cost and support issues.
Management should test new technology, systems, and products thoroughly
before deployment. Testing validates that equipment and systems function
properly and produce the desired results. As part of the testing process,
management should verify whether new technology systems operate effectively
with other technology components including vendor-supplied technology.
Pilot programs or prototypes can be helpful in developing new technology
applications before management accepts them for use on a broad scale.
Management should conduct retesting periodically to help manage risk exposure
on an ongoing basis.
Refer to the IT Handbook’s “Development and Acquisition Booklet”
for additional detailed information on this topic.
OPERATIONS
Senior management should be aware of and mitigate the operational/transactional
risks associated with IT operations. Financial institutions and their
service providers may have one or more IT operations groups. The number
and types will vary from organization to organization. Common examples
are data center or computer operations, network services, distributed
computing, personal or desktop computing, change management, security,
resource management, and contingency planning.
Many operations functions have significant risk factors that need effective
management and control. For example, system and security administrators
have powerful levels of control over the systems they operate or manage.
Institutions should record and review audit trails and logs of system
and security administrator activities to control the risk exposure. Additional
information on this topic is available in the IT Handbook’s “Operations
Booklet.”
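The review of administrator audit trails called for above is only useful if someone actually reads the log and knows what to look for in it. The script below is an added example, not from the handbook or any vendor: it parses a constructed sudo-style audit trail and flags the entries a reviewer would want to see first, such as account creation, deletion of log files, changes to the audit configuration, reads of the credential store, and privileged commands run outside an assumed 08:00 to 18:00 change window. The log format, the rule set, and the change window are all assumptions.

```python
"""Review an audit trail of administrator activity and flag the entries that
deserve a second look.  Added example; the log lines are constructed in a
sudo-like syslog format, and the rules and change window are assumptions
about what one institution might treat as high risk."""
import re

# Constructed sample of a syslog/sudo-style audit trail (not real data).
AUDIT_TRAIL = """\
2024-06-03T09:12:04 host1 sudo: asmith : TTY=pts/0 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
2024-06-03T09:40:51 host1 sudo: dlopez : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/sbin/useradd -m -G wheel tmpadmin
2024-06-03T23:58:17 host1 sudo: dlopez : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/rm -f /var/log/secure
2024-06-04T02:15:33 host2 sudo: asmith : TTY=pts/0 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
2024-06-04T10:02:09 host2 sudo: asmith : TTY=pts/0 ; PWD=/home/asmith ; USER=root ; COMMAND=/usr/bin/vi /etc/audit/auditd.conf
"""

# Assumed line layout: "<ts> <host> sudo: <admin> : ... USER=<target> ; COMMAND=<cmd>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sudo: (?P<admin>\S+) : .*?"
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

CHANGE_WINDOW = (8, 18)   # assumed approved hours for routine privileged work

# Assumed review rules: (label, predicate over a parsed entry).
RULES = [
    ("account creation",      lambda e: re.search(r"\b(useradd|adduser)\b", e["cmd"])),
    ("log tampering",         lambda e: re.search(r"\b(rm|truncate|shred)\b.*/var/log/", e["cmd"])),
    ("audit config change",   lambda e: re.search(r"/etc/audit/", e["cmd"])),
    ("credential store read", lambda e: re.search(r"/etc/shadow\b", e["cmd"])),
    ("outside change window", lambda e: not (CHANGE_WINDOW[0] <= int(e["ts"][11:13]) < CHANGE_WINDOW[1])),
]


def parse_audit_trail(text):
    """Parse each line into a dict of fields; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def review_admin_activity(text):
    """Return (timestamp, admin, command, [matched rule labels]) for every entry
    that hits at least one rule.  Routine activity is not reported, so the
    reviewer sees only the exceptions."""
    flagged = []
    for e in parse_audit_trail(text):
        hits = [label for label, pred in RULES if pred(e)]
        if hits:
            flagged.append((e["ts"], e["admin"], e["cmd"], hits))
    return flagged


if __name__ == "__main__":
    for ts, admin, cmd, hits in review_admin_activity(AUDIT_TRAIL):
        print(f"{ts} {admin:8} {', '.join(hits):45} {cmd}")
```

On the constructed trail the nginx restart during business hours passes silently, while the four remaining entries are reported with the reasons they matched. Two design points matter for a real deployment: the log must be shipped to a store the administrators being reviewed cannot modify (otherwise the "log tampering" rule watches a file the subject controls), and rule output should go to someone other than the administrators themselves, which is the independence the handbook's segregation-of-duties requirement is asking for.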
OUTSOURCING RISK MANAGEMENT
Financial institutions increasingly rely on service providers, software
vendors, and other third parties. Complex institutions often have an institution-wide
vendor management program that encompasses all of these relationships.
IT departments can contract with third parties for a large number of services
including data processing, software development, equipment maintenance,
business continuity, data storage, Internet access, and security management.
The board of directors and senior management are responsible for ensuring
appropriate oversight of outsourced relationships. Technology needed to
support business objectives is often a critical factor in deciding to
outsource. Managing such relationships is not just a technology issue;
it is an enterprise-wide corporate governance issue. An effective outsourcing
oversight program should provide the framework for management to understand,
monitor, measure, and control the risks associated with outsourcing. The
board and senior management should develop and implement enterprise-wide
policies and procedures to govern the outsourcing process including establishing
objectives and strategies, selecting a provider, negotiating the contract,
and monitoring the outsourced relationship.
Some factors institutions should consider or address include:
- Ensuring each outsourcing relationship supports the institution’s overall objectives and strategic plans;
- Evaluating prospective providers based on the scope and criticality of outsourced services; and
- Tailoring the enterprise-wide service provider monitoring program based on an initial and ongoing risk assessment of outsourced services.
The
time and resources devoted to effectively manage outsourcing relationships
will depend on several factors, such as the criticality of outsourced
processes, staff knowledge, and complexity of systems.
Detailed information on this topic is available in the IT Handbook’s
“Outsourcing Technology Services Booklet.”