|
Booklet:
Operations Section: Risk Identification Subsection: |
|||||||||||||||||||||||||||
|
|
|||||||||||||||||||||||||||
Action Summary
ENVIRONMENTAL
SURVEY
To effectively identify, assess, monitor, and manage the risks associated
with IT operations, management should have a comprehensive understanding
of the institution’s operations universe. Technology is increasingly
embedded in business lines, in functional support areas, at the physical
location of a business partner or affiliate, or at multiple data centers.
An environmental survey allows the institution to gain an enterprise-level
view by documenting resources, physical locations, hardware and software
configurations, and interfaces and interdependencies. The survey should
track the capture, processing, flow, and storage of data throughout the
institution. As an integral part of the environmental survey, management
should perform and maintain an inventory of information technology assets.
With a comprehensive understanding of the institution’s technology
environment, management can promote resource allocation, appropriate capital
expenditures, and adequate support for business activities, customer service,
and product delivery. More narrowly, this understanding will facilitate
cost control, configuration and standards management, root cause and problem
analysis, prevention of loss or misuse of corporate resources, and license
management. Management will also be able to control the purchasing process
and prevent the introduction of unauthorized software and hardware. A
thorough environmental survey and inventory also serve as the foundation
for managing and monitoring daily operations. The survey and inventory
provide information vital to the assessment of other important control
processes such as information security, business continuity planning,
and outsourcing risk management.
Management should ensure documentation of the technology environment is
current, appropriate to the size and complexity of the institution, and
prioritized based upon the criticality of the function supported and the
location of equipment. Regardless of institution size, management should
possess a basic inventory of resources as well as a topology or network
map. For large, complex institutions, documentation should provide an
overview with sufficient detail describing subordinate processes and systems.
As an alternative to detailed documentation, there are also network management
tools available to create a database or an electronic repository of inventory
and topology information. Smaller and less complex institutions may be
able to operate with less detailed or sophisticated documentation, but
should nonetheless be responsible for understanding the inventory and
topology of their IT environment. As the size and complexity of the institution
increases, documentation should expand to include business processes and
data flow maps. Management should ensure the survey and inventory are
updated on an on-going basis to reflect the institution’s technology
environment at any point in time.
TECHNOLOGY INVENTORY
Hardware
The hardware inventory should be comprehensive. In addition to identifying
institution-owned assets, it should also identify equipment owned by other
parties but located within the environment. To the extent possible, hardware
items should be marked with a unique identifier, such as a bar code, tamper-proof
tag, or other label. The inventory should encompass stand-alone computing
devices, including:
|
|
Environmental control terminals; |
|
|
Physical access control systems; |
|
|
Service-provider-owned equipment, such as automated teller machine (ATM) administrative terminals; |
|
|
FedWire/Fedline terminals; |
|
|
Bank customer-owned equipment; |
|
|
Vendor-owned equipment; |
|
|
Personal computers (PCs); |
|
|
Mainframes; and |
|
|
Servers. |
The following are examples of useful information to capture in hardware inventories:
|
|
Mainframe, midrange or server: | |
 |
Vendor and model; | |
|
Processor capacity in million instructions per second (MIPS); | |
|
Core or main memory; | |
|
Storage (internal and external tapes, tape silos, direct access storage device (DASD), etc.); | |
|
Function; and | |
|
Location. | |
|
|
Desktop or stand-alone computing devices: | |
|
Vendor and model; | |
|
Owner and purpose; | |
|
Network connectivity (not applicable to stand-alone); | |
|
Dial-out capability; and | |
|
Location. | |
|
|
Network devices: | |
|
Vendor and model; | |
|
Type; | |
|
Native storage (random access memory); and | |
|
Internet protocol (IP) address. | |
|
|
Item processing equipment: | |
|
Vendor and model; and | |
|
Type. | |
Inventories of telecommunication equipment should contain similar information and should document use and connectivity. This is especially important when an institution uses either private branch exchanges (PBX) or voice over Internet protocol (VOIP) to provide voice and data connectivity. Inventories of telecommunications interconnections should include the following information:
|
|
Number and configuration of trunks; | |
|
|
Circuit numbers; | |
|
|
Entry points to the premises; | |
|
|
Central office connectivity; | |
|
|
Types of service supplied, including: | |
|
POTS – plain old telephone service; | |
|
SONET – synchronous optical network; | |
|
ISDN – integrated services digital network; | |
|
Frame relay; and | |
|
Wireless. | |
SOFTWARE
There are at least three major categories of software institutions should
include in the software inventory: operating systems, application software,
and back-office and environmental applications. Application software includes
core processing applications, as well as desktop and workstation office
productivity software. Back-office and environmental software consists
of applications that reside above the operating system and that support
primary applications. Examples of back office and environmental software
include database engines, back-up and storage management software, Internet
servers and application support software, file transmission systems, system
performance monitoring applications, scheduling and change control systems,
utilities, front-end processors (for mainframes only), and problem and
issue tracking software.
The following provides examples of information to capture in software
inventories:
|
|
Type or application name (e.g. general ledger, payroll); |
|
|
Manufacturer or vendor; |
|
|
Serial number; |
|
|
Version level; |
|
|
Patch level; |
|
|
Number of copies installed; |
|
|
Number of licenses owned; and |
|
|
Types of licenses owned (e.g. site, individual). |
NETWORK
COMPONENTS AND TOPOLOGY
The institution’s network infrastructure is critical to all facets
of business operations. Voice and data communication networks form the
backbone for information sharing and data transfer and facilitate tight
integration of technology systems. In addition to maintaining a complete
inventory of hardware and software connected to and operating on the network,
management should also fully document the network configuration.
Depending on the size and complexity of the institution’s network,
management should develop and maintain high-level topologies that depict
wide area networks (WANs), metropolitan area networks (MANs), and local
area networks (LANs). The topologies should have sufficient detail to:
|
|
Facilitate network maintenance and troubleshooting; |
|
|
Facilitate recovery in the event of a disruption; and |
|
|
Plan for expansion, reconfiguration, or addition of new technology. |
Topologies should also:
|
|
Identify all internal and external connectivity (including Internet and modems); |
|
|
Describe the type of connectivity (digital subscriber line (DSL), dialup, cable modem, wireless); |
|
|
Note the bandwidth of connectivity within and between network segments; |
|
|
Identify and describe encrypted or otherwise secure communication channels; |
|
|
Depict the type and capacity of network segment linkages (switches, routers, hubs, gateways, etc.); |
|
|
Portray information security systems (firewalls, intrusion detection systems, and hacker-trapping “honey pots”); |
|
|
Identify primary vendors of telecommunications services; and |
|
|
Identify what information is available and where it resides |
The
network topology should be a technical blueprint of the network structure.
Management should collect other important network documentation. Institutions
should identify and document the type, location, and volume of information
stored and transmitted on their networks. Management should develop a
complete description of all network management tools and network administration
console capability.
Management should also develop data flow diagrams to supplement its understanding
of information flow within and between network segments as well as across
the institution’s perimeter to external parties. Data flow diagrams
should identify:
|
|
Data sets and subsets shared between systems; |
|
|
Applications sharing data; and |
|
|
Classification of data (public, private, confidential, or other) being transmitted. |
Data
flow diagrams are also useful for identifying the volume and type of data
stored on various media. In addition, the diagrams should identify and
differentiate between data in electronic format, and in other media, such
as hard copy or optical images.
MEDIA
Documentation of storage media should complement network topologies and
hardware and software inventories without being redundant. Descriptive
information should identify the type, capacity, and location of the media.
It should also identify the location, type, and classification (public,
private, confidential, or other) of data stored on the media. Additionally,
management should document source systems, data ownership, back up frequency
and methodology (tape, remote disk, compact disc (CD), or other), and
the location of back-up media if other than at the primary off-site storage
facility.