Booklet: Operations
Section: Risk Mitigation and Control Implementation
Subsection: Policies, Standards, and Procedures
POLICIES
Board-approved governing policies provide broad guidance in addressing
risk tolerance and management. Policies should address key areas such
as personnel, capital investment, physical and logical security, change
management, strategic planning, and business continuity. The depth and
coverage of IT operations policies will vary based on institution size
and complexity. Small, noncomplex institutions often embed IT policy in
a variety of other policies or create one central guiding document. Larger,
complex institutions often segregate policies based on business lines
or other operational divisions. Boards of directors and management should
enact policies and procedures sufficient to address and mitigate the risk
exposure of their institutions.
STANDARDS
Internally developed technology standards establish measurable controls
and requirements to achieve policy objectives. Technology standards benefit
an institution by defining and narrowing the scope of options and enabling
greater focus by the supporting IT resources.
Standardization of hardware, software, and the operating environment offers
a number of benefits and greatly facilitates the implementation and maintenance
of “enterprise architecture.” Standardization of hardware
and software (including configurations and versions) simplifies the task
of creating and maintaining an accurate survey and inventory of the technology
environment. It can also improve IT operations performance, reduce IT
cost (particularly in acquisition, development, training, and maintenance),
allow the leveraging of resources, enhance reliability and predictability,
contribute to improved interoperability and integration, reduce the time
to market for projects that involve technology re-configuration, and alleviate
complexity in technology risk management.
The degree to which an institution standardizes its hardware and software
is a business decision. Management should weigh the benefits of standardization
against the competing benefits offered by “best of breed”
technology solutions. Management should also consider that certain applications
will not function effectively on the “standard” platform,
or that hardware will not function properly in a “standard”
configuration. Institutions should adopt minimum technology standards
to leverage purchasing power, ensure interoperability, provide for adequate
information systems security, allow for timely recovery and restoration
of critical systems, and ease the burden of maintenance and support.
Management should implement hardware, operating system, and application
standardization through policies that address every platform from host
to end user. A variety of automated systems and network management tools
are available to monitor and enforce standards and promote version control
in the mainframe, server, and desktop environments. Standardization is
also enforced through the change management process and internal audits.
PROCEDURES
Procedures describe the processes used to meet the requirements of the
institution’s IT policies and standards. Management should develop
written procedures for an institution’s critical operations. Procedures
establish accountability and responsibility, provide specific controls
for risk management policy guidance, define expectations for work processes
and products, and serve as training tools. Because of the value procedures
provide to these areas, management should update and review written procedures
regularly. Updating written procedures is particularly important when
processes, hardware, software, or configurations change.
The scope of required procedures depends on the size and complexity of
the institution’s IT operations and the variety of functions performed
by IT operations. Examples of activities or functional areas where written
procedures are appropriate include:
- Console operations or run manuals – mainframe and midrange systems;
- Network administration;
- Telecommunication administration;
- Data storage administration;
- Data library administration;
- Equipment maintenance;
- Problem management or incident response;
- Business continuity planning, disaster recovery, and emergency procedures;
- Security – physical and logical;
- Change management and change control;
- Data and system back-up and off-site storage;
- Imaging;
- Item processing;
- Balancing and reconciliation;
- Output control;
- Job scheduling; and
- Negotiable instruments.