• No results found

Information Technology Risk

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "Information Technology Risk"

Copied!
36
0
0

Loading.... (view fulltext now)

Download now ( 36 Page )

Full text

(1)

Information Technology Risk

Joint World Bank/Federal Reserve System

Seminar for Senior Bank Supervisors from

Emerging Economies

Adrienne Haden & Mike Wallas

Board of Governors of the Federal Reserve System November 5, 2002

(2)

Overview

Overview

Banking Risks

– Traditional Risk Elements – Technology Risk Elements

Internal Controls

Vendor Management/Outsourcing

Supervision Integration

Third Party Service Providers

(3)

Traditional Risk Elements

Traditional Risk Elements

SR 95-51 Rating the Adequacy of Risk Management Processes and Internal Controls

Credit

Market

Liquidity

Operational

Legal

Reputational

(4)

Technology Risk

Technology Risk

Elements

Elements

Management Processes

Architecture

Integrity

Security

Availability

SR 98-09 Assessment of Information Technology in the Risk-Focused Framework

(5)

Technology Risks

Technology Risks

Natural Disasters

Audit oversights

Inadequate Separation of Duties

Breaches of policies

Inadequate Password Administration

Systems Not Integrated

Data Center Burns

Web-jacking

Unauthorized Access

Denial of Service

(6)

SR 95-51

Credit Market Liquidity Operational Legal Reputational

SR 98-09

Management Process Architecture Integrity Security Availability Credit Collateral Interest Rate Foreign Exchange Commodities Funding Fire,floods,accidents Theft,Fraud Operations and Administration Errors Fiduciary Regulatory Political Social

Risk Relationships

(7)

Defining IT Risk

Defining IT Risk

Management Process

Architecture

Integrity

Security

Availability

(8)

Management Processes

Management Processes

• Management processes involve planning, investment, development, execution, and staffing of information technology functions.

• Should be consistent with the organization’s mission and business objectives.

• Strategic planning

• Management

– reporting – succession

(9)

Architecture

Architecture

• Architecture refers to the underlying design of an information system and its individual

components.

• Physical and logical architecture

• Individual components

• Meets current & long term business objectives

• Address capacity requirements

(10)

Integrity

Integrity

• Integrity refers to reliability, accuracy, and completeness of information delivered to users.

• An effective level of integrity is measured by: – accuracy

– completeness

• Insufficient integrity could adversely affect – day-today reliability,

– processing performance,

– input and output accuracy, and – ease of use of critical information.

(11)

Security

Security

• Security refers to safety afforded in

information assets and the information processing environments,

• Commensurate with the value of the assets.

• Addresses physical and logical security

• Prevents unauthorized access, modification, destruction or disclosure during creation,

processing, maintenance, storage, or transmission

(12)

Availability

Availability

• Availability refers to the delivery of

information to end-users, counter-parties.

• Effective when information is consistently delivered on a timely basis in support of business and decision-making processes.

• Measures of availability include:

– Capacity of information systems

– Appropriate business continuity planning processes

(13)

Regulatory Expectations for

Regulatory Expectations for

Business Continuity Planning

Business Continuity Planning

è Comprehensive - address all critical functions of the organization.

è Ensure business processes as well as information systems are considered

è Includes critical operations supported by external service providers.

è Test all critical components (at least annually)

(14)

All Aspects of the Organization

All Aspects of the Organization

Should be Considered

Should be Considered

è

Data centers, networks, service

providers, business units

è

Workspace, equipment, files, manuals,

supplies, forms

è

Communications

l internal/chain of command l external

(15)

Testing

Testing

è Current and clear test objectives

è Cover all key aspects of contingency plans and critical business functions

è Use only materials from off-site storage

è Minimum annual testing and analysis of results

è Timely resolution of test exceptions

è Test every significant change to environment

è Recovery time and point objectives defined

(16)

No Glaring Errors or

No Glaring Errors or

Omissions

Omissions

è

No recovery site

è

No transportation plan

è

Recovery site or off-site storage in

close proximity or inappropriate

location

è

No restoration time/capability goals

and objectives

(17)

Back

Back

-

-

up and Offsite Storage

up and Offsite Storage

è

Data back-up

è

Frequency

è

Storage location

l Safe distance from operation/data center l Environmental conditions should not

impact both locations

l Disruption should not impact both locations

(18)

Regulatory Guidance

Regulatory Guidance

/FFIEC Supervisory Policy 5

/Corporate Business Resumption and Contingency Planning

/FFIEC IS Handbook Chapter 10

/Business Continuity Planning Under

Revision

(19)

URSIT

URSIT

-

-

Support and Delivery

Support and Delivery

/Risk management practices should

promote continuity of operations and

availability of data.

/Support and delivery rating

(20)

Relating Technology Risks

Relating Technology Risks

to Traditional Risks

to Traditional Risks

Traditional Risk Elements Technology Risk Elements

(21)

Internal Controls

Internal Controls

• Policies and procedures

• Risk assessment

• Appropriate audit function

• Adequate reporting mechanisms

(22)

Policies and Procedures

Policies and Procedures

• Documented in writing

• Reviewed and approved by Board of Directors

• Appropriate to size and complexity of organization

(23)

Risk Assessment

Risk Assessment

Identification of critical

business lines or functions

Identification of risk to these

business lines

Prioritization

Reviewed in relation to

business objectives

(24)

Audit

Audit

Appropriate to the size and complexity

of the organization

Internal/External Audit

– Staffing

– Qualifications

(25)

Reporting

Reporting

Board of directors

Senior management

Business owners

End-users

Periodic and timely

basis

(26)

Vendor Management

Vendor Management

• Risk Assessment

• Selection of Service Provider

• Contracts

• Controls

• Ongoing Monitoring

• Information Access

(27)

Vendor Relationship Cycle

Vendor Relationship Cycle

Life Cycle Contingency Plan Manage Vendor Vendor Contract Vendor Selection

Objectives Contract Renewal

Plans to Disengage or Validate Products & Services Monitor Vendor

(28)

Why Do Banks Outsource?

Why Do Banks Outsource?

“Good Reasons” for Outsourcing: l Bank lacks scale to

implement technology independently

l Lack of technical skill sets in existing staff

l Complexities of implementing technology are a barrier to entry

l Pricing structures encourage banks to use partners

(29)

Background and Benefits

Background and Benefits

• Transfer of day to day management

• Include use of affiliates

• Activities include information technology, audit, loan review, EFT

• Reduced costs

(30)

Why Do Banks Outsource

Why Do Banks Outsource

?

?

Bad Reasons” for Outsourcing:

l

Bank management desires to move

operational risks to a service provider

l

Bank management perceives

that outsourcing eliminates risk

l

Outsourcing represents an

alternative to gaining technical

skills

(31)

Outsourcing

Outsourcing

• Risks

– Result from inadequate or ineffective vendor oversight

– Bank loses day-to-day control of the information processing function

– Bank’s needs and desire are not the sole driving force for the vendor or service provider

• Mitigation

– Appropriate vendor management programs

• Due diligence • Contracts

• Monitoring

• Periodic review

– User group membership

– Management and Board knowledge and understanding of the vendor relationship

(32)

Supervision Integration

Supervision Integration

Management Integrity Infrastructure Security Availability

Technology

Risks

Credit Market Liquidity Operational Legal Reputational

Traditional

Risks

Employees Customers Others Operations Lending Customer Service Internet Activities

Sources

of Risks

(33)

Risks, Ratings and Integration

Risks, Ratings and Integration

Traditional Risk Elements

CAMELS

IT Risk Elements

(34)

Integrated Supervision

Integrated Supervision

Risk-Based Approach:

• Increased emphasis on planning and on the organization’s risk management process.

• IT included in key business lines and business risks

• Insight into a bank’s ability to meet challenges

(35)

Third Party Service

Third Party Service

Providers

Providers

Interagency Examination Program:

• Multi-Regional Data Processing Service Providers (MDPS)

• Regional Service Providers

• Examination frequency based on

risk-ranked business lines and vendor specific assessments

• Uniform Rating System for Information Technology (URSIT)

(36)

Summary

Summary

Review

– Banking Risks

• Traditional Risk Elements • Technology Risk Elements – Internal Controls

– Vendor Management/Outsourcing – Integration

– Third Party Service Providers

Interagency Reference MaterialsQuestions

References

Download now ( PDF - 36 Page - 1.65 MB )

Related documents

Beliefs and attitudes of citizens in Germany towards smart surveillance and privacy

During the last part of the focus group sessions, issues relating to surveillance laws and regulations were discussed, including citizens' privacy rights with regards to their

Sketchy Micro

 Cryptococcus is an opportunistic infection that most commonly occurs in immunocompromised persons, especially those with HIV, malignancy, or those on high dose steroid

Transmission of Voice Signal: BER Performance Analysis of Different FEC Schemes Based OFDM System over Various Channels

In this paper, we investigate the impact of Forward Error Correction (FEC) codes namely Cyclic Redundancy Code and Convolution Code on the performance of OFDM wireless

UNITED STATES GOVERNMENT PRINTING OFFICE (GPO) CONCEPT OF OPERATIONS (CONOPS V2.0) FOR THE. FUTURE DIGITAL SYSTEM (FDsys)

Content Packages Submission Information Package (SIP) Access Content Package (ACP) Archival Information Package (AIP) Dissemination Information Package (DIP) Deposited

Taiwan Atayal children’s goal pursuit between the many faces of oppression: A reflection using anti-oppressive practice framework

Using the framework of anti-oppressive practice, this article addresses Indigenous youth in the early to middle adolescent years, beginning with personal stories illustrating

Functional association of cellular microtubules with viral capsid assembly supports efficient hepatitis B virus replication

Similar to nocodazole, treatment with cholchicine and vinblastine disrupted the microtubules-like fibriforms (Fig.  4B , panels b–d), and markedly impaired the capsid formation of

Upregulation of SMYD3 and SMYD3 VNTR 3/3 polymorphism increase the risk of hepatocellular carcinoma

The comparison of SMYD3 levels (A) among healthy controls and groups of patients according to HBV-related diseases, CHB, chronic hepatitis B; LC, liver cirrhosis without HCC;

Spider assemblages in floodplain forests along an urbanization gradient

Therefore, we studied the spiders based on three ecological traits (humidity prefer- ence, shade preference and disturbance sensitivity): the urban forest fragments become