Action Summary

Financial institutions should establish appropriate maintenance methodologies. The methodologies should match a project's characteristics and risks and require appropriate:

  • Project planning;
  • Maintenance standards and procedures;
  • Major, routine, and emergency change controls;
  • Patch management controls;
  • Involvement by all affected parties;
  • Documentation standards;
  • Library and utility controls; and
  • Quality assurance and risk management standards and procedures.


Maintenance activities include the routine servicing and periodic modification of hardware, software, and related documentation. Hardware modifications are periodically required to replace outdated or malfunctioning equipment or to enhance performance or storage capacities. Software modifications are required to address user requirements, rectify software problems, correct security vulnerabilities, or implement new technologies. Documentation maintenance is necessary to maintain current, accurate, technology-related records, standards, and procedures.

Failure to implement appropriate change controls can result in operational disruptions or degrade a system's performance or security. Change controls (sometimes referred to as configuration management) involve establishing baseline versions of products, services, or procedures and ensuring all changes are approved, documented, and disseminated. Change controls should address all aspects of an organization's technology environment including software programs, hardware and software configurations, operational standards and procedures, and project management activities.

Change controls can be applied universally to all systems and environments or stratified to particular systems, business lines, support areas, etc. Stratified procedures are often necessary to address the distinct control requirements of mainframe, network, and client/server environments, operating and application programs, and development and acquisition projects.

Management should establish detailed change control standards and procedures to ensure technology related modifications are appropriately authorized, tested, documented, implemented and disseminated. The characteristics and risks of a system, activity, or change should dictate the formality of the change controls. Quality assurance, security, audit, network, and end-user personnel should be appropriately involved in the change process.


Previous Section
Restrictions on Adverse Comments
Next Section
Major Modifications