I.B.1 IT Risk Management Structure

The institution should have an adequate ITRM structure. Depending on the size and complexity of the financial institution, this structure can take different forms. In a large or complex institution, the ITRM function may be an independent business unit. Some agencies have guidance on ITRM for larger, more complex financial institutions. In a small or less complex institution, ITRM may be integrated with functional areas, such as information security, business continuity planning, third-party management, and regulatory compliance. Internal audit, specifically IT audit, can provide independent assurance on the effectiveness of risk management, but should not be responsible for its implementation. Regardless of the structure used, management should ensure that lines of authority are established for enforcing and monitoring controls.

