III.C Risk Mitigation
Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following:
- Establishing, implementing, and enforcing IT policies, standards, and procedures.
- Documenting policies for hiring and training personnel.
- Implementing internal controls for information security risks.
- Establishing and implementing effective cybersecurity controls.
- Developing and testing formal business continuity plans.
- Establishing and implementing a well-managed and controlled software development and acquisition function.
- Controlling, managing, and monitoring an IT operations function.
- Reviewing insurance for IT operations, including cyber insurance.
- Developing an effective third-party management program.
Risk mitigation is the process of reducing risks through the introduction of specific controls. Risk mitigation decisions are implemented through the use of controls or risk transfer. Risk transfer can be accomplished through mechanisms such as insurance. After implementing controls or transferring the risk, management should determine the level of residual risk, or the risk that cannot be fully mitigated or avoided. Both controls and risk transfer should be considered when evaluating whether a residual risk is within the financial institution's risk appetite. Risk appetite is the amount of risk a financial institution is prepared to accept when trying to achieve its objectives.
Controls are implemented in financial institution activities and may be performed either manually by staff or through automated systems. Controls can be classified by timing (preventive, detective, corrective) or nature (administrative, technical, physical). Refer to the IT Handbook's "Information Security" booklet for more information. The IT department generally implements controls within the institution for assets that are under the IT department's control. Non-IT-related controls implemented elsewhere in the financial institution should be coordinated with the IT department to ensure their adequacy.
Controls should be evaluated for effectiveness against identified threats or vulnerabilities. Evaluation typically is accomplished by tools that supplement and complement assurance and audit activities. Two examples of tools used are control self-assessments and scenario analysis. Control self-assessments, used internally to assess the effectiveness of ITRM processes and related controls, typically are performed by departments or lines of business periodically testing and validating their controls. Scenario analysis is a process of analyzing possible future events by considering alternative outcomes. It can be a valuable tool for gaining an overall understanding of the exposure to existing, expected, and plausible (including potentially severe) events, as well as the robustness of-or gaps in-controls or other risk mitigation.
Additionally, a control self-assessment should encompass external requirements, such as laws, regulations, and widely accepted control standards and practices. Examples of widely accepted industry standards include National Institute of Standards and Technology (NIST) publications, the Control Objectives for Information and Related Technology (COBIT) framework, and the Information Technology Infrastructure Library (ITIL). Failure to comply with external requirements, whether in law, regulation, or contract, can result in compliance risk as well as strategic, reputation, or other risks. Conformance with widely accepted control standards and practices can demonstrate due care in the operation of IT and potentially reduce operational risk.
Conformance with external requirements alone is not sufficient to ensure that the overall ITRM process is adequate. The ITRM process encompasses risk posed by the operation of the financial institution in its specific internal and external environment. Accordingly, the ITRM process should consider whether the IT control structure, when combined with controls outside the IT systems, adequately mitigates risk associated with the use of IT.
III.B Risk Measurement
III.C.1 Policies, Standards, and Procedures