III.C.6 IT Operations
Management should be aware of and mitigate risks associated with IT operations. The institution and its service providers may have one or more IT operations groups. The number and types vary across institutions. Common examples of IT operations are data center or computer operations, network services, distributed computing, personal or desktop computing, change management, project management, security, resource management, and contingency and resiliency planning.
Many operations functions carry significant risk factors that should be addressed through effective management and control. Rapidly evolving threats require an effective monitoring and response program to ensure that vulnerability remediation occurs in a timely manner. Ongoing business-driven changes to applications should be governed by effective change control programs to ensure that application updates are implemented in a timely manner. The institution should have controls over systems changes, including the following:
- Testing, authorization, and approval.
- Timing of implementation.
- Post-implementation review.
- Rollback or recovery of systems when changes are unsuccessful.
Refer to the IT Handbook's "Operations" booklet for more information.