III.D Monitoring and Reporting
Financial institution management should ensure satisfactory monitoring and reporting of IT activities and risk. These practices should include the following:
- Developing metrics to measure performance, efficiency, and compliance with policy.
- Developing benchmarks for reviewing performance.
- Establishing and reviewing service level agreements (SLA) with critical third-party providers.
- Developing, implementing, and monitoring a process to measure IT compliance with established policies, standards, and practices.
- Evaluating the effectiveness of mitigation strategies and controls.
- Implementing a quality control or quality assurance program to monitor and test systems and applications.
- Implementing timely and effective reporting processes.
Risk monitoring provides information about the effectiveness of risk mitigation activity and should address changing threat conditions in both the financial industry and in organizations that use similar technology. Risk monitoring is ongoing within the lines of business and should include reviews of metrics (e.g., threat intelligence), performance benchmarks, SLAs, and compliance with internal policies. In addition, as part of the monitoring process, institution management should review the effectiveness of controls and ensure that quality assurance and control practices are appropriately included. Management should ensure that there is clear assignment of responsibilities and accountability for both monitoring and escalation procedures. Management should also develop an IT risk reporting process that includes defined reporting channels to ensure accurate, timely, and relevant reporting to appropriate levels of management.
III.C.8 Third-Party Management