This booklet is one in a series that comprise the Federal Financial Institutions Examination Council (FFIEC) Information Technology Handbook (IT Handbook). It provides guidance to examiners and financial institutionsThis booklet uses the terms "institution" and "financial institution" to describe insured banks, thrifts and credit unions, as well as technology service providers that provide services to such entities. on risk management processes that promote sound and controlled operation of technology environments. Information is one of the most important assets of an institution, and information technology (IT) operations should process and store information in a timely, reliable, secure, and resilient manner. This booklet addresses IT operations in the context of tactical management and daily delivery of technology to capture, transmit, process, and store the information assets and support the business processes of the institution. The examination procedures contained in this booklet assist examiners in evaluating an institution's controls and risk management processes relative to the risks of technology systems and operations that reside in, or are connected to the institution. This booklet rescinds and replaces Chapters 13 "Operations" and 17 "Document Imaging" of the 1996 FFIEC Information Systems Examination Handbook.
The evolving role technology plays in supporting the business function has become increasingly complex. IT operations-traditionally housed in a computer data center with user connections through terminals-have become more dynamic and include distributed environments, integrated applications, telecommunication options, Internet connectivity, and an array of computer operating platforms. As the complexity of technology has grown, the financial services industry has increased its reliance on vendors, partners, and other third parties for a variety of technology solutions and services. Institutions will frequently operate or manage various IT resources from these third-party locations.
The guidance in this booklet covers the risks and expected controls in IT operations and across the institution. It also emphasizes that risks involve more than IT technology and that controls include sound processes and well-trained people. Effective support and delivery from IT operations has become vital to the performance of most critical business lines in the institution. Therefore, IT management should work with business line management and end users to determine and deliver appropriate service levels.
Each section of the booklet begins with an "Action Summary" that summarizes the major themes in that section. The action summary is not a substitute for reading the entire booklet; however examiners can use the action summaries to review the most important points discussed in each section.
The concepts and principles in this booklet are applicable to complex core operations at centralized data center locations, distributed operations at lines of business, microcomputers used as stand alone processors, support functions, and affiliates under the enterprise umbrella. They are also applicable to smaller or less complex technology operations at community banks. The FFIEC member agencies expect institution management to implement controls across the institution to mitigate IT operations-related risk consistent with the nature and complexity of the institution's technology environment.
Institutions developing or reviewing their operational controls, procedures, standards, and processes have a variety of third-party sources to draw on for additional guidance, including outside auditors, consulting firms, insurance companies, industry and trade groups, and other technology professionals. In addition, many national and international organizations have developed guidelines and best practices. These guidelines and best practices provide benchmarks institutions can use to develop sound practices. The following organizations are a sample of standard-setting groups.
- The National Institute of Standards and Technology (NIST) at www.nist.gov.
- The International Organization for Standardization (ISO) Information technology at www.iso.org.
- The Information Systems Audit and Control Association (ISACA) - Control Objectives for Information Technology (COBIT), at www.isaca.org/cobit.htm.
- The Institute of Internal Auditors, at www.theiia.org.
- The Committee of Sponsoring Organizations (COSO) of the Treadway Commission at www.coso.org.
The inclusion of these organizations in this booklet should not convey that the FFIEC endorses or approves their guidelines or guarantees the content or accuracy of the information they provide.
Roles and Responsibilities