To effectively identify, assess, monitor, and manage the risks associated with IT operations, management should have a comprehensive understanding of the institution's operations universe. Technology is increasingly embedded in business lines, in functional support areas, at the physical location of a business partner or affiliate, or at multiple data centers. An environmental survey allows the institution to gain an enterprise-level view by documenting resources, physical locations, hardware and software configurations, and interfaces and interdependencies. The survey should track the capture, processing, flow, and storage of data throughout the institution. As an integral part of the environmental survey, management should perform and maintain an inventory of information technology assets.
With a comprehensive understanding of the institution's technology environment, management can promote resource allocation, appropriate capital expenditures, and adequate support for business activities, customer service, and product delivery. More narrowly, this understanding will facilitate cost control, configuration and standards management, root cause and problem analysis, prevention of loss or misuse of corporate resources, and license management. Management will also be able to control the purchasing process and prevent the introduction of unauthorized software and hardware. A thorough environmental survey and inventory also serve as the foundation for managing and monitoring daily operations. The survey and inventory provide information vital to the assessment of other important control processes such as information security, business continuity planning, and outsourcing risk management.
Management should ensure documentation of the technology environment is current, appropriate to the size and complexity of the institution, and prioritized based upon the criticality of the function supported and the location of equipment. Regardless of institution size, management should possess a basic inventory of resources as well as a topology or network map. For large, complex institutions, documentation should provide an overview with sufficient detail describing subordinate processes and systems. As an alternative to detailed documentation, there are also network management tools available to create a database or an electronic repository of inventory and topology information. Smaller and less complex institutions may be able to operate with less detailed or sophisticated documentation, but should nonetheless be responsible for understanding the inventory and topology of their IT environment. As the size and complexity of the institution increases, documentation should expand to include business processes and data flow maps. Management should ensure the survey and inventory are updated on an on-going basis to reflect the institution's technology environment at any point in time.