Board-approved governing policies provide broad guidance in addressing risk tolerance and management. Policies should address key areas such as personnel, capital investment, physical and logical security, change management, strategic planning, and business continuity. The depth and coverage of IT operations policies will vary based on institution size and complexity. Small, noncomplex institutions often embed IT policy in a variety of other policies or create one central guiding document. Larger, complex institutions often segregate policies based on business lines or other operational divisions. Boards of directors and management should enact policies and procedures sufficient to address and mitigate the risk exposure of their institutions.
Policies, Standards, and Procedures