Procedures describe the processes used to meet the requirements of the institution's IT policies and standards. Management should develop written procedures for an institution's critical operations. Procedures establish accountability and responsibility, provide specific controls for risk management policy guidance, define expectations for work processes and products, and serve as training tools. Because of the value procedures provide to these areas, management should update and review written procedures regularly. Updating written procedures is particularly important when processes, hardware, software, or configurations change.

The scope of required procedures depends on the size and complexity of the institution's IT operations and the variety of functions performed by IT operations. Examples of activities or functional areas where written procedures are appropriate include:

  • Console operations or run manuals - mainframe and midrange systems;
  • Network administration;
  • Telecommunication administration;
  • Data storage administration;
  • Data library administration;
  • Equipment maintenance;
  • Problem management or incident response;
  • Business continuity planning, disaster recovery, and emergency procedures;
  • Security - physical and logical;
  • Change management and change control;
  • Data and system back-up and off-site storage;
  • Imaging;
  • Item processing;
  • Balancing and reconciliation;
  • Output control;
  • Job scheduling; and
  • Negotiable instruments.

