It Risk

March 2018
IT Risk
Discussion Paper
DRAFTED BY
Marc ANDRIES, David CARTEAU, Sylvie CORNAGGIA,
Pascale GINOLHAC, Cyril GRUFFAT, Corinne Le MAGUER
CONTRIBUTORS
Roméo FENSTERBANK, Thierry FRIGOUT,
Pierre HARGUINDEGUY, Christelle LACAZE
EXECUTIVE SUMMARY
The emergence of cyber-attacks in recent years has heightened concerns about IT risk.
These concerns are not specific to the banking and insurance sectors, but they are of
particular relevance to these sectors, which are essential components of a properly
functioning economy and key actors in protecting public interests.
To address these concerns, the supervisory authorities have gradually ramped up their
actions in this field. International bodies have developed new IT risk rules, and authorities,
such as the ACPR, acting in particular within the framework of the European Single
Supervisory Mechanism for the banking system, have strengthened their supervision.
This discussion paper emphasises that IT risk management is no longer a topic specific
to IT teams, but must be part of an overall approach to risk control and risk management
coordinated by the risk management function. Therefore, the operational risk management
reference framework must be refined to more effectively include all aspects of IT risk
within the recognised categories of operational risk. Under such an organisation, the
management body must be directly involved in ensuring the alignment of its IT strategy
with its risk appetite, but also in implementing and monitoring the risk management
framework.
Based on their supervisory experience, the various departments of the ACPR have developed
a definition and classification of IT risk that cover its various aspects and enable treating
it globally. Institutions supervised by the ACPR can use this classification to develop or
reinforce their own risk map. This classification covers the three main processes applicable
to implementation and management of information systems, i.e. issues in relation to the
organisation, proper functioning and security of information systems. For each of these
major processes, this discussion paper describes a set of risk factors, which are examined
on two levels to enable a fairly detailed analysis. For each risk factor, the main expected
measures for mitigating and controlling risks are presented. These measures are optional
and institutions can tailor them to their specific context. They illustrate the best practices
usually observed by the ACPR and they aim to create a common ground for controlling IT
risk management in the banking and insurance sectors.
ACPR – Information technology risk 2

CONTENTS
4 Introduction
6 IT risk and its inclusion in operational risk

6 1 Regulatory status at the international level
7 2 The ACPR’s approach to defining and classifying IT risk
11 Organising the information system, including its security

12 1 Involvement of the management body
13 2 Alignment of IT strategy with the business strategy
14 3 Budget management
15 4 Roles and responsibilities of the IT and information security functions
16 5 Rationalisation of the information system
17 6 Control of outsourcing
19 7 Statutory and regulatory compliance
20 8 Risk management
23 Operating the information system (“build and run”)

24 1 Operations management (systems and networks)
25 2 Continuity of operations management
28 3 Change management (projects, upgrades, fixes)
30 4 Data quality
32 Securing the information system

33 1 Physical protection of facilities
33 2 Identification of assets
34 3 Logical protection of assets
39 4 Detection of attacks
41 5 Response to attacks
43 Appendix: Classification of IT risk

Introduction
F
or several years, many international including guidelines to be followed by
bodies have focused on the growing supervisory authorities for adopting a uni-
IT risk in the banking and insurance form approach to assessing institutions’ IT
sectors. This emphasis is driven by two risks. 2 The European Insurance and
observations. Firstly, institutions’ operations Occupational Pensions Authority (EIOPA3)
now rely entirely on automated information has published an issues paper on cyber
systems, including for customer relations,1 risk4 and has undertaken a review of this
and these environments have become com- risk in conjunction with major players in
plex to manage. Secondly, even when all the insurance sector.
1 This is at times referred to as
the “digitisation” of banking precautions are taken, IT damage is a
and insurance operations.
major risk for these institutions’ operations. Among the various IT risks, cybersecurity
2 EBA (2017): “Guidelines on
ICT Risk Assessment under the In particular, the capacity of cyber-attacks risks have been given particular attention
Supervisory Review and
Evaluation process (SREP)”, to cause harm has steadily increased in by several authorities. The G7 has adop-
11 May 2017.
recent years. Whereas, initially, these ted high-level, non-binding principles
3 In French Autorité européenne
des assurances et des pensions attacks focused primarily on customer intended to provide guidance and har-
professionnelles (AEAPP).
4 Drafted by its Insurance and

equipment and therefore were discrete monise actions in this area,5 and conti-
Reinsurance Stakeholder Group
(IRSG): “Cyber Risk – Some
events that caused little overall disruption, nues these actions on several fronts to
Strategic Issues” (April 2016). they now directly target institutions’ IT envi- encourage the efforts of regulators in
5 G7 (2016): “Fundamental
Elements of Cybersecurity for the
ronments and can have major conse- the sector. The Committee on Payments
Financial Sector”, October and
G7 (2017): “Fundamental
quences, including systemic impacts, due and Market Infrastructures (CPMI)6 of
Elements for Effective Assessment to the increasing interdependency between the Bank for International Settlements
of Cybersecurity in the Financial
Sector”, October. the various financial players. and the International Organisation of
6 Committee on Payments and
Market Infrastructures (CPMI).
Securities Commissions (IOSCO)7 have
7 International Organisation In response, the bodies that develop inter- published guidelines to improve the resi-
of Securities Commissions
(IOSCO). national standards applicable to the lience of market infrastructures to
8 CPMI-IOSCO (2016): banking and insurance sectors have begun cyber-attacks. 8 The Inter national
”Guidance on Cyber Resilience
for Financial Market to articulate their expectations vis-à-vis the Association of Insurance Supervisors
Infrastructures”, June.
industry. The European Banking Authority (IAIS) 9 has also published an issues
9 International Association
of Insurance Supervisors (IAIS). (EBA) has published several documents paper on cyber risk for the insurance
10 IAIS (2016): “Issues Paper prescribing standards in relation to the IT sector,10 which will be followed by an
on Cyber Risk to the Insurance
Sector”, August. risks to which the banking sector is exposed, implementation document.

Introduction
All of these documents explicitly or implicitly in the ECB’s actions by making its off-site
recognise IT risk as an operational risk, as supervisors available to the SSM’s joint
documented and then regulated by the Basel supervisory teams and by having onsite
Committee on Banking Supervision (BCBS) inspections performed by the Banque de
from 2003. However, the inclusion and France’s inspectors. In the areas in which
treatment of IT risk within operational risk it has direct authority, such as “less-signifi-
still needs to be clarified for the same treat- cant institutions”, other banking sector enti-
ment principles to apply thereto. ties (in particular, finance companies and
payment service providers) and insurance,
On their side, the supervisory authorities the ACPR also carries out numerous actions
have also significantly ramped up their in connection with its ongoing supervision
actions in the IT risk field. Starting in and onsite inspections. The constant increase
November 2014, when the European in IT risks is an ongoing challenge that
Central Bank (ECB) acquired direct super- requires expanded resources and skills.
visory powers over the largest banks of To meet this challenge, the ACPR has conti-
Euro-zone (“significant institutions”), assisted nued its training actions and supplemented
by national supervisory authorities compri- the dedicated onsite inspections teams with
sing the Single Supervisory Mechanism a network of around 20 IT risk experts.
(SSM), it immediately initiated several off-site These experts represent the ACPR in various
supervisory actions and onsite inspections. international bodies working on IT risk and
Assessment questionnaires focusing on cybersecurity issues.
cybersecurity and IT outsourcing practices
enabled a quick evaluation of the strengths This discussion paper was drafted by IT
and weaknesses of the sector, which led to experts from the ACPR’s network. It aims
corrective actions. Numerous onsite inspec- to focus attention on IT risk issues deemed
tions, usually conducted by the national significant, both in terms of recognising
authorities, supplemented the process and and reducing such risks. It is a contribution
provided precise information on actions to to the discussion on how IT risk controls
be carried out. should be incorporated into the operatio-
nal risk management framework. Firstly,
This approach was already well-established the paper proposes a definition of IT risk,
in France because, in 1996, the Commission which is viewed as part of operational
bancaire (Banking Commission) had publi- risk. Secondly, this definition is supple-
shed a White paper on the security of infor- mented by a proposal for classifying IT
mation systems in credit institutions and, risk in a manner that covers all aspects
since 1995, it has had a unit dedicated to in a coherent manner. For each factor
risks in relation to information systems within included in this classification, the paper
its onsite inspection teams. On the strength explains what it deems to constitute sound
of this experience, the ACPR participated risk management.

IT risk and its inclusion in operational risk
11 BCBS (2003): “Sound

Practices for the Management
and Supervision of Operational
Risk”, Basel Committee
Publications No. 96, February.
12 BCBS (2006): “International 1 Regulatory status flexible so as to cover a wide variety of
Convergence of Capital
Measurement and Capital at the international level organisations and enable institutions to
Standards”, June 2006 (Basel
Committee Publications apply it in a manner that is proportionate
No. 128).
The concept of operational risk, which was to the breadth and complexity of
13 Directive 2013/36/EU of
the European Parliament and of originally devised by the banking authori- their activities.
the Council of 26 June 2013 on
access to the activity of credit ties, was then adopted by the insurance
institutions and the prudential
supervision of credit institutions
industry authorities. Since 2003, the Basel None of these documents explicitly
and investment firms (CRD IV
Directive). Regulation (EU)
Committee for Banking Supervision has addresses IT risk, although the various
No. 575/2013 of the European
Parliament and of the Council of
steadily expanded its recommendations on authorities are in agreement that it should
26 June 2013 on prudential the management of operational risk.11 It be included under “process, personnel
requirements for credit institutions
and investment firms and has also added capital requirements to and system failures”, for example in the
amending Regulation (EU)
No. 648/2012 (CRR, Article 4). enable institutions to deal with operational case of IT system breakdowns or errors,
14 Directive 2009/138/EC of incidents they may experience.12 To cover or under “external events” in the case of
the European Parliament and of
the Council of 25 November the multiple facets of operational risk, the cyber-attacks. This was due to the original
2009 on the taking-up and
pursuit of the business of Basel Committee has adopted a broad defi- reasoning of the standards-setting autho-
insurance and reinsurance
(Solvency II). Article 13 (33) nition that includes internal failures and rities, which considered IT tools, and
defines operational risk as the
“risk of loss arising from external events, and focuses on the risk of information systems as a whole, to be
inadequate or failed internal
processes, personnel or systems financial loss, whether direct or indirect. components at the service of institutions’
or from external events”.
According to the Committee, operational businesses, rather than an essential
15 Article 10 of the Arrêté du
3 novembre 2014 on the risk covers any “risk of loss resulting from concern. Under this approach, the most
internal control of companies
operating in the banking, inadequate or failed internal processes, important risks are those specifically
payment services and investment
services sector subject to the people and systems or from external events”. related to business operations, such as
supervision of the ACPR defines
operational risk as “the risk of This definition, with slightly different wor- credit, market or insurance risks. An IT
loss due to inadequate or failed
internal processes, personnel
ding, is now included in various legislative failure is thus primarily viewed in terms
and systems or external events,
including legal risk. In
and regulatory frameworks, notably the of its consequence on the business of its
particular, operational risk
includes risks associated with
European directives governing the banking user. The recognition of operational risk
events with a low probability of sector13 and the insurance sector.14 It has in the 2000s was a breakthrough insofar
occurrence but significant
impact, the risks of internal and also been incorporated into the French as a qualitative treatment (risk manage-
external fraud defined in Article
324 of the aforementioned banking laws.15 This framework has been ment and internal control), and later a
Regulation (EU) No. 575/2013,
and model-related risks”. intentionally designed to be broad and quantitative treatment (capital

requirements), supplemented “business” not based on an internal control system.

risks and were extended to various events Furthermore, these standards are not
that could impact business support func- necessarily pertinent to the corporate
tions (including the IT function). The exten- governance system that the banking and
sive and in-depth business continuity work financial regulators require institutions to
carried out around 2005 also focused on put in place. Supervisory authorities will
more robust measures in this area to ensure that institutions’ IT risk manage-
improve fault tolerance, but did not ment framework is not entirely decided
change the general operational risk and deployed by the IT department, but
framework. Apart from a broad all-en- require that this aspect be properly inte-
compassing definition, operational risk grated into the general operational risk
continues to be classified into seven (dis- management framework.
cretionary) categories, none of which,
individually or combined, truly fit the 2 The ACPR’s approach to defining
varied aspects of IT risk.16 and classifying IT risk
The recent work focusing on IT risk is The ACPR General Secretariat has under-
therefore a significant development. There taken work to clarify the definition and
is a more explicit recognition of this risk treatment of IT risk. This cross-disciplinary
due to its growing and cross-disciplinary work, aimed at both the banking and
importance for all businesses. insurance sectors, was carried out by the
Nevertheless, although all regulators clas- ACPR’s network of IT experts. This work
sify it among operational risks, specific culminated in a definition and classifica-
guidance on defining and handling IT tion of IT risk intended to cover all aspects
risk has been slow to come. Accordingly, thereof. These elements are intended to
institutions have been given discretion in contribute to the work of various interna-
this area, but they must demonstrate that tional bodies, particularly in view of the
16 CRR, Article 324: internal they deal with all aspects of IT risk in Basel Committee’s revision of its Principles
fraud; external fraud;
employment practices and
accordance with the provisions applicable for the Sound Management of Operational
workplace safety; clients,
products and business practices;
to operational risk. This is not an easy Risk 18 and the IAIS’s revision of its
damage to physical assets;
business disruption and system
task. Banking and insurance institutions, Insurance Core Principles.
failures; execution, delivery and like all businesses, have long relied on
process management.
17 EBA (2011): “Guidelines on

sound IT management principles publi- Definition of IT risk
Internal Governance (GL44)”,
section E.30.2.2, September.
shed by various international standards
18 BCBS (2011): “Principles for bodies, such as the International At the outset, it seems important to have
the sound management of
operational risk”, June.
Organization for Standardization (ISO), a clear definition of IT risk that is pertinent
19 “Any risks that emanate to which some banking regulations them- from the standpoint of IT activities, as well
from the use of electronic data
and its transmission, including selves refer.17 However, these standards, as with respect to customary operational
technology tools such as the
internet and telecommunications
which have been developed by IT pro- risk analysis concepts. To date, there is
networks. It also encompasses
physical damage that can be
fessionals, do not share the conceptual no such definition in the regulations appli-
caused by cybersecurity
incidents, fraud committed by
framework established by banking and cable to the banking and insurance sec-
misuse of data, any liability financial regulators. The concepts of risk tors. The IAIS refers to a definition
arising from data storage, and
the availability, integrity and management, although similar, are not proposed by insurance sector professio-
confidentiality of electronic
information − be it related to exactly the same and, for example, are nals (The CRO Forum). 19 In 2014, the
individuals, companies,
or governments”.

EBA included a definition in its guidelines customary term “IT risk” has been chosen
on the Supervisory Review and Evaluation and covers these various other terms.
Process (SREP)20, which need to be sup- In addition, this paper discusses three
plemented in light of experience and main risk areas that have been chosen
knowledge acquired in this area. to structure the risk analysis and treat-
ment approach: organisation and gover-
nance, proper functioning and quality,
IT RISK and information system security. This
Information system also covers all IT management processes
Failure or
and comprehensively targets the risk
Inadequate Insufficient
disruption in the
sécurity
factors underlying IT risk. It also provides
organisation operations
a framework for classifying cyber risk.
This definition includes cybersecurity, but

Incident resulting in a loss
is not limited to it. Cybersecurity refers
to an approach designed to protect
The definition proposed in this paper against and respond to attacks against
aims to cover all aspects of risk, inclu- all or part of the information system, and
ding aspects in relation to information thus does not cover all IT risks. Therefore,
system governance and organisation. cybersecurity should be included in the
The ACPR’s definition is: “IT risk” (or approach to treating IT risk and not the
“information and communication tech- other way around. For its work, the ACPR
nology risk” (ICT) or “information system uses the definition of cybersecurity adop-
risk”) is the risk of loss arising from an ted by the ECB.
inadequate organisation, failure, or
insufficient security of the information According to this definition, “cybersecu-
system, which includes all systems equip- rity is the set of controls and organisa-
ment, networks and human resources tional measures, as well as the resources
devoted to processing the institution’s (human, technical, etc.) used to protect
information. This definition is consistent the components of the information system
with an operational risk approach and communication networks against all
because, if the risk is realised, it results logical attacks, whether carried out
in a loss (or near-miss, opportunity cost, through physical or logical security
undue gain or additional costs). This breaches. These controls and measures
definition is broad in scope and applies include prevention, detection and res-
20 EBA SREP GL (2014):
to the information system as a whole, ponse to any malicious IT activity targe-
“Information and communication
technology (ICT) risk” means the
i.e. its technical systems and organisa- ting components of the information
current or prospective risk of
losses due to the
tion, as well as the human resources system, and potentially affecting the
inappropriateness or failure of involved in data processing. It also confidentiality, integrity or availability
the hardware and software of
technical infrastructures, which applies regardless of the term used of systems and data, as well as the tra-
can compromise the availability,
integrity, accessibility and (information system risk, ICT risk or IT ceability of operations performed on
security of such infrastructures
and of data. risk). For reasons of convenience, the these systems and networks”.

Classification of IT risk
CYBERSECURITY
This proposed classification of IT risk
What is it?
categorises in an orderly manner all
Measures identified risk factors for the three IT
Technical and human macro processes: organising the infor-
means
mation system (including its security),
operating the information system (“build
Of what sort? and run”), and securing the information
Prevention system. Primary and secondary IT risk
Detection factors have been identified for each of
Response these three macro processes.
Against what? IT MACRO-PROCESSES GENRATING IT RISK

Malicious attempts against
the SI’s:
• confidentiality
Organising the information sytem
• integrity
• availability
• traceability Operating the information system
(“build and run”)
Securing the information system
QUESTION NO. 1 Organisation-related risk factors include

Do you think the definition of IT risk is situations of inadequate decision-making
suitable, or do you have any proposal and overall supervision, which can lead
to improve it? to poor IT management, inadequate sup-
port for business needs, and unsound
QUESTION NO. 2 management of IT risk in general.
Do you share the opinion that cyber-
risks fall in IT risks and that a Operation-related risk factors are conside-
comprehensive approach of all those red in the broad sense of the term, i.e.
risk is advisable? including operations and projects, business
continuity and data quality. They all focus

on factors that may affect the proper func- institution is no longer exposed to these IT
tioning of the information system and thus risks. It must therefore continue to identify
impact the ability of an institution to conduct and control these risks pursuant to its ope-
its business. In particular, the classification rational risk management framework and
includes the risks of inadequate supervision internal control system.
of projects and changes, business continuity
failures, and poor data quality (customer The sections that follow describe the risk
data, reports to be submitted to regulators factors included in the proposed classifica-
or reports specific to institutions not intended tion and the measures deemed to be of use
to be made public). or necessary to control them. These risk
factors are defined as events or situations
Lastly, security-related risk factors cover all that may increase the probability of IT risk.
malicious attacks that impact the availability, The measures to control these risk factors
confidentiality and integrity of data and that are described in this paper are obviously
systems managed by the institution. These not exhaustive or mandatory. The primary
include risk factors such as inadequate intent is to establish a common analysis
identification and protection of IT assets, framework for all institutions that will enable
deficient detection systems and weak res- them to adopt sound practices for managing
ponse capacity to attacks. these risks. The ACPR may also use these
measures as a basis for its contributions to
The proposed classification is set out in the work of the various international bodies
detail in the appendix hereto. It is more in which it participates.
granular than the current classification of
the Basel Committee on Operational Risk
and is intended to complement it. Institutions
are free to use their own classification or
to use the one proposed by the ACPR. In
all cases, the full range of risks identified QUESTION NO. 3
should be covered, unless not justified by Do you think the ACPR’s proposal for
their organisation or business model. In this the classification of IT risk is suitable,
regard, it is worth noting that if all or part or do you have any proposal to
of an institution’s information system is out- improve it?
sourced, this does not mean that the

Organising the information system,
including its security
I
nformation system organisation refers to applicable to the institution. Lastly, a sound
the macro process covering all deci- and prudent organisation requires a risk
sion-making actions (sometimes referred management system that includes internal
to as “governance”), coordination (such as controls. These organisational actions are
defining a “strategy” and allocating the also important for the security of the infor-
corresponding resources), the allocation of mation system.
responsibilities within the entity, as well as
the policies and actions implemented to The sections that follow explain the primary
ensure proper management of the informa- and secondary risk factors that may impact
tion system (for example by reducing its information system organisation and secu-
complexity), control of outsourced functions, rity, as well as the main measures to control
and compliance of IT tools with the laws these risks.
ORGANISING THE INFORMATION SYSTEM (INCL. INFORMATION SYSTEM SECURITY)
Provide roles and

Decisions
responsabilities of
of the Budget
IT strategy the IT and
management management
information
body
security functions
Rationalisation
Statutory
of the Control of Risk
and regulator
information outsourcing management
compliance
system

Organising the information system, including its security
1 Involvement future needs of the business lines and

of the management body support or control functions, and ensuring
they have the appropriate technological
Due to their technical nature, or for cultural resources when needed. Information
reasons, the “management body” (which system quality and control must be
is the European regulatory reference to included in strategic choices. If the mana-
both senior executives and boards or gement body inadequately understands
equivalent21 ) may be tempted to disregard these issues, there may be delays in
IT issues and choose to rely entirely on IT adapting to change or situations where
managers.22 However, if the IT managers control over the information system is
do not have an accurate vision of the not maintained.
overall issues the company faces, or if they
are not properly supervised, there is a risk It is therefore essential that senior execu-
that they may not be able to provide IT tives and independent directors unders-
ser vices that are adequate for the tand the information system development
company’s business. It is therefore important and management issues relevant to the
that corporate governance principles, proper functioning of their institution.
emphasising managerial responsibility and If they lack expertise in this area, they
fostering clear and transparent decision- should, for example, schedule working
making processes, also be applied to IT meetings with internal and external spe-
activities. In other words, the management cialists dedicated to these matters.
body, which is responsible for the proper
functioning of the institution, must be Inappropriate decisions
involved in decisions relating to the
information system and must ensure IT risks Appropriate involvement of the management
are controlled. body requires that it controls decisions rela-
ting to information system maintenance and
The ACPR’s IT experts have identified three upgrades. Otherwise, poor decisions may
risk factors generated by inadequate be taken, resulting in an inadequate infor-
involvement of the management body. mation system.
Although it does not have to be involved

in every decision, it is important that the
INVOLVEMENT OF THE MANAGEMENT BODY management body sets the policies appli-
cable to the information system. These
Inadequate understanding of issues
policy choices should be based on a
Inappropriate decisions solid risk analysis in line with the risk
21 In this document, the words management system and the risk appetite
“the management body” Insufficient monitoring
refer both to senior executives that has been approved. It is essential
(“Direction générale” in French)
and to the supervisory body that major decisions relating to the infor-
of the institution, like the Board
(“conseil d’administration” Inadequate understanding of issues mation system, which involve the business
or “conseil de surveillance”
in French, or any similar body). lines or may generate significant risk,
22 Or, more broadly, Maintaining and developing an infor- be taken by senior executives under the
on the Information Technology
Department. mation system requires anticipating the supervision of the board.

Insufficient monitoring Failure to anticipate business needs

and technological upgrades/issues/uses
If the management body does not closely
monitor the proper functioning and security IT upgrades often take several years and
of the institution’s information system, it will must be properly anticipated. Unless
be difficult to react quickly in the event of based on a specific strategy that combines
an operational or security incident. the variety of needs and foresees techno-
logical developments, upgrades to the
Complete information on quality, perfor- information system may be erratic and
mance, project schedules and security main- unable to service the institution’s require-
tenance indicators is therefore essential to ments in a timely manner.
enable the management body to fulfil its
responsibilities. These indicators should not Therefore, it is important for IT managers,
be monitored solely by IT managers. The in conjunction with the business lines and
management body can of course focus on with the approval of the management
regularly monitoring certain key indicators body, to formally adopt a genuine IT
that are deemed pertinent with respect to strategy in line with the institution’s strate-
the defined strategy, risk control or oversight gic objectives. To be pertinent, the IT
of a particular service. strategy must anticipate medium-term
needs and developments and set concrete
2 Alignment of IT strategy objectives for managing them. Ordinarily,
with the business strategy this should be the product of a formal
process that includes consultations with
Information technologies evolve constantly. the business lines and functions about
These developments can provide institu- their needs, and incorporates IT risk mana-
tions with new opportunities, but may also gement (e.g. risks in relation to complexity
generate new risks. IT strategy, including and security). Thereafter, its implementa-
with respect to security issues, is a com- tion should be closely supervised to ensure
ponent of institutions’ overall strategy. Its objectives are achieved, anticipate diffi-
objective is to meet the needs of the culties and make necessary adjustments.
business lines and support functions, but It is also important to update the strategy
it is also increasingly at the core of insti- annually to reflect new needs. If the ins-
tutions’ strategy to maintain or gain a titution is a member of a group, it is impor-
competitive advantage through the use tant that its strategy is consistent with that
of technological developments. If the ins- of its group.
titution does not define an IT strategy, or
if the strategy is not aligned with the needs Inadequate tools and service levels
of the business lines, the information sys-
tem may ultimately fail to meet the insti- If an institution has no IT strategy or if the
tution’s requirements, which could strategy is not pertinent, there is a risk that
compromise its ability to achieve its com- the IT department will not appropriately
mercial and financial objectives. The sec- take users’ needs into account and that the
tions below discuss the risk factors that institution will not be able to conduct its
have been identified in this area. business optimally.

It is therefore important to include users’ processes follow one another or are asso-
operational needs in strategic considera- ciated. Projects and maintenance should
tions, for example regarding the availability each receive a specific and well-identified
and security of environments. Obviously, budget allocation to avoid depriving
the strategy document will not describe either one of necessary funds. The
service levels with the same degree of detail resources made available should also
as a service level agreement (SLA). correspond to the deployment stages set
Nevertheless, it is important to conduct a out in the IT strategy.
global analysis of the institution’s operatio-
nal needs, for itself and for its customers Non-existent or insufficiently
and partners, so as to avoid compromising clear budget allocation
its business.
Without the required resources, the IT depart-
3 Budget management ment will be unable to properly manage the
information system. A documented process,
The budgetary process allocates the amounts binding on all departments of the institution,
required to implement the IT strategy that including those concerned with information
has been approved. These include expenses security, is essential to manage the process
(equipment, licences, services, training, of preparing and allocating IT budgets.
etc.) and human resources (internal or exter-
nal resources, including project manage- This process includes identifying functional
ment services). The budgets allocated must and technical requirements in relation to
then be monitored to make any necessary all applications, as well as those require-
adjustments or to redefine them if required. ments in relation to the operation of the
If the budget allocation process is not clearly information system and data security. Given
defined or if no such process exists, if the the life cycle of IT programs/projects,23 it
budget is not aligned with the strategy pre- is important to combine: (i) a multi-year
viously developed and/or if expenditures approach that allocates global budgets for
are not rigorously monitored, the financial large-scale programmes with (ii) an annual
resources available may not be used opti- approach that defines the budget for the
mally for the purposes of planned IT changes. coming year, including the share of major
programmes during the relevant year and
Inadequate budget alignment smaller projects that are considered a prio-
with strategy rity. It is important that all stakeholders be
involved in the process and that final deci-
The IT budget must enable implementation sions be taken by the management body.
of the IT strategy approved by the institu-
tion. If it is insufficient or allocated too late, Inappropriate oversight of expenditures
the strategy may not be implemented or
implementation may be delayed. Monitoring and controlling IT costs are essen-
tial to maximise the institution’s profitability,
23 In this paper, a programme
refers to a set of projects that are It is therefore advisable to make the two to report to the management body on the
coordinated in common due to
their highly complementary nature, processes consistent so as not to generate progress of projects and budget overruns and
which does not exclude individual
coordination of each project. discrepancies. Most frequently, the two to make any necessary adjustments.

Budget control requires monitoring overall able to interact directly with IT managers
expenditures, which is ordinarily done by who hold full and complete authority within
the financial function, as well as monitoring their remits.
by programme and by project, both on an
annual basis, against the allocation for the Therefore, the IT function should be in a posi-
year, and on a multi-year basis, against the tion to globally manage an institution’s infor-
budget originally attributed, adjusted, if mation system. Ordinarily, the IT department
necessary, after the programme or project includes the application development and
is launched. It is important that any budget maintenance teams, as well as the staff res-
overruns over a certain threshold be justified ponsible for operating system and network
and approved by the management body, or infrastructures. However, in some cases, the
that they be offset by management decisions. business lines and support functions have
A clear and up-to-date procedural framework their own development and maintenance
should provide for standardised procedures teams, and at times their own production
for managing expenditures, approving bud- teams, which may also be set up as IT depart-
get overruns, decision-making and informing ments. Accordingly, it is important that one
senior executives and the board. person be in charge of the IT function broadly
speaking, i.e. all teams, whether they are
4 Roles and responsibilities within the central IT department or the business
of the IT and information lines or functions. This manager must have
security functions full authority over the strategic directions of
the entire IT function, the overall budget, the
Although executive managers have full res- standards and procedures for ensuring sound
ponsibility for issues related to the informa- management and control of information sys-
tion system and its security, they need to tem risks. The head of the IT function should
rely on IT managers and their teams, who be sufficiently senior in the hierarchy, ideally
are referred to in this document as the “IT reporting directly to the management body,
function” and “information security func- to ensure that IT issues are properly considered
tion”. The information system will not be within the institution.
properly organised if these roles and res-
ponsibilities are not clearly defined and The information security function must also
allocated, if the managers’ skills profiles be clearly identified and granted full autho-
are not appropriate or if insufficient rity. This function, which is headed by the
resources are budgeted. chief information security officer (CISO),
originally focused on defining the information
Poorly defined, allocated or security policy, raising awareness of security
communicated roles and responsibilities issues among teams and contributing to risk
control, for example by conducting security
A clear division of responsibilities between studies or performing level-2 controls. During
the managers will facilitate efficient mana- its inspections, the ACPR has noted that this
gement of activities and avoid blockages. function is too often incorporated into the IT
As has been the case for other banking and function, whereas it is preferable that it be
insurance functions (risk, compliance), independent so as to enable it to give objec-
supervisors now increasingly expect to be tive opinions on IT security, as well as to

alert the management body of high-risk situa- 5 Rationalisation

tions. As cyber risks grow, the role of the of the information system
CISO becomes increasingly crucial and the
position should be placed high in the hie- Over time, information systems undergo
rarchy. Attaching it to the risk management significant development as new tools are
function is preferable in order to give it the constantly added and old ones are retained,
latitude to give independent opinions that at times partially. The information systems
prevail over those of the IT function and the of banking and insurance institutions are
business lines. Such positioning would be now vast sets of applications, systems and
also be more consistent with its responsibility networks that may be difficult to map due
for level-2 controls, which must be inde- to their complexity. Various factors create
pendent of the first-level controls performed a risk of loss of control over the information
by the IT function. system. These include a lack of control over
the architecture of the information system,
Inadequate or insufficient staffing inconsistent IT standards and a failure to
manage obsolescence.
Senior executives’ choice of the persons
appointed to head the IT and IT security
functions is essential for the proper organi-
RATIONALISATION
sation of the information system. These OF THE INFORMATION SYSTEM
functions must also have sufficient staff or Control over information system
they risk being unable to perform their architecture (urbanisation)
duties, to the detriment of the institution’s
Consistence of IT standards
proper operation and security.
Management of obsolescence
It is important that the persons chosen to
head the IT and IT security functions have
the requisite experience and professional
expertise because these positions require
strong technical and managerial skills. These Lack of control over information
prerequisites also apply to all IT staff, and system architecture (urbanisation)
it is desirable to adopt a formal human
resources management policy in this area When an information system becomes
that specifies the target distribution of inter- highly developed, an architectural
nal and external staff, as well as the key approach, sometimes called “urbanisation”,
functions for which it is necessary to main- is needed to avoid chaotic uncontrollable
tain sufficient in-house expertise, including growth. The principle is similar to that of
to supervise core functions that are out- the development of big cities. Applications
sourced. It can be supplemented by a skills and systems that work together are grouped
management policy that defines staff trai- together to simplify and better control their
ning objectives, in particular obtaining interactions. This work usually requires map-
professional certifications and providing ping and inventorying the components of
additional training on technological and the information system. Application and
business developments. systems architects are responsible for

ensuring that components are not added 6 Control of outsourcing

to the information system in a disorganised
manner. They can identify areas of weakness Because institutions may need skills or a
and make recommendations on optimising workforce they do not have in-house, IT acti-
and upgrading the information system. vities are often outsourced to service pro-
viders, which may belong to the same group
Inconsistent IT standards as the institution, or which may be third-party
companies. Risks of insufficiently supervised
Uncontrolled development of an informa- outsourcing may arise if the contractual
tion system can occur if the actions of framework is poorly defined, if dependence
systems developers and engineers are on a vendor is not controlled, if the expected
insufficiently guided by design, develop- service levels are not rigorously monitored
ment, production and security standards. and if changes in vendors are not antici-
The aim of these standards is to harmonise pated sufficiently in advance to activate
practices and prohibit the use of unap- contractual reversibility procedures.
proved solutions within the institution.
Different standards apply to different acti- Inadequate contractual framework
vities: applications development, produc-
tion and commissioning of network An inappropriate contractual framework,
solutions. To be fully effective, these stan- i.e. a non-existent, incomplete, invalid,
dards must be harmonised by the central unbalanced or imprecise contractual
IT function in order to avoid diverse or framework, may mean that the institution
inconsistent practices within the various will not obtain the expected service, which
entities comprising the IT function (e.g. may be detrimental to the proper operation
by the IT departments of the various sub- or security of its information system.
sidiaries of a group).
The management body should approve
Failure to manage obsolescence major outsourcing projects on the basis of
the opinions expressed by the various
IT technologies evolve rapidly and must control functions, including the IT security
constantly be updated to avoid the risk function. The contract and its associated
that the information system will no longer documents should serve as the reference
be able to be maintained. This is a that defines the rights and obligations of
demanding task because it requires the institution and the service provider. Such
paying close attention to the frequent contract is required, even if services are
version changes of software and systems outsourced within the same group. It is
used, which involves, for example, par- important for the contract to describe in
ticularly careful oversight of IT assets. detail the nature of the service, expected
More fundamentally, institutions should service levels, permanent controls to be
regularly replace applications that use executed, incident handling and business
old programming languages that are no continuity procedures, IT security require-
longer used by developers. Security requi- ments, contractual reversibility conditions,
rements may also justify regularly upda- the roles and responsibilities of the contrac-
ting technologies used. ting parties, the contacts responsible for

routine monitoring of the service, the bodies with outsourcing to foreign jurisdictions,
tasked with coordinating the relationship especially outside the European Union
and the type of information to be regularly (for example, with respect to data pro-
reported to the institution. The institution tection rules). Controlling the risk of
must be informed of chain outsourcing overdependence on one or more vendors
(sub-contractors), and it may require that requires consolidated oversight of
such chain outsourcing be authorised in contracts negotiated with vendors, as
advance. In all cases, the institution must well as approval by the management
ensure that such outsourcing does not gene- body if outsourced activities exceed a
rate any additional risk. Moreover, the dependence threshold to be defined. The
contract must include a right to audit the outsourcing policy should also specify
service, with possible onsite access, and it the conditions applicable to outsourcing
must describe the regulatory provisions (roles and responsibilities, the process
applicable to the service provider. This right for finding and selecting service provi-
of audit must not be unduly limited by res- ders, the contractual framework, and
trictive clauses (long notice periods, various service oversight procedures).
limitations). The contract should also grant
audit rights to the institution’s supervisory Inadequate monitoring of service levels
authorities. It may be useful for the institu-
tion’s legal department to approve standard Service levels are contractual commitments
clauses to ensure that all of the institution’s that a service provider makes to an institu-
contracts comply with the laws and regu- tion about the quality and security of IT
lations on outsourcing and protect the ins- services. If no service levels are set, or if
titution’s interests in a balanced manner. the expected performance levels are too
low, the institution will be unable to demand
Overdependence high-quality services.
If a service provider acquires a predomi- It is therefore essential that service levels

nant position due to the scope of the IT be contractually defined and that they be
activities it performs for an institution, the monitored on an ongoing basis by a dedi-
institution may find it difficult to impose its cated team of the institution, both by ana-
requirements, including if service deterio- lysing the dashboards set up in agreement
rates. Outsourcing to service providers with the vendor and by handling event
abroad, especially outside Europe, may occurrences, if necessary, by agreeing an
expose institutions to an inadequately action plan. This arrangement is most effec-
supervised legal environment. tive if a joint steering committee, comprising
representatives of the institution and the
Developing an outsourcing policy that is vendor, is set up and tasked with monitoring
approved by the management body pro- service quality. The steering committee
vides a framework that defines the acti- should be chaired by a manager whose
vities the institution is willing to outsource, hierarchical level is consistent with the sen-
and those that should be retained in-house sitivity of the outsourced activity. For the
due to their sensitive nature. Such policy most sensitive activities, it is advisable for
should assess the legal risks associated the chair of this committee to be the head

of the IT function or a senior executive. In relations with customers. The information

addition, holding meetings of a technical system may be non-compliant if the business
committee, comprising members with the lines’ expression of needs is inconsistent
appropriate hierarchical level, may be a with the applicable law, if IT developments
useful practice. Finally, a process should do not follow the legal specifications set by
be set up for escalating degraded service the business lines, or if production standards
quality or business relationship issues to the or techniques are in violation of the appli-
IT department or senior executives. cable law.
Inadequate reversibility procedure Business needs not in compliance

with applicable laws
Changing vendors in the IT field is relatively
complex because it usually entails taking Users are responsible for defining their
over an existing service, while guaranteeing information system needs. If they do not
users continuity of service with equivalent comply with the legal requirements appli-
service levels, as well as recovering archives cable to their activity, the expression of their
covering a long period. needs may include non-compliant require-
ments, which will then be incorporated into
Therefore, this process requires appropriate the information system and cause the insti-
advance planning, taking into account tution to be in breach of the law.
budgetary constraints, respecting the time-
table for activating the reversibility clause Preventing such risk requires a project mana-
with the outgoing vendor, and precisely gement methodology that includes a stage
defining the work to be performed. Some at which it is determined that the business
of this work will be taken over by a new lines’ expression of needs is in compliance
service provider, or by the institution if the with the legal requirements applicable to the
activity is brought in-house, whereas other institution, as well as with the institution’s
work may require specific treatment, for internal procedures, for example if they are
example in the form of a project to be stricter. Ordinarily, the legal department
budgeted and planned. should be consulted and its agreement
obtained with respect to the needs expressed.
7 Statutory and
regulatory compliance IT developments not in compliance
with the business lines’ legal instructions
Like any undertaking, institutions must com-
ply with the laws applicable to their business. The IT engineers should, in principle, comply
Therefore, in terms of organisation, the IT with the user’s requirements and, therefore,
solutions institutions use cannot be deve- incorporate the legal provisions applicable
loped by IT engineers autonomously, without to their activity if they have been properly
consideration for the legal obligations appli- formulated. If not, the institution will have
cable to the institution. Otherwise, the ins- a non-compliant information system.
titution risks breaching the laws governing Moreover, legal requirements may change
its business, which is unacceptable and over time, thereby rendering the information
could also prove highly detrimental to its system non-compliant.

It is therefore important that the user accep- identification and control mechanisms will
tance and testing phases verify compliance not be properly implemented. This may
with the law applicable to the institution, manifest itself as non-existent or partial
and that potential violations be detected and mapping, an inadequate permanent control
remedied. If the applicable law is amended system, inadequate handling of incidents,
significantly, the users responsible for pro- or inadequate periodic controls.
cessing must submit change orders to be
implemented by the IT engineers. RISK MANAGEMENT
Risk mapping
IT standards not in compliance
with applicable laws
Permanent control system
IT standards applicable to programming Detection and management

of operational risk incidents
and operating rules may include provisions
inconsistent with an institution’s legal obli- Periodic control system
gations, for example concerning personal
data protection or data retention periods.
These standards should not preclude com- Non-existent or partial risk mapping
pliance with the needs expressed by users.
They should be regularly updated to make Identifying and regularly assessing IT risks
them consistent with these obligations. are prerequisites for adopting risk control
measures. Otherwise, such measures may
To prevent such situations, the institution not be adopted or may be inappropriate,
must regularly verify that its standards meaning institutions will be inadequately
are compliant with the law applicable to prepared and have a greater exposure
its business. to risk.
8 Risk management It is essential that the institution identifies

and compiles a classification of its inherent
The management body should be able to and residual IT risks, both within business
rely on an effective operational risk mana- lines and support functions, including the
gement system that covers all IT risks. In IT department. This inventory should cover
accordance with the law, this system must all physical assets (data centres, offices,
be based on a risk map and a regular risk agencies, etc.), logical assets (online or
assessment, and incorporate risk control smartphone banking, cloud, etc.), activities
and monitoring measures. These control (business lines and support functions),
measures should include internal controls publics (employees, customers, service
at several independent levels to allow cross- providers, partners) and tools (applications,
checks. If the operational risk management networks, etc.), and should be consistent
system does not fully take IT risks into with the institution’s risk appetite, as
account, it will be incomplete and non-com- approved by the management body.
pliant with regulatory obligations. Moreover, Mapping business processes and support
it will not reflect all risks to which the insti- functions is a prerequisite for identifying
tution is exposed, and the IT risk and updating these risks, and should be

done at least annually. In addition to the Inadequate detection and management

mapping of processes and risks, which of operational risk incidents
ideally should be computerised to facilitate
its updating, consolidation and use, it is Operational risk incidents should be moni-
important to define risk reduction measures, tored to measure an institution’s losses
whether organisational, technical or and to take remedial measures. IT inci-
control-based. Fur thermore, cross- dents are expected to be included in ope-
disciplinary risks should be identified and rational risk oversight if they meet the
included in the mapping for each activity. definition of operational risk.24 If IT inci-
It is also essential to clearly define the dents, including security incidents, are
responsibilities of the IT function and of not included in operational risk oversight,
other activities due to the fact that the this risk will not be assessed completely,
business lines and support functions are which could impact the quality of risk
exposed to certain IT risks that are managed mitigation measures, and cause the insti-
by the IT department. tution to hold insufficient capital to deal
with such incidents.
Inadequate permanent control system
Therefore, it is expected that IT incidents
A permanent control system with two distinct that meet the criteria defined will be incor-
levels of controls is necessary to avoid risk porated into the operational incidents
situations. This permanent control system database. If necessary, an incident repor-
should encompass the various information ting threshold can be established, but it
system implementation and management should be set low enough to detect signi-
processes to ensure that any failures are ficant incidents. Aggregating multiple
detected in a timely manner. similar low-magnitude incidents is a good
practice that enables detecting and cor-
It is important that the permanent control recting malfunctions before a major inci-
of IT risks, including information security, dent occurs. In addition, it is important
be included in the institution’s permanent that action plans be adopted in response
control plan. This plan must cover all risks to these incidents and that the manage-
identified and be updated periodically. ment body be regularly informed about
First-level controls should be performed by the most significant incidents and the
operational staff and level-2 controls should associated action plans.
be performed by teams independent of the
IT function. The frequency of controls should Inadequate periodic control system
be modulated depending on the risk level,
but controls should be performed at least The institution’s periodic control system
once a year. Action plans should be esta- provides a third level of controls of all
blished to remedy any deficiencies disco- processes implemented. If it does not
vered during the controls. A tool should cover all information system processes,
24 Generating a financial gain catalogue the control plan and the results the management body may not be pro-
or loss, whether or not realised
(lost profits, near-miss), or a of controls as a means of informing the vided with independent information on
non-financial gain or loss
(e.g. man-days devoted to management body and facilitating their the risk status and corrective measures
re-establishing service after
an IT breakdown). monitoring of controls. taken in this area.

It is therefore essential that IT risks, including

information security risks, be included in
the institution’s audit plan and that they be QUESTION NO. 4
reviewed by specially trained auditors, Do you think the risk factors that are
either as part of general audits or pursuant mentioned for the macro-process of
to specific assignments. Furthermore, the organising the information system are
findings should prompt recommendations rightly identified? If not, what would you
and action plans, the most critical of which suggest for improvement?
should be approved and monitored by the
executive managers. The management body QUESTION NO. 5
must receive sufficient, regularly updated Do you think the mentioned control
information on the IT risks assessed by the measures are suitable? If not, what
periodic control system. would you suggest for improvement?
QUESTION NO. 6
In particular, do you share the view that
is given regarding the positioning and
the responsibilities of the Chief
information security officer?

Operating the information system
(“build and run”)
T
his section deals with risks related to system installed, i.e. providing the service
the “information system operation” expected by users, especially in terms of
macro process, which includes all quality, reliability and availability. The same
actions in relation to the use and operation issues apply to “change” actions, where
of the existing system, as well as actions to the risk is that they will be unable to properly
develop new services or equipment (projects), provide the expected services. In recent
or simply actions to make corrections or years, particular attention has also been
moderate changes (corrective and upgrade paid to data quality.
maintenance). The operational management
of existing services is sometimes called “run” The following sections explain the pri-
and the delivery of new services (application mary and secondary risk factors that
projects, installation of infrastructures) is may disrupt operating processes, conti-
sometimes called “change” or “build”. nuity management, change manage-
ment, and data quality. The main
The aim of all of these actions is to ensure measures for controlling these risks are
the proper operation of the information also described.
OPERATING THE INFORMATION SYSTEM (“BUILD AND RUN”)
Operations Change
management Continuity management Data quality
(sytems and management (projects, management
networks) upgrades,fixes)

Operating the information system (“build and run”)
1 Operations management the equipment, must be appropriate to the

(systems and networks) operational needs imposed by the service
levels expected by users. In addition, the
IT operations, also called “production”, capacity of resources used must be moni-
consist of running the computers on which tored to allow sufficient time for expansion
applications are installed. These compu- without compromising increased use of the
ters, as well as their connecting equipe- information system (e.g. number of users
ments, are called systems and network able to connect to the system, computing
environments. Improper operations mana- power, storage space).
gement of these systems and networks may
result in more or less serious disruptions Sound management of the means of pro-
that can impact the quality of service production requires up-to-date inventories.
vided to users. Inventory management consists of referen-
cing and centralising all information system
The ACPR’s IT experts have identified several hardware and software, in order to have
risk factors that may lead to unsound ope- a complete picture and to be able to verify
rations management. These may include that the equipment installed is adequate for
deficiencies in the means of production, in the needs identified. The characteristics of
the process for detecting errors and ano- each piece of equipment should be
malies, or in the process for resolving inci- recorded, such as version numbers, licences
dents and problems. This also includes the installed and the technical specificities of
risk that service levels expected by users the various components. This will facilitate
will not be met. compliance with technical standards, and
the obsolescence management of ageing
Inadequate means of production components will be optimised.
The means of production provide the Inadequate process

resources necessary for proper operation for detecting errors and anomalies
of the information system. If they are not
properly resourced, for example with equip- Processing errors and anomalies disrupt
ment that is sufficient in number and with proper operation of the information system
adequate power, the information system by reducing availability (delays, interrup-
may not be able to operate properly, in tions) or data quality. Therefore, promptly
particular at peak times. Furthermore, if the detecting them is crucial.
configurations of this equipment are not up
to date or are inappropriate for the institu- Detection is one of the primary tasks of the
tion’s needs, disruptions may occur or secu- operations staff who monitor production.
rity may be impaired. They can increasingly rely on detection tools
that automate monitoring. Specialised teams
It is therefore important that the choice of can also be tasked with these actions to
equipment that will comprise the operating improve response capacity. It is advisable
environment is properly assessed before to install error detection tools at various levels
new solutions are released. The technical of the information system in order to identify
characteristics, in particular the power of various types of technical malfunctions, even

before an incident occurs. For example, Non-compliance with service levels

detecting abnormally long response times
may enable anticipating an interruption of Service levels define users’ expectations
the information system. The detection tools with respect to the operation of the infor-
should cover all equipment to facilitate com- mation system (e.g. availability periods,
prehensive oversight. possible interruption periods, data backup
frequency, switchover to backup systems).
Inadequate management Service levels are agreed for operating
of incidents and problems conditions and, more broadly, for overall
performance of the service. Regardless of
When detected, incidents25 should be any incident, problem or improper hard-
managed so as to restore proper operation ware configuration, unsound operations
of the information system as quickly as pos- management may make it impossible for
sible and minimise downtime. Problem26 the systems and network administrators to
management, which complements incident keep commitments to users.
management, consists of diagnosing the cause
of repetitive or difficult to resolve incidents, Systems and network operating processes
putting in place measures to prevent them are ordinarily set out in formal operational
from reoccurring, and mitigating the impact procedures that enable their administrators
of problems that cannot be avoided. Therefore, to rigorously monitor the various opera-
it is essential for these two processes to be tions in normal service and degraded
effective in order to minimise service degra- service situations. In addition, it is impor-
dation and loss of user confidence. tant that service levels be formally set out
in service agreements with end users.
It is advisable that these processes be for- These agreements should specify the moni-
mally expressed as operational procedures. toring criteria and expected satisfaction
The various incident and problem handling levels for these services, with respect to
stages, from detection to resolution, should s e r v i c e q u a l i t y a n d a v a i l a b i l i t y.
be performed by specialised teams, whose Documenting expected service levels in
actions must be documented to ensure they contracts is useful for measuring whether
are properly completed. Scaling based on users’ needs have been met. Indicators
sensitivity levels enables prioritising. Problem should be used to monitor commitments
management is closely related to incident and take necessary corrective actions.
management, and uses similar tools, clas-
sification criteria and priorities. Resolution 2 Continuity
is generally easier if facilities, information of operations management
flows and critical services have been map-
ped and inventoried. The resolution of inci- Operations continuity refers to the measures
dents and problems should be monitored and resources implemented to ensure the
25 The Information Technology
Infrastructure Library (ITIL) by the committees tasked with monitoring availability of the information system in
defines an incident as “an
unplanned interruption to an service quality. Succinct reports should be accordance with the needs expressed by
information technology (IT)
service or reduction in quality of submitted to the management body to users. Services generally operate in accor-
an IT service”.
enable them to mobilise the appropriate dance with availability periods that vary
26 ITIL defines a problem as the
cause of an incident. teams and allocate sufficient resources. depending on the nature of the activities,

except in certain cases where no interruption based on formal coordination, supervision

is tolerated. In any case, the systems and and decision-making policies and proce-
networks must be fully available during the dures. This requires that the roles and res-
availability periods to enable applications ponsibilities in crisis management situations
to function with adequate response times. be clearly defined. The involvement and
Otherwise, the system will be unavailable approval of the management body is neces-
or experience slowdowns, thereby disrup- sary to ensure that the continuity system is
ting user activity. aligned with the institution’s strategy, that
sufficient budgetary and human resources
The information system may risk unavaila- are allocated, and that employees and their
bility if the institution does not have an managers are committed to the process.
adequate organisation in place to manage Ordinarily, a methodology, an effective
its service continuity system, or if it has not crisis management structure and an appro-
correctly identified the various unavailability priate communication policy complete the
scenarios, or if the means of production or system. The institution should have a business
backup systems are inadequately protected continuity plan that includes an IT backup
against accidents, or if its IT continuity sys- plan.
tem is inadequate, does not correspond to
the system planned for users, or has not Inadequate identification
been tested sufficiently. of unavailability scenarios
Inadequate continuity organisation The continuity plans are customarily based

on loss of assets scenarios, including systems
Institutions must set up an organisation to and networks malfunctions of varying dura-
manage their service continuity framework, tions. The IT backup plan should describe
in accordance with regulatory requirements. the procedures for activating backup
This framework is twofold with a component resources under these various scenarios. If
specific to the continuity of users’ activities the scenarios defined do not identify all
(fall back premises) and an IT backup com- possible disturbances or misevaluate the
ponent (switchover to a backup site). This consequences, the continuity management
system should describe the actions to be system may not adequately respond to an
taken to ensure the continuity of the business unforeseen breakdown, which will prevent
processes deemed essential, and the neces- users from continuing their activities.
sary resources to be implemented in the
event of a crisis. This reduces the risk of To prevent such situations, it is necessary
business interruption or information system to perform impact assessments for users’
malfunctions to an acceptable level for the businesses (in particular, at the regulatory,
institution. If the organisation set up is inade- legal, commercial, financial and reputatio-
quate, the institution may not have available nal levels) based on the various scenarios
backup resources in the event of a failure of unavailability of premises, information
of its main equipment. systems, staff, energy, telecommunications
and key vendors. Service continuity requi-
It is therefore important that the organisation rements are normally defined on the basis
set up to manage service continuity be of the “maximum tolerable period of

disruption” and the “maximum allowable dependent on electricity to power equipment

data loss”. For the production teams, the and water for air conditioning. A wide
former translates into a “recovery time objec- variety of accidents and natural disasters
tive” (RTO), which defines the maximum may severely impact them (fires, floods,
recovery time, and the latter translates into earthquakes, plane crashes, chemical pol-
a “recovery point objective” (RPO), which lution, electromagnetic pollution, etc.).
expresses the maximum allowable period
between an incident and the date of the It is therefore important for institutions to
most recent data backup. rigorously select the locations for their data
centres, avoiding areas exposed to natural
Non-alignment of IT continuity hazards (e.g. flooding or seismic areas) or
with business continuity neighbouring risks (airports, chemical sites,
etc.). They should also equip their data
The IT backup plan describes the continuity centres with devices to detect accidents and
arrangements for IT production. It should minimise potential damage, in particular
be part of the institution’s overall business fire (detection, extinction) and water leaks
continuity plan, which also describes the from the air conditioning system. These
backup resources available to users. The devices must be properly resourced, regu-
IT backup plan must therefore be consistent larly tested and kept in good working order.
with the business continuity plan; These protective devices are not only neces-
otherwise, there is a risk that it will be sary on the premises housing the hardware,
inadequate to enable continuity of essen- but also in the rooms housing electrical
tial or critical applications. equipment and telecommunication servers.
It is also advisable to develop a compre-
To avoid any discrepancy resulting in hensive safety policy, for example, prohi-
inadequate IT backup resources, the IT biting the storage of flammable materials,
backup plan must be based on impact such as cardboard, in machinery rooms or
assessments for users’ businesses and their nearby premises.
corresponding service recovery times
(expressed as RTO and RPO). Any discre- Inadequate continuity systems
pancies that may result from a known defi-
ciency of backup resources must be brought In accordance with the IT backup plan, the
to the attention of the management body institution must be able to switch operation
for a decision on user needs or the allo- of its information system over to a backup
cation of additional resources. infrastructure if its main system becomes
unavailable. If it has poorly resourced its
Inadequate protection of means backup equipment, it may not be able to
of production and backup resources run the applications it needs. If its backups
against accidents are not recent enough, it may lose significant
quantities of important data.
Data centres are particularly vulnerable to
accidents and damage that may affect hard- Therefore, the backup infrastructure equip-
ware and thus disrupt the proper operation ment must be properly resourced to be able
of the information system. These sites are to run the applications and functionalities

identified as essential and critical in the the backup environment. Therefore, the
continuity plan. These infrastructures must backup environment should be used in
be operational in order to quickly switch actual situations by the business line teams
production over to them in accordance with for a sufficiently long period of time and
users’ requirements (RTO and RPO). Data on a range of matters that is representative
backups must be sufficiently frequent and of their activities (in particular, to enable
well-protected. Switchovers may be trigge- conducting end-of-period work, such as at
red for the entire information system, or for the end of a week or month). Backup envi-
certain components or applications. In addi- ronments should allow alternate production
tion, the possibility of regional disasters on at least one of the backup sites. The
must be taken into account, in particular results should be monitored at the appro-
by locating the production environment priate level and necessary corrective mea-
sufficiently far away from the backup envi- sures should be taken.
ronment. Moreover, it is particularly impor-
tant that the backup site have a power 3 Change management
supply from a different power generation (projects, upgrades, fixes)
source than that supplying the main site,
and that it not be exposed to the same IT “change” (a.k.a. “build”) refer to all
natural hazards as the main site (river floo- modifications made to a system, either to
ding, proximity to the same airport or indus- fix it or upgrade it (maintenance), or to
trial or chemical site, etc.). If this is the case, change or supplement it (project). Changes
a third site will be needed in order to may concern software and hardware. These
actually retain production capacity in all are obviously delicate processes because
unavailability scenarios. they are carried out on existing production.
Mismanaged changes will cause malfunc-
Inadequate testing tions. In this area, the risk factors to be
considered are inappropriate change mana-
The effectiveness and pertinence of business gement standards, poorly organized or
continuity plans and IT backup plans depend incompetently managed changes or pro-
on sufficiently regular implementation tes- jects, functional and technical requirements
ting. The testing of technical and organisa- not adequately taken into account, insuffi-
tional systems makes it possible to assess cient testing of new components, and impro-
the robustness of the planned solutions, in perly implemented changes.
accordance with the service levels approved
by users. Inadequately defined or applied
change management standards
It is important for continuity plans to be
tested comprehensively using a proven Because it is a tricky process, change
methodology, so as to obtain reasonable management is usually governed by ope-
assurance of the plans’ quality and effec- rational policies and procedures. Such
tiveness, including compliance with user policies provide, for example, that releases
requirements. Backup tests are truly perti- should be grouped in batches rather than
nent only if they include a switchover of implemented individually. A release for
production from the main environment to which proper guidelines have not been

adopted has greater exposure to the risk proper sequencing of the various perfor-
of erroneous operations. mance stages after the quality of delive-
rables has been verified. Finally, the choice
Therefore, complete and appropriate policies of staff is crucial, and it is necessary to
and procedures are recommended. They verify that they have the expertise required
should be implemented by specialised teams to perform the various tasks.
trained for this purpose within the entities.
The different types of changes should be Functional and technical requirements
defined, including standard changes and not adequately taken into account
urgent changes to correct serious malfunc-
tions. The description of treatments should Changes are made in response to the infor-
distinguish the various phases, including mation system upgrade needs expressed
recording, impact assessment, classification, by users. It is therefore crucial that the
prioritisation, validation stages, planning, changes meet such needs. In addition, tech-
testing and regression conditions. nical standards will also impose technical
Management of versions (releases) should requirements with respect to security, pro-
also be included in these processes. duction and network operation.
Poor project management organisation A methodology shared by all stakeholders

should be followed to collect and approve
Successful change management, and espe- the users’ functional requirements. Technical
cially project management, depends to a requirements that restrict the possibility of
large extent on setting up a solid organisa- meeting functional needs must be made
tion and on the expertise of the teams in known to and be accepted by users.
charge. Applying a work methodology also Technical requirements specific to the ope-
helps to guide the process. Failure to control ration of the systems and networks must be
the work can cause delays and generate taken into account by the technical admi-
additional costs, or may result in a deterio- nistrators at the earliest stages in the design
ration in expected functionalities. and development of new equipment.
In particular, the roles and responsibilities Inadequate testing

of each participant should be clearly defined
in order to ensure a solid organisation. Testing is a mechanism for ensuring that
Committees that monitor the work and coor- changes meet the needs approved, both
dinate the various parties can provide over- functionally and technically.
sight of deadlines, costs and quality, and
facilitate decision-making. Major projects Functional and technical acceptances
should be monitored by a sponsor res- verify that the changes are adequate. It
ponsible for ensuring they progress smoo- is important that they be comprehensive
thly. A communication system for the various and are carried out pursuant to formal
parties involved will reduce misunderstan- procedures, and that the results thereof
dings that can be a source of errors or are documented in reports shared with
delays. Applying a project management all stakeholders. Corrective actions should
methodology is advisable because it ensures be taken if significant anomalies are

discovered. Minor anomalies can be financial assets. This requirement is also

considered non-fatal for commissioning important for risk calculation data, which
and be fixed later. Non-regression testing is used by the management body to manage
should be performed systematically to the business and by supervisors to supervise
avoid unwanted side effects. A pre-pro- it. Therefore, poor quality data can be par-
duction environment as similar as possible ticularly detrimental, both for conducting
to the production environment will enable business if the institution does not use
verifying the adequacy of new compo- reliable data, and for monitoring risks if
nents (functionalities, performance). the indicators used are erroneous. Data
may be of poor quality if data standardi-
Improperly implemented changes sation and definitions are inadequate, or
if the information system uses or generates
Releasing changes is particularly delicate erroneous data. Inadequate controls may
because if it not correctly carried out, it can also explain a data quality problem.
create disruptions to the system in place, with
potentially very damaging consequences if Inadequate data standardisation
rollback is difficult.
The information systems of banks and insu-
It is therefore important to follow a very rance institutions often comprise multiple
rigorous release process. Planned software applications. If they were designed at diffe-
and hardware deployments should follow rent times and for new needs on each occa-
formal procedures that aim to ensure a sion, the concepts they use (e.g. “borrower”,
satisfactory level of availability. These proce- “insured”) may not always be defined in
dures should include rollback methods in the same way, making it difficult to compare
the event of a defect. Customarily, a change or aggregate data. Ordinarily, the most
timetable is adopted in order to group commonly used terms should be managed
changes and implement them at times when by establishing unique “glossaries”, which
experienced staff are present and outside are to be used throughout the institution.
normal service periods (e.g. on weekends). Similarly, data “standardisation” means
If necessary, qualified experts should be homogenising, and unifying if possible, the
on call and managers should be reachable definitions of similar concepts used
in the event of an anomaly. throughout the information system. If the
institution does not use glossaries for its
4 Data quality most commonly shared data, or if it has not
undertaken a standardisation process, the
One of the most important requirements for various components of its information system
an information system is that its data be may use non-comparable data or data that
accurate, i.e. it corresponds to the data cannot be aggregated, thereby depriving
inputs expected and/or changes thereto as it of a consolidated picture of its business
a result of processing performed by the and risks.
information system do not generate errors.
This is particularly important for the infor- For this reason, glossaries should be created
mation systems of banking and insurance for the concepts most commonly used by the
institutions, which hold personal data and institution. The various applications using this

data will thus have a single and reliable source. of the data generated. Risk indicators pro-
A function or business line should be given duced for the management body and super-
responsibility for these glossaries and tasked visors should be based, to the extent possible,
with updating them and ensuring the data on automatically calculated indicators rather
definitions are pertinent. Similarly, to increase than approximate values. Lastly, it is impor-
uniformity among the various applications that tant that the available data be sufficiently
use similar data, and thereby facilitate data detailed and aggregated in accordance
aggregation, it is in the institution’s interest to with the criteria requested, in order to meet
undertake a data standardisation process. all significant users’ needs.
This process should involve business lines and
functions, as owners of the information system, Inadequate data quality controls
as well as the IT function, which is responsible
for the consistency of the information system Data quality must be regularly and tho-
as a whole. This standardisation process can roughly checked by users and control func-
usefully be supported by data dictionaries that tions. Otherwise, the institution may not
set out data definitions and syntax, and that detect situations in which erroneous data
apply to all user entities. is used or generated.
The information system uses Therefore, the verification of data generated

or generates erroneous data and activity or risk monitoring reports should
be based on automated and manual controls
If the information system uses inaccurate input that enable detecting any anomalies and
data, it is likely that it will generate inaccurate setting up action plans to fix them.
output data. Moreover, regardless of the
quality of the source data, if there are proces-
sing errors in the system, the data generated
will be erroneous. Data errors are not due QUESTION NO. 7
solely to accuracy issues; they may also be Do you think the risk factors that are
the result of inappropriate or incomplete data, mentioned for the macro-process of
or data that is unavailable at the time of pro- operating the information system are
cessing. The risk of errors also increases if an rightly identified? If not, what would
automated process is reprocessed manually. you suggest for improvement?
Users should test data suitability before it is QUESTION NO. 8

released and, thereafter, should check it Do you think the mentioned control
regularly. Audit trails will enable reconstruc- measures are suitable? If not, what
tion of processing and the steps taken to would you suggest for improvement?
make changes, thereby providing a history
of changes made to information from its QUESTION NO. 9
original form to its final form. Manual treat- In particular, do you share the view
ments should be limited as much as possible that is given regarding the test mode
and should be thoroughly and regularly for the switchover to the disaster
verified. Production incidents should be ana- recovery site?
lysed to assess their impact on the quality

T
his section discusses the risks that system operation” macro process, as was
may affect the “information system done above, and the “information system
security” macro process, which security” macro process focuses on preventing
includes the various prevention and res- and responding to malicious attacks.
ponse actions that may be taken to thwart
security breaches. Customarily, these The sections below describe the main risk
breaches are described in terms of their factors that can impact the security of infor-
impact on the availability, integrity, confi- mation systems and, for each one, will
dentiality, and evidence or traceability of suggest risk reduction measures that can
data and operations. be implemented. The risk factors discussed
are due to inadequate physical protection
The issue of information system security has of facilities that enable intrusions, inade-
become increasingly important due to cyber quate identification of IT assets (i.e. the
threats, but is in fact not a new concern. various assets that comprise the information
Originally, it encompassed both accidents system, such as hardware, software and
(breakdowns, natural disasters) and malicious data), inadequate protection of these assets,
threats. Today, accidental threats are more inadequate detection of attacks, and inade-
commonly dealt with under the “information quate response to attacks.
SECURING THE INFORMATION SYSTEM
Physical Logical Response

Identification Detection
protection of protection to attacks
of assets of attacks
facilities of assets

1 Physical protection of facilities good working order. Zoning measures

should supplement the security system
The protection of buildings against malicious within the premises by restricting access
intrusion has become increasingly important to various areas on a “need to know”
in recent years to deal with new types of basis. The security systems should be syn-
attacks, whether violent or surreptitious. An chronised to enable correlating events.
intrusion onto the premises can result in the The event logs of the various components
theft and destruction of physical assets, and of the security system should be kept for
may facilitate a logical intrusion into the the time periods required to complete all
information system if malware is installed necessary investigations.
that can spy on, sabotage or replace the
information of the institution, its customers Inadequate protection of IT equipment
or its partners. Such intrusions are possible
if the measures taken to protect buildings or Hardware safeguards should comple-
access to IT equipment are inadequate. ment anti-intrusion systems. Critical phy-
sical assets, such as ser vers,
Inadequate protection administration consoles, network hard-
against intrusion into buildings ware, electrical equipment, keys, etc.,
require enhanced protection using addi-
Protective measures are crucial for premises tional and specific security devices (e.g.
in which systems and network infrastructures cages around servers, locked bays, and
are housed (data centres). They may also be specific video surveillance).
necessary for commercial or administrative
premises which, although not as critical, never- 2 Identification of assets
theless contain the institution’s workstations,
network accesses and documentation. An inadequate inventory of IT assets may
be detrimental to information system security
It is advisable not to identify data centres management because homogeneous and
with signs that describe the use and appropriate security measures may not be
ownership of the premises. Access thereto taken pre-emptively or the response to an
should be restricted to a small group of attack may be deficient. The relevant risk
persons in order to reduce risks. Strict factors are an incomplete inventory or clas-
procedures should regulate access to faci- sification of assets.
lities, including for service providers
appointed to maintain equipment. These Incomplete asset inventory
procedures should grant access only to
persons who have been properly sche- An inventory of IT assets is necessary to
duled, identified and accredited. In gene- identify the most critical assets for users
ral, premises should be protected by and the assets that are most exposed to
perimeter security barriers (fences, gates, cyber-attacks. This inventory should include
security doors, badge controls, etc.) and “business line” assets (e.g. applications,
intrusion detection systems (video surveil- data) and “support” assets (e.g. premises,
lance, alarms, etc.). This equipment must hardware), and should be kept up to date.
be regularly tested and maintained in It should include all information necessary

to identify assets, and should describe the information system. Cyber-attackers have
location, function and ownership of each varied motives, such as realising a direct
asset. The inventory should also associate gain (fraud, theft, ransom, espionage) or
interrelated assets to make it possible to causing harm (disrupting normal operations,
quickly identify interactions and interde- sabotage, reputational damage). Regardless
pendencies, which would be useful for of the motives, these attacks may impact the
crisis management purposes. system’s availability (e.g. blocking a system),
integrity (manipulation of an asset), confi-
Incomplete asset classification dentiality (e.g. viewing or stealing data) or
traceability (e.g. deleting access rights
Classification consists of defining the level changes). Protective measures must therefore
of sensitivity of assets, which is used to deter- cover these various types of disruptions and
mine the protective measures to be imple- be adapted to the sensitivity of each asset.
mented and to quickly identify the assets to These measures can no longer be designed
be isolated and safeguarded in the event of individually. Current best practice is to repli-
an attack. The primary focus of this classifi- cate them at the various levels of the infor-
cation should be data and their associated mation system (e.g. by filtering communications
applications. The classification serves as the not only upon entry but also at other points
basis for assigning sensitivity levels to the in the system) in order to slow the progress
systems and network equipment used for of an attacker. This is known as the “defence-
these applications, as well as to the sites in-depth” concept. If the logical protection
where such equipment is installed, thereby of assets is inadequate, there is a risk that
providing a global picture, both logically an attacker may enter the information system
and physically, enabling the institution to and compromise it. This may be due to inade-
prioritise the protection of assets. quate perimeter security systems, inadequate
protection against malware, inadequate
For the classification to be complete and identity and access rights management,
pertinent, it must include all logical assets inadequate employee authentication, inade-
and be fully applicable to the physical assets. quate protection of systems and data integrity
Moreover, it should result from a formal ana- and confidentiality, inadequate protection of
lysis process approved by the owner of the systems and data availability, inadequate
relevant asset, and be reviewed periodically. management of security patches, inadequate
The asset sensitivity assessment should be security reviews, inadequately secured out-
performed against the following criteria: sourced solutions, or inadequate information
availability, integrity, confidentiality, tracea- systems security awareness.
bility and legal or regulatory obligations.
Financial and reputational impacts may also Inadequate perimeter security systems
be included in this sensitivity assessment.
Perimeter security consists of protecting the
3 Logical protection of assets information system from external intrusion
or of isolating internal zones. Due to the
Asset security relies primarily on a set of IT significant number of communications with
protection measures (“logical” measures) external parties, perimeter security includes
intended to prevent any breach of the channelling communication flows to a

limited number of obligatory passage It is therefore important to deploy anti-

points, then filtering and reviewing the malware devices on all hardware and sof-
content of incoming and outgoing commu- tware: messaging gateways (scanning
nications. In recent years, this protection attachments, detecting executable files),
has been criticised on the grounds that it Internet access gateways, network access
has become nearly impossible to implement points for partners, etc. These devices must
due to the multiplicity of communication be activated and kept up to date. Any excep-
channels and flows. Nevertheless, perimeter tions must follow formal guidelines and be
security continues to be a key tool for effec- approved. Protective devices must themsel-
tively protecting the information system, ves be protected against any attempt by
although it should be supplemented by other users to disable or uninstall them. The use
measures, including detection measures of several separate security suites within
within the system. the information system prevents the exploi-
tation of a weakness or vulnerability of a
It is therefore expected that systems provi- particular tool.
ding perimeter security for the information
system will be set up to prevent any unau- Inadequate identity
thorised attempt to access the information and access rights management
system, or at least the applications and data
identified as sensitive. Devices for filtering Access rights to the information system
network traffic (e.g. firewalls), comprising should normally be granted to users on a
monitoring and blocking rules, should be “need-to-know” basis. They protect legiti-
deployed, and the most sensitive assets mate use of the system and are components
should be logically isolated within the infor- of user identification management. Access
mation system or cut off therefrom. The rights should be granted by the institution
effectiveness of perimeter security systems on the basis of its employees’ status and
should be regularly reassessed and such duties. Therefore, access rights should be
systems should be adapted as necessary. updated whenever employees are hired,
leave or change position. Similar principles
Inadequate protection against malware should apply to information system compo-
nents managed by external providers. If
Malware is the most frequent vector for this is not done, or if the rights granted are
cyber-attacks. It can be used to collect infor- too broad or incorrectly updated, attackers
mation that may facilitate future intrusion may be able to more easily spoof them and
(technical, organisational or procedural hack into the information system.
information), compromise the integrity of
systems or data (website defacement, data To enable all actions on the information
encryption followed by a ransom request), system to be attributed to a given person,
disrupt the availability of applications (sabo- internal and external staff must be identified
tage) or, more directly, may be used to steal by name or unique identifier. The use of
confidential information (espionage). If an generic accounts to access servers, appli-
institution does not install safeguards against cations and data must be restricted and
malware, the security of its information sys- formally supervised. Employees with pri-
tem may be severely compromised. vileged accounts (e.g. administrators) should

also have regular accounts to perform eve- means chosen by employees should be
ryday tasks (access to corporate e-mail, standardised and adapted to their duties.
web browsing, etc.). Effective access rights Compliance with these rules should be regu-
management requires the use of profiles larly monitored. Granting temporary authen-
(business line and technical profiles) to stan- tication credentials should be closely
dardise and facilitate the granting of indi- supervised and secured (e.g. password
vidual rights. Any additional individual changed at the time of the first connection).
access rights, inconsistent with the user’s If static, authentication credentials
profile, must be justified, formally granted (passwords, tokens, etc.) must be renewed
and approved. In general, access rights to periodically. Any off-site access to the infor-
an asset should be approved by the owner mation system should require enhanced
of that asset, either directly or by a delegate. authentication procedures (for employees
It is important that access rights be consistent and exter nal ser vice providers).
at all times with the positions users hold. In Authentication secret elements need to be
particular, accreditations granted should appropriately protected.
be promptly deleted when an employee is
transferred or leaves the company. Best Inadequate protection of the integrity
practice in this area is to synchronise access of systems and data
rights management systems with human
resource management systems (or service System and data integrity safeguards are
contracts if applicable). Rights granted needed to prevent attackers from making
should be reviewed regularly to ensure they changes to information system components
continue to be justified. Similarly, the defi- that may affect its proper operation (inclu-
nition of profiles should be reviewed perio- ding its reliability) or security. Such actions
dically to determine if they remain may include changes to the system’s confi-
pertinent. gurations or access rights in order to carry
out an attack, or altering data for the benefit
Inadequate employee of the attacker.
authentication systems
To enhance the security of systems and to
Authentication consists of providing proof enable detection of any configuration
of identity, for example to access a piece change, whether by adding a programme
of hardware or an application. In compu- or changing the parameters of systems or
ting, the most common tool is a password applications, best practice dictates strictly
but it must be sufficiently secure to limiting the right to run software on equip-
prevent spoofing. ment (servers and workstations) and finger-
printing the servers’ “key” files. Another
It is therefore important to set up authenti- way to reduce the risk of compromising
cation systems adapted to the sensitivity of hardware is to reduce to a bare minimum
the assets to be accessed. Dual factor and/ the software installed thereon and its fea-
or dynamic authentication means should tures. This technique, called “hardening”,
be implemented for access to the most cri- mechanically reduces the number of sof-
tical assets. If necessary, the rules governing tware vulnerabilities that could be exploited
the complexity of confidential authentication by an attacker. Data and their associated

applications can be protected against logically segregated or isolated from other

attempted alteration in several different environments to reduce uncontrolled access
ways. It is advisable for applications to be from a development or testing environment
designed securely by including automatic that is typically less secure. Furthermore, the
controls for creating, modifying, and dele- data accessible from testing or development
ting sensitive data. Moreover, applications environments can be anonymised; better
can be configured to require dual validation yet, such data could be entirely fictitious to
(“four eyes” principle) for important opera- avoid the risk of disclosing real data. To
tions (e.g. approving a payment). When reduce the risk that data may be accessed
data is transported and stored, its integrity by unauthorised third parties, the right to
can be protected by “sealing” tools and view or manipulate production data must
applications that can be used to verify that be supervised and access records kept. This
data has not been altered. Usually, the seal measure particularly applies to service pro-
is calculated by a function called “hashing”, viders such as web hosts, managed service
possibly after adding a “salt”, to prevent providers and software solution publishers,
“dictionary” attacks (“rainbow tables”). which may have extensive rights over pro-
However, to be fully effective and secure, duction environments without the institution
these tools should comply with the current knowing precisely who has access to its
recommendations of the Agence Nationale data. In addition, the most sensitive data
pour la Sécurité des Systèmes d’Information should be protected throughout its life cycle:
(“ANSSI” - National Information Systems when it is input and displayed (e.g. partially
Security Agency). Lastly, and specifically or totally hidden), as well as during storage
for web services offered by institutions, and transport (encryption). It may also be
protections can be applied to websites advisable to encrypt network communications
against the risk of website defacement.27 end-to-end, i.e. both on public networks and
internal networks (between applications). In
Inadequate protection all cases, to be fully effective and secure,
of the confidentiality of systems and data these cryptographic tools should also comply
with the current recommendations of
Measures to protect the confidentiality of the ANSSI.
data, whether in relation to applications
(e.g. customer databases) or hardware The hardware that hosts data or allows
(e.g. configuration data), aim to prevent access to data must also be protected. This
unauthorised access (reading) or theft is particularly true for nomadic devices
(copying). In either case, the legal (breach (laptops) and mobile devices (phones,
of regulatory obligations), financial (com- tablets), to which specific measures can be
pensation for losses, sanctions) and repu- applied to prevent unauthorised access to
tational consequences may be disastrous the device or its contents, such as the encryp-
for an institution. tion of internal storage media or, if possible,
requiring a password to start the equipment.
To prevent data disclosures or theft, produc- More generally, it is good practice to have
27 See Annex B1 of the ANSSI’s tion data should be protected and the transfer procedures for disposing of equipment at
General Security Guidelines (https://
www.ssi.gouv.fr/entreprise/ thereof to other environments should be res- the end of their life cycle that logically and/
reglementation/confiance-numerique/
le-referentiel-general-de-securite-rgs/). tricted. Production environments should be or physically destroy any information in

memory. Lastly, at the application level, for usually update their IT solutions very quickly
publicly available applications (Internet when security breaches are discovered. If
applications and services, mobile applica- an institution does not quickly change the
tions, etc.) the institution should take mea- versions it uses to take advantage of security
sures to prevent any attempt at reverse patches, it will be exposed to attacks. This
engineering. This practice seeks to recover task is facilitated if the institution has an
the source code of software in a usable up-to-date asset inventory (see section 5.2).
form for the purpose of counterfeiting it
(intellectual property infringement) or unders- Protecting the information system against
tanding its operation (e.g. to attack it). logical attacks requires promptly updating
security patches for all relevant assets.
Inadequate availability safeguards A monitoring procedure should be set up
to detect any vulnerabilities of the infor-
External attacks can make the information mation system and provide fixes as quickly
system unavailable, either by completely as possible. The configuration information
preventing access or simply by slowing it available in the asset inventory can be
down. Such cyber-attacks, called denial-of- used to verify the extent of vulnerabilities
service (DoS) attacks,28 which saturate and establish an update plan. This plan
external accesses to a system, have become should take into account the sensitivity level
frequent in recent years. These attacks cause of the assets. To avoid creating new vulne-
immediate disruption to users, and can rabilities, new hardware installed should
damage the reputation of institutions in the have editors’ support and up-to-date ver-
banking and insurance sectors. sions of security patches.
The protection of the information system Inadequate security reviews

from attacks against its availability should
rely primarily on the same continuity mana- Security reviews refer to measures that test
gement systems as those discussed in the effectiveness of defences implemented
connection with the proper operation of the (“intrusion tests”) or check for vulnerabilities
information system (see section 4.2). To by observing hardware and software confi-
prevent DDoS attacks, the institution can gurations (“vulnerability scans” and “code
use filtering solutions to recognise legitimate reviews”). Institutions are increasingly using
requests. If a website for customers is these techniques to supplement their protective
attacked, it may be beneficial to be able measures. This enables testing the chances
to activate a separate site that is a copy of that an attacker may be able to circumvent
the first site or that is used solely to post defences. Without such reviews, the institution
information, and which is accessible at a may incorrectly conclude that the measures
different address than the site under attack. it has implemented are adequate.
Inadequate management Therefore, it is recommended that regular

of security patches security reviews be conducted to verify that
28 If the attacker uses a large the IT assets have no weaknesses that can
number of devices to attempt to
connect to the system, the attack Cyber-attacks often exploit security vulne- be exploited. This should include periodic
is called a distributed denial-of-
service (DDoS) attack. rabilities in software or hardware. Publishers vulnerability scanning campaigns of

equipment connected to the Internet, which capabilities. After the outsourced services
is by definition more exposed, but also of have been set up, they must meet the same
internal equipment (servers). Targeted intru- security requirements as if they were per-
sion tests should supplement vulnerability formed by the institution itself. The outsour-
scanning to test the security of newly ins- cing contract should specify that the security
talled or upgraded hardware and applica- conditions applied by the service provider
tions. To obtain objective and reliable must comply with the institution’s security
results, these campaigns should be conduc- policies. The institution must monitor the
ted by external experts or independent third performance of outsourced services over
parties, using a variety of approaches and time, including any incidents. The institution
methodologies. Lastly, security-focused code must have audit rights that are not unduly
audits should be conducted to identify and limited by restrictive clauses (long notice
fix any potential vulnerability as quickly as periods). With respect to outsourced cloud
possible. computing services, the ACPR published a
number of data and systems security best
Inadequate security practices in July 2013,29 with which insti-
of outsourced solutions tutions are expected to comply, as well as
with the EBA recommendations issued in
It is common that service providers manage December 2017.30
part or all of the information system on
behalf of institutions. These service providers Inadequate information systems
may belong to the same group as the ins- security awareness
titution or may not be affiliated with it. In
either case, service providers act in the Raising the awareness of staff and mana-
name and on behalf of the institution, and gement about the security of information
the institution remains responsible for the systems is a prerequisite to creating a risk
management of its information system, inclu- culture on these issues. Such culture can be
ding its security. useful in thwarting malicious attacks, which
often target employees and managers, and
Therefore, protecting the security of the seek to manipulate them in order to hack
information system requires that the portions into the system (e.g. infected USB sticks or
outsourced be protected to the same extent email messages) or to carry out a fraud
as the rest of the system. For this purpose, (social engineering).
before any outsourcing, the institution must
conduct a risk analysis to which the control Awareness-raising actions are advisable to
functions, in particular the information secu- prevent such actions. They should supple-
rity function need to contribute. The mana- ment existing procedures by providing
gement body will decide on outsourcing information about risks and providing trai-
29 ACPR (2013): “The risks projects taking into account security condi- ning in best practices with respect to the
associated with cloud computing”,
July. https://acpr.banque-france. tions. The risk analysis should identify the use and protection of the information system.
fr/search-es?term=201307+Risque
s+associes+au+Cloud+computing relevant activities that are sensitive in nature, Specific training programmes for employees
30 https://www.eba.europa.eu/ and ensure that the service provider has with high privileges (administrators) or who
documents/10180/1712868/
Final+draft+Recommendations+o solutions that guarantee data confidentiality perform sensitive functions (developers)
n+Cloud+Outsourcing+%28EBA-
Rec-2017-03%29.pdf (e.g. by using encryption) and backup should also be scheduled regularly. To the

extent possible, awareness-raising actions Centre -SOC), which ideally should be ope-
should be extended to external staff, partners rational 24/7. These SIEM tools should
and customers. The effectiveness of each cover the entire information system, or at
action conducted should be evaluated, and least its components that interface with the
adjustments should be made if necessary. Internet and its components classified as
sensitive. Traces collected should be
4 Detection of attacks time-stamped, archived, and protected
against any attempted change. The most
Security can no longer be based solely on serious alerts should be handled by the
protective measures. The occurrence of monitoring team, which should stay
“silent”31 cyber-attacks demonstrates the constantly informed of new attack proce-
ability of attackers to intrude into an infor- dures or vulnerabilities exploited.33 The
mation system without being detected, in organisation in place should enable infor-
order to understand how it is organised mation to be shared about incidents detec-
and cause serious harm. Therefore, protected by the various internal units. Exchanges
tive measures may not be sufficient and with peer institutions and the authorities
must be coupled with detection measures. should also be conducted.
These detection efforts usually focus on two
areas. The first is collecting and analysing Inadequate monitoring
events (“traces”) recorded by the hardware, of unusual behaviour of users
and the second is recognising unusual beha-
viour of users. If such detection tools are External users (e.g. customers connecting
not used, or if they are incomplete, the online) and internal users (employees per-
institution may be unable to detect or block forming operations, IT staff) use the func-
intrusions into its information system. tionalities of the information system intended
for their use. Malicious acts by them, or by
Inadequate trace collection and analysis attackers who usurp their rights, will result
in an abnormal use of these functionalities.
There are tools32 available for collecting, If mechanisms for monitoring abnormal
centralising and correlating events (“traces”) behaviour of users are not put in place, the
recorded by the various types of information institution’s information system risks being
system hardware (e.g. firewalls, network hacked without its knowledge.
routers, detection probes, as well as the
production systems), which can be used to Best practice is to monitor suspicious actions
monitor this equipment. This monitoring in applications, administrative tools,
may enable detecting intrusions or attemp- databases or any other sensitive environ-
ted intrusions into the information system ment within the organisation. This monito-
and thus providing prompt alerts. ring should be done in real time to enable
31 Such attack do not provoke
immediate disruption, but aim to greater responsiveness to attacks. Unusual
gain progressively access to the
different elements of the Best practices, especially for cybersecurity connections to the information system should
information system, in order to
maximize the attack. purposes, now require automatic tools for be monitored (connections at unusual times
32 E.g. security incident event collecting and analysing traces, as well as or dates like holidays, numerous connec-
management (SIEM) tools.
a monitoring team that can take action tions, access from new machines or Internet
33 This function may be
performed by the SOC. based thereon (such as a Security Operating addresses, etc.). Anomalies during the

authentication of external users (customers, proper functioning of the institution, the ope-
service providers) and internal users should rating methods to be implemented to mitigate
be recorded and analysed (e.g. multiple impacts and resume operations. The roles
attempts). Unusual behaviour of customers and responsibilities of decision-makers and
who use transactional sites (e.g. online key employees should be specified, and they
account management) should be detected. must be provided with the resources (pre-
High-value disbursement transactions should mises, equipment, communications or service
be monitored and blocking mechanisms providers) to meet and direct the operations.
may be activated to prevent numerous or This type of organisation is required for
high-value outflows. Copying and mass banking and insurance institutions, in parti-
delete functions on sensitive databases cular for dealing with a loss of resources
should be monitored or blocked, as well (buildings, employees, IT systems). If the
as privilege escalation functions on systems crisis management organisation does not
and databases. cover the various information system security
breach scenarios, institutions may not be
5 Response to attacks able to manage them effectively.
As provided in the cybersecurity mana- Therefore, it is important that crisis mana-

gement principles, the security of infor- gement procedures adapted to cyber risk
mation systems requires, in addition to be adopted and be regularly tested and
protection and detection measures, also adjusted. These procedures should cover
setting up an attack response and infor- the various cyber-attack scenarios and their
mation system security recover y consequences in terms of availability, confi-
approach. Several steps are required, dentiality, integrity and traceability. They
starting with containing the system com- should provide for coordinated action with
ponents affected, eliminating malware, external stakeholders (partners, customers)
returning to service in degraded mode and, if necessary, the competent authorities.
and, finally, rebuilding a healthy and They should include communication mea-
fully functioning information system. sures (media, partners, customers) and
These various operations require a crisis information measures (the management
management organisation, which of body, supervisors).
course should be set up in advance.
Therefore, the risk factors that may Deficiencies in containment of attacks
prevent an appropriate response to
attacks are related to failures in these Containing an attack consists in stopping
various processes, whether crisis mana- the attack from spreading, then eliminating
gement, or containing attacks, or resu- the attack vectors, such as malware, used
ming operations. by the attacker. This is a prerequisite to
resuming operations and preventing the
Deficiencies in crisis management attack from spreading uncontrollably.
The crisis management organisation should Dedicated operational teams, such as a

be based on procedures that indicate, depen- Computer Security Incident Response Team
ding on the various scenarios impacting the (CSIRT) should be responsible for incident

response. These teams should be tasked Restoring an information system impacted

with stopping attacks and eliminating the by an attack requires procedures established
effects thereof. They should have the in advance, that are regularly tested and
expertise and authority to determine what reviewed. These procedures should prioritise
applications to shut down and what recovery actions and ensure the integrity
networks to disconnect, if necessary. of restored systems and data.
Whenever required, these teams should
be able to draw on additional external
expertise, for which contracts have been
entered into. Ideally, these teams should QUESTION NO. 10
be able to set up decoys to distract or Do you think the risk factors that are
weaken the attacker during information mentioned for the macro-process of
system security operations. securing the information system are
rightly identified? If not, what would
Inadequate business recovery you suggest for improvement?
Restoring the information system consists

of putting it back into service. Generally, QUESTION NO. 11
this is a gradual process. If necessary, Do you think the mentioned control
during the attack, operations may also be measures are suitable? If not, what
performed via degraded manual proce- would you suggest for improvement?
dures, i.e. without using IT tools. When
the attack vectors have been eliminated,
a partial recovery of the information system QUESTION NO. 12
is possible, using the components not In particular, do you share the view
impacted. Thereafter, the integrity of the that is given regarding the protection
system will have to be re-established to measures for the integrity and the
enable full and normal operation of the confidentiality of data and systems?
information system.

Appendix: Classification of IT risk
Macro process Primary IT risk factors Secondary IT risk factors
• Inadequate understanding of issues

Insufficient involvement
• Inappropriate decisions
of the management body
• Insufficient monitoring
• Failure to anticipate business needs and technological

IT strategy inadequately defined or upgrades/issues/uses
aligned with the business strategy
• Inadequate tools and service levels
• Inadequate budget alignment with the strategy

Deficient budget management • Non-existent or insufficiently clear budget allocation
• Inappropriate oversight of expenditures
Roles and responsibilities of the IT • Poorly defined, allocated or communicated roles and responsibilities
and information security functions • Inadequate or insufficient staffing
• Lack of control over information system architecture (urbanisation)

Organising the IS Inadequate rationalisation of the IT • Inconsistent IT standards
(including the ISS) • Failure to manage obsolescence
• Inadequate contractual framework

• Overdependence
Inadequate Control of outsourcing
• Inadequate monitoring of service levels
• Inadequate reversibility procedure
• Business needs not in compliance with applicable laws

Statutory and regulatory • IT developments not in compliance
non-compliance with the business lines’ legal instructions
• IT standards not in compliance with applicable laws
• Non-existent or partial risk mapping

• Inadequate permanent control system
Inadequate risk management
• Inadequate detection and management of operational risk incidents
• Inadequate periodic control system

Appendix
Macro process Primary IT risk factors Secondary IT risk factors
• Inadequate means of production

Unsound operations management • Inadequate process for detecting errors and anomalies
(systems and networks) • Inadequate management of incidents/problems
• Non-compliance with service levels
• Inadequate continuity organisation

• Inadequate identification of unavailability scenarios
• Non-alignment of IT continuity with business continuity
Unsound management
of continuity of operations • Inadequate protection of means of production
and backup resources against accidents
• Inadequate continuity systems
Operating the IS • Inadequate testing
• Inadequately defined or applied change management standards

• Poor project management organisation
Inadequate change management • Functional and technical requirements not adequately
(projects, upgrades, fixes) taken into account
• Inadequate testing
• Improperly implemented changes
• Inadequate data standardisation

Poor data quality • The information system uses or generates erroneous data
• Inadequate data quality controls
Inadequate physical protection • Inadequate protection against intrusion into buildings

of facilities • Inadequate protection of IT equipment
Incomplete:
Inadequate identification
• asset inventory
of assets
• asset classification
Deficiencies in:
• Perimeter security systems
• Protection against malware
• Identity and access rights management
• Authentication of employees
Inadequate logical protection • Protection of the integrity of systems and data
of assets • Protection of the confidentiality of systems and data
Securing the IS
• Protection of availability
• Management of security patches
• Security review processes
• Security of outsourced solutions
• Information systems security awareness
Deficiencies in:
Inadequate process
• Trace collection and analysis
for detecting attacks
• Monitoring of unusual behaviour of users
Deficiencies in:
• Crisis management
Inadequate attack response system
• Containment of attacks
• Business recovery

It Risk

Uploaded by

Copyright:

Available Formats

You might also like

It Risk

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

It Risk

Uploaded by

Copyright:

Available Formats

March 2018

ACPR – Information technology risk 2

6 IT risk and its inclusion in operational risk

11 Organising the information system, including its security

23 Operating the information system (“build and run”)

32 Securing the information system

43 Appendix: Classification of IT risk

ACPR – Information technology risk 3

4 Drafted by its Insurance and

ACPR – Information technology risk 4

ACPR – Information technology risk 5

11 BCBS (2003): “Sound

ACPR – Information technology risk 6

requirements), supplemented “business” not based on an internal control system.

17 EBA (2011): “Guidelines on

ACPR – Information technology risk 7

This definition includes cybersecurity, but

ACPR – Information technology risk 8

Against what? IT MACRO-PROCESSES GENRATING IT RISK

Securing the information system

QUESTION NO. 1 Organisation-related risk factors include

ACPR – Information technology risk 9

ACPR – Information technology risk 10

ORGANISING THE INFORMATION SYSTEM (INCL. INFORMATION SYSTEM SECURITY)

Provide roles and

ACPR – Information technology risk 11

1 Involvement future needs of the business lines and

Although it does not have to be involved

ACPR – Information technology risk 12

Insufficient monitoring Failure to anticipate business needs

ACPR – Information technology risk 13

ACPR – Information technology risk 14

ACPR – Information technology risk 15

alert the management body of high-risk situa- 5 Rationalisation

ACPR – Information technology risk 16

ensuring that components are not added 6 Control of outsourcing

ACPR – Information technology risk 17

If a service provider acquires a predomi- It is therefore essential that service levels

ACPR – Information technology risk 18

of the IT function or a senior executive. In relations with customers. The information

Inadequate reversibility procedure Business needs not in compliance

ACPR – Information technology risk 19

IT standards applicable to programming Detection and management

8 Risk management It is essential that the institution identifies

ACPR – Information technology risk 20

done at least annually. In addition to the Inadequate detection and management

ACPR – Information technology risk 21

It is therefore essential that IT risks, including

ACPR – Information technology risk 22

OPERATING THE INFORMATION SYSTEM (“BUILD AND RUN”)

ACPR – Information technology risk 23

1 Operations management the equipment, must be appropriate to the

The means of production provide the Inadequate process

ACPR – Information technology risk 24

before an incident occurs. For example, Non-compliance with service levels

ACPR – Information technology risk 25

except in certain cases where no interruption based on formal coordination, supervision

11 Organising the information system, including its security

1 Involvement future needs of the business lines and

alert the management body of high-risk situa- 5 Rationalisation

ensuring that components are not added 6 Control of outsourcing

8 Risk management It is essential that the institution identifies

1 Operations management the equipment, must be appropriate to the

1 Physical protection of facilities good working order. Zoning measures

• Inadequate understanding of issues

• Failure to anticipate business needs and technological

• Inadequate budget alignment with the strategy

• Lack of control over information system architecture (urbanisation)

• Inadequate contractual framework

• Business needs not in compliance with applicable laws

• Non-existent or partial risk mapping

• Inadequate means of production

• Inadequately defined or applied change management standards

• Inadequate data standardisation

Inadequate physical protection • Inadequate protection against intrusion into buildings