Professional Documents
Culture Documents
It Risk
It Risk
It Risk
IT Risk
Discussion Paper
DRAFTED BY
Marc ANDRIES, David CARTEAU, Sylvie CORNAGGIA,
Pascale GINOLHAC, Cyril GRUFFAT, Corinne Le MAGUER
CONTRIBUTORS
Roméo FENSTERBANK, Thierry FRIGOUT,
Pierre HARGUINDEGUY, Christelle LACAZE
EXECUTIVE SUMMARY
The emergence of cyber-attacks in recent years has heightened concerns about IT risk.
These concerns are not specific to the banking and insurance sectors, but they are of
particular relevance to these sectors, which are essential components of a properly
functioning economy and key actors in protecting public interests.
To address these concerns, the supervisory authorities have gradually ramped up their
actions in this field. International bodies have developed new IT risk rules, and authorities,
such as the ACPR, acting in particular within the framework of the European Single
Supervisory Mechanism for the banking system, have strengthened their supervision.
This discussion paper emphasises that IT risk management is no longer a topic specific
to IT teams, but must be part of an overall approach to risk control and risk management
coordinated by the risk management function. Therefore, the operational risk management
reference framework must be refined to more effectively include all aspects of IT risk
within the recognised categories of operational risk. Under such an organisation, the
management body must be directly involved in ensuring the alignment of its IT strategy
with its risk appetite, but also in implementing and monitoring the risk management
framework.
Based on their supervisory experience, the various departments of the ACPR have developed
a definition and classification of IT risk that cover its various aspects and enable treating
it globally. Institutions supervised by the ACPR can use this classification to develop or
reinforce their own risk map. This classification covers the three main processes applicable
to implementation and management of information systems, i.e. issues in relation to the
organisation, proper functioning and security of information systems. For each of these
major processes, this discussion paper describes a set of risk factors, which are examined
on two levels to enable a fairly detailed analysis. For each risk factor, the main expected
measures for mitigating and controlling risks are presented. These measures are optional
and institutions can tailor them to their specific context. They illustrate the best practices
usually observed by the ACPR and they aim to create a common ground for controlling IT
risk management in the banking and insurance sectors.
4 Introduction
F
or several years, many international including guidelines to be followed by
bodies have focused on the growing supervisory authorities for adopting a uni-
IT risk in the banking and insurance form approach to assessing institutions’ IT
sectors. This emphasis is driven by two risks. 2 The European Insurance and
observations. Firstly, institutions’ operations Occupational Pensions Authority (EIOPA3)
now rely entirely on automated information has published an issues paper on cyber
systems, including for customer relations,1 risk4 and has undertaken a review of this
and these environments have become com- risk in conjunction with major players in
plex to manage. Secondly, even when all the insurance sector.
1 This is at times referred to as
the “digitisation” of banking precautions are taken, IT damage is a
and insurance operations.
major risk for these institutions’ operations. Among the various IT risks, cybersecurity
2 EBA (2017): “Guidelines on
ICT Risk Assessment under the In particular, the capacity of cyber-attacks risks have been given particular attention
Supervisory Review and
Evaluation process (SREP)”, to cause harm has steadily increased in by several authorities. The G7 has adop-
11 May 2017.
recent years. Whereas, initially, these ted high-level, non-binding principles
3 In French Autorité européenne
des assurances et des pensions attacks focused primarily on customer intended to provide guidance and har-
professionnelles (AEAPP).
All of these documents explicitly or implicitly in the ECB’s actions by making its off-site
recognise IT risk as an operational risk, as supervisors available to the SSM’s joint
documented and then regulated by the Basel supervisory teams and by having onsite
Committee on Banking Supervision (BCBS) inspections performed by the Banque de
from 2003. However, the inclusion and France’s inspectors. In the areas in which
treatment of IT risk within operational risk it has direct authority, such as “less-signifi-
still needs to be clarified for the same treat- cant institutions”, other banking sector enti-
ment principles to apply thereto. ties (in particular, finance companies and
payment service providers) and insurance,
On their side, the supervisory authorities the ACPR also carries out numerous actions
have also significantly ramped up their in connection with its ongoing supervision
actions in the IT risk field. Starting in and onsite inspections. The constant increase
November 2014, when the European in IT risks is an ongoing challenge that
Central Bank (ECB) acquired direct super- requires expanded resources and skills.
visory powers over the largest banks of To meet this challenge, the ACPR has conti-
Euro-zone (“significant institutions”), assisted nued its training actions and supplemented
by national supervisory authorities compri- the dedicated onsite inspections teams with
sing the Single Supervisory Mechanism a network of around 20 IT risk experts.
(SSM), it immediately initiated several off-site These experts represent the ACPR in various
supervisory actions and onsite inspections. international bodies working on IT risk and
Assessment questionnaires focusing on cybersecurity issues.
cybersecurity and IT outsourcing practices
enabled a quick evaluation of the strengths This discussion paper was drafted by IT
and weaknesses of the sector, which led to experts from the ACPR’s network. It aims
corrective actions. Numerous onsite inspec- to focus attention on IT risk issues deemed
tions, usually conducted by the national significant, both in terms of recognising
authorities, supplemented the process and and reducing such risks. It is a contribution
provided precise information on actions to to the discussion on how IT risk controls
be carried out. should be incorporated into the operatio-
nal risk management framework. Firstly,
This approach was already well-established the paper proposes a definition of IT risk,
in France because, in 1996, the Commission which is viewed as part of operational
bancaire (Banking Commission) had publi- risk. Secondly, this definition is supple-
shed a White paper on the security of infor- mented by a proposal for classifying IT
mation systems in credit institutions and, risk in a manner that covers all aspects
since 1995, it has had a unit dedicated to in a coherent manner. For each factor
risks in relation to information systems within included in this classification, the paper
its onsite inspection teams. On the strength explains what it deems to constitute sound
of this experience, the ACPR participated risk management.
12 BCBS (2006): “International 1 Regulatory status flexible so as to cover a wide variety of
Convergence of Capital
Measurement and Capital at the international level organisations and enable institutions to
Standards”, June 2006 (Basel
Committee Publications apply it in a manner that is proportionate
No. 128).
The concept of operational risk, which was to the breadth and complexity of
13 Directive 2013/36/EU of
the European Parliament and of originally devised by the banking authori- their activities.
the Council of 26 June 2013 on
access to the activity of credit ties, was then adopted by the insurance
institutions and the prudential
supervision of credit institutions
industry authorities. Since 2003, the Basel None of these documents explicitly
and investment firms (CRD IV
Directive). Regulation (EU)
Committee for Banking Supervision has addresses IT risk, although the various
No. 575/2013 of the European
Parliament and of the Council of
steadily expanded its recommendations on authorities are in agreement that it should
26 June 2013 on prudential the management of operational risk.11 It be included under “process, personnel
requirements for credit institutions
and investment firms and has also added capital requirements to and system failures”, for example in the
amending Regulation (EU)
No. 648/2012 (CRR, Article 4). enable institutions to deal with operational case of IT system breakdowns or errors,
14 Directive 2009/138/EC of incidents they may experience.12 To cover or under “external events” in the case of
the European Parliament and of
the Council of 25 November the multiple facets of operational risk, the cyber-attacks. This was due to the original
2009 on the taking-up and
pursuit of the business of Basel Committee has adopted a broad defi- reasoning of the standards-setting autho-
insurance and reinsurance
(Solvency II). Article 13 (33) nition that includes internal failures and rities, which considered IT tools, and
defines operational risk as the
“risk of loss arising from external events, and focuses on the risk of information systems as a whole, to be
inadequate or failed internal
processes, personnel or systems financial loss, whether direct or indirect. components at the service of institutions’
or from external events”.
According to the Committee, operational businesses, rather than an essential
15 Article 10 of the Arrêté du
3 novembre 2014 on the risk covers any “risk of loss resulting from concern. Under this approach, the most
internal control of companies
operating in the banking, inadequate or failed internal processes, important risks are those specifically
payment services and investment
services sector subject to the people and systems or from external events”. related to business operations, such as
supervision of the ACPR defines
operational risk as “the risk of This definition, with slightly different wor- credit, market or insurance risks. An IT
loss due to inadequate or failed
internal processes, personnel
ding, is now included in various legislative failure is thus primarily viewed in terms
and systems or external events,
including legal risk. In
and regulatory frameworks, notably the of its consequence on the business of its
particular, operational risk
includes risks associated with
European directives governing the banking user. The recognition of operational risk
events with a low probability of sector13 and the insurance sector.14 It has in the 2000s was a breakthrough insofar
occurrence but significant
impact, the risks of internal and also been incorporated into the French as a qualitative treatment (risk manage-
external fraud defined in Article
324 of the aforementioned banking laws.15 This framework has been ment and internal control), and later a
Regulation (EU) No. 575/2013,
and model-related risks”. intentionally designed to be broad and quantitative treatment (capital
The recent work focusing on IT risk is The ACPR General Secretariat has under-
therefore a significant development. There taken work to clarify the definition and
is a more explicit recognition of this risk treatment of IT risk. This cross-disciplinary
due to its growing and cross-disciplinary work, aimed at both the banking and
importance for all businesses. insurance sectors, was carried out by the
Nevertheless, although all regulators clas- ACPR’s network of IT experts. This work
sify it among operational risks, specific culminated in a definition and classifica-
guidance on defining and handling IT tion of IT risk intended to cover all aspects
risk has been slow to come. Accordingly, thereof. These elements are intended to
institutions have been given discretion in contribute to the work of various interna-
this area, but they must demonstrate that tional bodies, particularly in view of the
16 CRR, Article 324: internal they deal with all aspects of IT risk in Basel Committee’s revision of its Principles
fraud; external fraud;
employment practices and
accordance with the provisions applicable for the Sound Management of Operational
workplace safety; clients,
products and business practices;
to operational risk. This is not an easy Risk 18 and the IAIS’s revision of its
damage to physical assets;
business disruption and system
task. Banking and insurance institutions, Insurance Core Principles.
failures; execution, delivery and like all businesses, have long relied on
process management.
EBA included a definition in its guidelines customary term “IT risk” has been chosen
on the Supervisory Review and Evaluation and covers these various other terms.
Process (SREP)20, which need to be sup- In addition, this paper discusses three
plemented in light of experience and main risk areas that have been chosen
knowledge acquired in this area. to structure the risk analysis and treat-
ment approach: organisation and gover-
nance, proper functioning and quality,
IT RISK and information system security. This
Information system also covers all IT management processes
Failure or
and comprehensively targets the risk
Inadequate Insufficient
disruption in the
sécurity
factors underlying IT risk. It also provides
organisation operations
a framework for classifying cyber risk.
Classification of IT risk
CYBERSECURITY
This proposed classification of IT risk
What is it?
categorises in an orderly manner all
Measures identified risk factors for the three IT
Technical and human macro processes: organising the infor-
means
mation system (including its security),
operating the information system (“build
Of what sort? and run”), and securing the information
Prevention system. Primary and secondary IT risk
Detection factors have been identified for each of
Response these three macro processes.
on factors that may affect the proper func- institution is no longer exposed to these IT
tioning of the information system and thus risks. It must therefore continue to identify
impact the ability of an institution to conduct and control these risks pursuant to its ope-
its business. In particular, the classification rational risk management framework and
includes the risks of inadequate supervision internal control system.
of projects and changes, business continuity
failures, and poor data quality (customer The sections that follow describe the risk
data, reports to be submitted to regulators factors included in the proposed classifica-
or reports specific to institutions not intended tion and the measures deemed to be of use
to be made public). or necessary to control them. These risk
factors are defined as events or situations
Lastly, security-related risk factors cover all that may increase the probability of IT risk.
malicious attacks that impact the availability, The measures to control these risk factors
confidentiality and integrity of data and that are described in this paper are obviously
systems managed by the institution. These not exhaustive or mandatory. The primary
include risk factors such as inadequate intent is to establish a common analysis
identification and protection of IT assets, framework for all institutions that will enable
deficient detection systems and weak res- them to adopt sound practices for managing
ponse capacity to attacks. these risks. The ACPR may also use these
measures as a basis for its contributions to
The proposed classification is set out in the work of the various international bodies
detail in the appendix hereto. It is more in which it participates.
granular than the current classification of
the Basel Committee on Operational Risk
and is intended to complement it. Institutions
are free to use their own classification or
to use the one proposed by the ACPR. In
all cases, the full range of risks identified QUESTION NO. 3
should be covered, unless not justified by Do you think the ACPR’s proposal for
their organisation or business model. In this the classification of IT risk is suitable,
regard, it is worth noting that if all or part or do you have any proposal to
of an institution’s information system is out- improve it?
sourced, this does not mean that the
I
nformation system organisation refers to applicable to the institution. Lastly, a sound
the macro process covering all deci- and prudent organisation requires a risk
sion-making actions (sometimes referred management system that includes internal
to as “governance”), coordination (such as controls. These organisational actions are
defining a “strategy” and allocating the also important for the security of the infor-
corresponding resources), the allocation of mation system.
responsibilities within the entity, as well as
the policies and actions implemented to The sections that follow explain the primary
ensure proper management of the informa- and secondary risk factors that may impact
tion system (for example by reducing its information system organisation and secu-
complexity), control of outsourced functions, rity, as well as the main measures to control
and compliance of IT tools with the laws these risks.
Rationalisation
Statutory
of the Control of Risk
and regulator
information outsourcing management
compliance
system
It is therefore important to include users’ processes follow one another or are asso-
operational needs in strategic considera- ciated. Projects and maintenance should
tions, for example regarding the availability each receive a specific and well-identified
and security of environments. Obviously, budget allocation to avoid depriving
the strategy document will not describe either one of necessary funds. The
service levels with the same degree of detail resources made available should also
as a service level agreement (SLA). correspond to the deployment stages set
Nevertheless, it is important to conduct a out in the IT strategy.
global analysis of the institution’s operatio-
nal needs, for itself and for its customers Non-existent or insufficiently
and partners, so as to avoid compromising clear budget allocation
its business.
Without the required resources, the IT depart-
3 Budget management ment will be unable to properly manage the
information system. A documented process,
The budgetary process allocates the amounts binding on all departments of the institution,
required to implement the IT strategy that including those concerned with information
has been approved. These include expenses security, is essential to manage the process
(equipment, licences, services, training, of preparing and allocating IT budgets.
etc.) and human resources (internal or exter-
nal resources, including project manage- This process includes identifying functional
ment services). The budgets allocated must and technical requirements in relation to
then be monitored to make any necessary all applications, as well as those require-
adjustments or to redefine them if required. ments in relation to the operation of the
If the budget allocation process is not clearly information system and data security. Given
defined or if no such process exists, if the the life cycle of IT programs/projects,23 it
budget is not aligned with the strategy pre- is important to combine: (i) a multi-year
viously developed and/or if expenditures approach that allocates global budgets for
are not rigorously monitored, the financial large-scale programmes with (ii) an annual
resources available may not be used opti- approach that defines the budget for the
mally for the purposes of planned IT changes. coming year, including the share of major
programmes during the relevant year and
Inadequate budget alignment smaller projects that are considered a prio-
with strategy rity. It is important that all stakeholders be
involved in the process and that final deci-
The IT budget must enable implementation sions be taken by the management body.
of the IT strategy approved by the institu-
tion. If it is insufficient or allocated too late, Inappropriate oversight of expenditures
the strategy may not be implemented or
implementation may be delayed. Monitoring and controlling IT costs are essen-
tial to maximise the institution’s profitability,
23 In this paper, a programme
refers to a set of projects that are It is therefore advisable to make the two to report to the management body on the
coordinated in common due to
their highly complementary nature, processes consistent so as not to generate progress of projects and budget overruns and
which does not exclude individual
coordination of each project. discrepancies. Most frequently, the two to make any necessary adjustments.
Budget control requires monitoring overall able to interact directly with IT managers
expenditures, which is ordinarily done by who hold full and complete authority within
the financial function, as well as monitoring their remits.
by programme and by project, both on an
annual basis, against the allocation for the Therefore, the IT function should be in a posi-
year, and on a multi-year basis, against the tion to globally manage an institution’s infor-
budget originally attributed, adjusted, if mation system. Ordinarily, the IT department
necessary, after the programme or project includes the application development and
is launched. It is important that any budget maintenance teams, as well as the staff res-
overruns over a certain threshold be justified ponsible for operating system and network
and approved by the management body, or infrastructures. However, in some cases, the
that they be offset by management decisions. business lines and support functions have
A clear and up-to-date procedural framework their own development and maintenance
should provide for standardised procedures teams, and at times their own production
for managing expenditures, approving bud- teams, which may also be set up as IT depart-
get overruns, decision-making and informing ments. Accordingly, it is important that one
senior executives and the board. person be in charge of the IT function broadly
speaking, i.e. all teams, whether they are
4 Roles and responsibilities within the central IT department or the business
of the IT and information lines or functions. This manager must have
security functions full authority over the strategic directions of
the entire IT function, the overall budget, the
Although executive managers have full res- standards and procedures for ensuring sound
ponsibility for issues related to the informa- management and control of information sys-
tion system and its security, they need to tem risks. The head of the IT function should
rely on IT managers and their teams, who be sufficiently senior in the hierarchy, ideally
are referred to in this document as the “IT reporting directly to the management body,
function” and “information security func- to ensure that IT issues are properly considered
tion”. The information system will not be within the institution.
properly organised if these roles and res-
ponsibilities are not clearly defined and The information security function must also
allocated, if the managers’ skills profiles be clearly identified and granted full autho-
are not appropriate or if insufficient rity. This function, which is headed by the
resources are budgeted. chief information security officer (CISO),
originally focused on defining the information
Poorly defined, allocated or security policy, raising awareness of security
communicated roles and responsibilities issues among teams and contributing to risk
control, for example by conducting security
A clear division of responsibilities between studies or performing level-2 controls. During
the managers will facilitate efficient mana- its inspections, the ACPR has noted that this
gement of activities and avoid blockages. function is too often incorporated into the IT
As has been the case for other banking and function, whereas it is preferable that it be
insurance functions (risk, compliance), independent so as to enable it to give objec-
supervisors now increasingly expect to be tive opinions on IT security, as well as to
routine monitoring of the service, the bodies with outsourcing to foreign jurisdictions,
tasked with coordinating the relationship especially outside the European Union
and the type of information to be regularly (for example, with respect to data pro-
reported to the institution. The institution tection rules). Controlling the risk of
must be informed of chain outsourcing overdependence on one or more vendors
(sub-contractors), and it may require that requires consolidated oversight of
such chain outsourcing be authorised in contracts negotiated with vendors, as
advance. In all cases, the institution must well as approval by the management
ensure that such outsourcing does not gene- body if outsourced activities exceed a
rate any additional risk. Moreover, the dependence threshold to be defined. The
contract must include a right to audit the outsourcing policy should also specify
service, with possible onsite access, and it the conditions applicable to outsourcing
must describe the regulatory provisions (roles and responsibilities, the process
applicable to the service provider. This right for finding and selecting service provi-
of audit must not be unduly limited by res- ders, the contractual framework, and
trictive clauses (long notice periods, various service oversight procedures).
limitations). The contract should also grant
audit rights to the institution’s supervisory Inadequate monitoring of service levels
authorities. It may be useful for the institu-
tion’s legal department to approve standard Service levels are contractual commitments
clauses to ensure that all of the institution’s that a service provider makes to an institu-
contracts comply with the laws and regu- tion about the quality and security of IT
lations on outsourcing and protect the ins- services. If no service levels are set, or if
titution’s interests in a balanced manner. the expected performance levels are too
low, the institution will be unable to demand
Overdependence high-quality services.
It is therefore important that the user accep- identification and control mechanisms will
tance and testing phases verify compliance not be properly implemented. This may
with the law applicable to the institution, manifest itself as non-existent or partial
and that potential violations be detected and mapping, an inadequate permanent control
remedied. If the applicable law is amended system, inadequate handling of incidents,
significantly, the users responsible for pro- or inadequate periodic controls.
cessing must submit change orders to be
implemented by the IT engineers. RISK MANAGEMENT
Risk mapping
IT standards not in compliance
with applicable laws
Permanent control system
QUESTION NO. 6
In particular, do you share the view that
is given regarding the positioning and
the responsibilities of the Chief
information security officer?
T
his section deals with risks related to system installed, i.e. providing the service
the “information system operation” expected by users, especially in terms of
macro process, which includes all quality, reliability and availability. The same
actions in relation to the use and operation issues apply to “change” actions, where
of the existing system, as well as actions to the risk is that they will be unable to properly
develop new services or equipment (projects), provide the expected services. In recent
or simply actions to make corrections or years, particular attention has also been
moderate changes (corrective and upgrade paid to data quality.
maintenance). The operational management
of existing services is sometimes called “run” The following sections explain the pri-
and the delivery of new services (application mary and secondary risk factors that
projects, installation of infrastructures) is may disrupt operating processes, conti-
sometimes called “change” or “build”. nuity management, change manage-
ment, and data quality. The main
The aim of all of these actions is to ensure measures for controlling these risks are
the proper operation of the information also described.
Operations Change
management Continuity management Data quality
(sytems and management (projects, management
networks) upgrades,fixes)
identified as essential and critical in the the backup environment. Therefore, the
continuity plan. These infrastructures must backup environment should be used in
be operational in order to quickly switch actual situations by the business line teams
production over to them in accordance with for a sufficiently long period of time and
users’ requirements (RTO and RPO). Data on a range of matters that is representative
backups must be sufficiently frequent and of their activities (in particular, to enable
well-protected. Switchovers may be trigge- conducting end-of-period work, such as at
red for the entire information system, or for the end of a week or month). Backup envi-
certain components or applications. In addi- ronments should allow alternate production
tion, the possibility of regional disasters on at least one of the backup sites. The
must be taken into account, in particular results should be monitored at the appro-
by locating the production environment priate level and necessary corrective mea-
sufficiently far away from the backup envi- sures should be taken.
ronment. Moreover, it is particularly impor-
tant that the backup site have a power 3 Change management
supply from a different power generation (projects, upgrades, fixes)
source than that supplying the main site,
and that it not be exposed to the same IT “change” (a.k.a. “build”) refer to all
natural hazards as the main site (river floo- modifications made to a system, either to
ding, proximity to the same airport or indus- fix it or upgrade it (maintenance), or to
trial or chemical site, etc.). If this is the case, change or supplement it (project). Changes
a third site will be needed in order to may concern software and hardware. These
actually retain production capacity in all are obviously delicate processes because
unavailability scenarios. they are carried out on existing production.
Mismanaged changes will cause malfunc-
Inadequate testing tions. In this area, the risk factors to be
considered are inappropriate change mana-
The effectiveness and pertinence of business gement standards, poorly organized or
continuity plans and IT backup plans depend incompetently managed changes or pro-
on sufficiently regular implementation tes- jects, functional and technical requirements
ting. The testing of technical and organisa- not adequately taken into account, insuffi-
tional systems makes it possible to assess cient testing of new components, and impro-
the robustness of the planned solutions, in perly implemented changes.
accordance with the service levels approved
by users. Inadequately defined or applied
change management standards
It is important for continuity plans to be
tested comprehensively using a proven Because it is a tricky process, change
methodology, so as to obtain reasonable management is usually governed by ope-
assurance of the plans’ quality and effec- rational policies and procedures. Such
tiveness, including compliance with user policies provide, for example, that releases
requirements. Backup tests are truly perti- should be grouped in batches rather than
nent only if they include a switchover of implemented individually. A release for
production from the main environment to which proper guidelines have not been
adopted has greater exposure to the risk proper sequencing of the various perfor-
of erroneous operations. mance stages after the quality of delive-
rables has been verified. Finally, the choice
Therefore, complete and appropriate policies of staff is crucial, and it is necessary to
and procedures are recommended. They verify that they have the expertise required
should be implemented by specialised teams to perform the various tasks.
trained for this purpose within the entities.
The different types of changes should be Functional and technical requirements
defined, including standard changes and not adequately taken into account
urgent changes to correct serious malfunc-
tions. The description of treatments should Changes are made in response to the infor-
distinguish the various phases, including mation system upgrade needs expressed
recording, impact assessment, classification, by users. It is therefore crucial that the
prioritisation, validation stages, planning, changes meet such needs. In addition, tech-
testing and regression conditions. nical standards will also impose technical
Management of versions (releases) should requirements with respect to security, pro-
also be included in these processes. duction and network operation.
data will thus have a single and reliable source. of the data generated. Risk indicators pro-
A function or business line should be given duced for the management body and super-
responsibility for these glossaries and tasked visors should be based, to the extent possible,
with updating them and ensuring the data on automatically calculated indicators rather
definitions are pertinent. Similarly, to increase than approximate values. Lastly, it is impor-
uniformity among the various applications that tant that the available data be sufficiently
use similar data, and thereby facilitate data detailed and aggregated in accordance
aggregation, it is in the institution’s interest to with the criteria requested, in order to meet
undertake a data standardisation process. all significant users’ needs.
This process should involve business lines and
functions, as owners of the information system, Inadequate data quality controls
as well as the IT function, which is responsible
for the consistency of the information system Data quality must be regularly and tho-
as a whole. This standardisation process can roughly checked by users and control func-
usefully be supported by data dictionaries that tions. Otherwise, the institution may not
set out data definitions and syntax, and that detect situations in which erroneous data
apply to all user entities. is used or generated.
T
his section discusses the risks that system operation” macro process, as was
may affect the “information system done above, and the “information system
security” macro process, which security” macro process focuses on preventing
includes the various prevention and res- and responding to malicious attacks.
ponse actions that may be taken to thwart
security breaches. Customarily, these The sections below describe the main risk
breaches are described in terms of their factors that can impact the security of infor-
impact on the availability, integrity, confi- mation systems and, for each one, will
dentiality, and evidence or traceability of suggest risk reduction measures that can
data and operations. be implemented. The risk factors discussed
are due to inadequate physical protection
The issue of information system security has of facilities that enable intrusions, inade-
become increasingly important due to cyber quate identification of IT assets (i.e. the
threats, but is in fact not a new concern. various assets that comprise the information
Originally, it encompassed both accidents system, such as hardware, software and
(breakdowns, natural disasters) and malicious data), inadequate protection of these assets,
threats. Today, accidental threats are more inadequate detection of attacks, and inade-
commonly dealt with under the “information quate response to attacks.
to identify assets, and should describe the information system. Cyber-attackers have
location, function and ownership of each varied motives, such as realising a direct
asset. The inventory should also associate gain (fraud, theft, ransom, espionage) or
interrelated assets to make it possible to causing harm (disrupting normal operations,
quickly identify interactions and interde- sabotage, reputational damage). Regardless
pendencies, which would be useful for of the motives, these attacks may impact the
crisis management purposes. system’s availability (e.g. blocking a system),
integrity (manipulation of an asset), confi-
Incomplete asset classification dentiality (e.g. viewing or stealing data) or
traceability (e.g. deleting access rights
Classification consists of defining the level changes). Protective measures must therefore
of sensitivity of assets, which is used to deter- cover these various types of disruptions and
mine the protective measures to be imple- be adapted to the sensitivity of each asset.
mented and to quickly identify the assets to These measures can no longer be designed
be isolated and safeguarded in the event of individually. Current best practice is to repli-
an attack. The primary focus of this classifi- cate them at the various levels of the infor-
cation should be data and their associated mation system (e.g. by filtering communications
applications. The classification serves as the not only upon entry but also at other points
basis for assigning sensitivity levels to the in the system) in order to slow the progress
systems and network equipment used for of an attacker. This is known as the “defence-
these applications, as well as to the sites in-depth” concept. If the logical protection
where such equipment is installed, thereby of assets is inadequate, there is a risk that
providing a global picture, both logically an attacker may enter the information system
and physically, enabling the institution to and compromise it. This may be due to inade-
prioritise the protection of assets. quate perimeter security systems, inadequate
protection against malware, inadequate
For the classification to be complete and identity and access rights management,
pertinent, it must include all logical assets inadequate employee authentication, inade-
and be fully applicable to the physical assets. quate protection of systems and data integrity
Moreover, it should result from a formal ana- and confidentiality, inadequate protection of
lysis process approved by the owner of the systems and data availability, inadequate
relevant asset, and be reviewed periodically. management of security patches, inadequate
The asset sensitivity assessment should be security reviews, inadequately secured out-
performed against the following criteria: sourced solutions, or inadequate information
availability, integrity, confidentiality, tracea- systems security awareness.
bility and legal or regulatory obligations.
Financial and reputational impacts may also Inadequate perimeter security systems
be included in this sensitivity assessment.
Perimeter security consists of protecting the
3 Logical protection of assets information system from external intrusion
or of isolating internal zones. Due to the
Asset security relies primarily on a set of IT significant number of communications with
protection measures (“logical” measures) external parties, perimeter security includes
intended to prevent any breach of the channelling communication flows to a
also have regular accounts to perform eve- means chosen by employees should be
ryday tasks (access to corporate e-mail, standardised and adapted to their duties.
web browsing, etc.). Effective access rights Compliance with these rules should be regu-
management requires the use of profiles larly monitored. Granting temporary authen-
(business line and technical profiles) to stan- tication credentials should be closely
dardise and facilitate the granting of indi- supervised and secured (e.g. password
vidual rights. Any additional individual changed at the time of the first connection).
access rights, inconsistent with the user’s If static, authentication credentials
profile, must be justified, formally granted (passwords, tokens, etc.) must be renewed
and approved. In general, access rights to periodically. Any off-site access to the infor-
an asset should be approved by the owner mation system should require enhanced
of that asset, either directly or by a delegate. authentication procedures (for employees
It is important that access rights be consistent and exter nal ser vice providers).
at all times with the positions users hold. In Authentication secret elements need to be
particular, accreditations granted should appropriately protected.
be promptly deleted when an employee is
transferred or leaves the company. Best Inadequate protection of the integrity
practice in this area is to synchronise access of systems and data
rights management systems with human
resource management systems (or service System and data integrity safeguards are
contracts if applicable). Rights granted needed to prevent attackers from making
should be reviewed regularly to ensure they changes to information system components
continue to be justified. Similarly, the defi- that may affect its proper operation (inclu-
nition of profiles should be reviewed perio- ding its reliability) or security. Such actions
dically to determine if they remain may include changes to the system’s confi-
pertinent. gurations or access rights in order to carry
out an attack, or altering data for the benefit
Inadequate employee of the attacker.
authentication systems
To enhance the security of systems and to
Authentication consists of providing proof enable detection of any configuration
of identity, for example to access a piece change, whether by adding a programme
of hardware or an application. In compu- or changing the parameters of systems or
ting, the most common tool is a password applications, best practice dictates strictly
but it must be sufficiently secure to limiting the right to run software on equip-
prevent spoofing. ment (servers and workstations) and finger-
printing the servers’ “key” files. Another
It is therefore important to set up authenti- way to reduce the risk of compromising
cation systems adapted to the sensitivity of hardware is to reduce to a bare minimum
the assets to be accessed. Dual factor and/ the software installed thereon and its fea-
or dynamic authentication means should tures. This technique, called “hardening”,
be implemented for access to the most cri- mechanically reduces the number of sof-
tical assets. If necessary, the rules governing tware vulnerabilities that could be exploited
the complexity of confidential authentication by an attacker. Data and their associated
memory. Lastly, at the application level, for usually update their IT solutions very quickly
publicly available applications (Internet when security breaches are discovered. If
applications and services, mobile applica- an institution does not quickly change the
tions, etc.) the institution should take mea- versions it uses to take advantage of security
sures to prevent any attempt at reverse patches, it will be exposed to attacks. This
engineering. This practice seeks to recover task is facilitated if the institution has an
the source code of software in a usable up-to-date asset inventory (see section 5.2).
form for the purpose of counterfeiting it
(intellectual property infringement) or unders- Protecting the information system against
tanding its operation (e.g. to attack it). logical attacks requires promptly updating
security patches for all relevant assets.
Inadequate availability safeguards A monitoring procedure should be set up
to detect any vulnerabilities of the infor-
External attacks can make the information mation system and provide fixes as quickly
system unavailable, either by completely as possible. The configuration information
preventing access or simply by slowing it available in the asset inventory can be
down. Such cyber-attacks, called denial-of- used to verify the extent of vulnerabilities
service (DoS) attacks,28 which saturate and establish an update plan. This plan
external accesses to a system, have become should take into account the sensitivity level
frequent in recent years. These attacks cause of the assets. To avoid creating new vulne-
immediate disruption to users, and can rabilities, new hardware installed should
damage the reputation of institutions in the have editors’ support and up-to-date ver-
banking and insurance sectors. sions of security patches.
equipment connected to the Internet, which capabilities. After the outsourced services
is by definition more exposed, but also of have been set up, they must meet the same
internal equipment (servers). Targeted intru- security requirements as if they were per-
sion tests should supplement vulnerability formed by the institution itself. The outsour-
scanning to test the security of newly ins- cing contract should specify that the security
talled or upgraded hardware and applica- conditions applied by the service provider
tions. To obtain objective and reliable must comply with the institution’s security
results, these campaigns should be conduc- policies. The institution must monitor the
ted by external experts or independent third performance of outsourced services over
parties, using a variety of approaches and time, including any incidents. The institution
methodologies. Lastly, security-focused code must have audit rights that are not unduly
audits should be conducted to identify and limited by restrictive clauses (long notice
fix any potential vulnerability as quickly as periods). With respect to outsourced cloud
possible. computing services, the ACPR published a
number of data and systems security best
Inadequate security practices in July 2013,29 with which insti-
of outsourced solutions tutions are expected to comply, as well as
with the EBA recommendations issued in
It is common that service providers manage December 2017.30
part or all of the information system on
behalf of institutions. These service providers Inadequate information systems
may belong to the same group as the ins- security awareness
titution or may not be affiliated with it. In
either case, service providers act in the Raising the awareness of staff and mana-
name and on behalf of the institution, and gement about the security of information
the institution remains responsible for the systems is a prerequisite to creating a risk
management of its information system, inclu- culture on these issues. Such culture can be
ding its security. useful in thwarting malicious attacks, which
often target employees and managers, and
Therefore, protecting the security of the seek to manipulate them in order to hack
information system requires that the portions into the system (e.g. infected USB sticks or
outsourced be protected to the same extent email messages) or to carry out a fraud
as the rest of the system. For this purpose, (social engineering).
before any outsourcing, the institution must
conduct a risk analysis to which the control Awareness-raising actions are advisable to
functions, in particular the information secu- prevent such actions. They should supple-
rity function need to contribute. The mana- ment existing procedures by providing
gement body will decide on outsourcing information about risks and providing trai-
29 ACPR (2013): “The risks projects taking into account security condi- ning in best practices with respect to the
associated with cloud computing”,
July. https://acpr.banque-france. tions. The risk analysis should identify the use and protection of the information system.
fr/search-es?term=201307+Risque
s+associes+au+Cloud+computing relevant activities that are sensitive in nature, Specific training programmes for employees
30 https://www.eba.europa.eu/ and ensure that the service provider has with high privileges (administrators) or who
documents/10180/1712868/
Final+draft+Recommendations+o solutions that guarantee data confidentiality perform sensitive functions (developers)
n+Cloud+Outsourcing+%28EBA-
Rec-2017-03%29.pdf (e.g. by using encryption) and backup should also be scheduled regularly. To the
extent possible, awareness-raising actions Centre -SOC), which ideally should be ope-
should be extended to external staff, partners rational 24/7. These SIEM tools should
and customers. The effectiveness of each cover the entire information system, or at
action conducted should be evaluated, and least its components that interface with the
adjustments should be made if necessary. Internet and its components classified as
sensitive. Traces collected should be
4 Detection of attacks time-stamped, archived, and protected
against any attempted change. The most
Security can no longer be based solely on serious alerts should be handled by the
protective measures. The occurrence of monitoring team, which should stay
“silent”31 cyber-attacks demonstrates the constantly informed of new attack proce-
ability of attackers to intrude into an infor- dures or vulnerabilities exploited.33 The
mation system without being detected, in organisation in place should enable infor-
order to understand how it is organised mation to be shared about incidents detec-
and cause serious harm. Therefore, protec- ted by the various internal units. Exchanges
tive measures may not be sufficient and with peer institutions and the authorities
must be coupled with detection measures. should also be conducted.
These detection efforts usually focus on two
areas. The first is collecting and analysing Inadequate monitoring
events (“traces”) recorded by the hardware, of unusual behaviour of users
and the second is recognising unusual beha-
viour of users. If such detection tools are External users (e.g. customers connecting
not used, or if they are incomplete, the online) and internal users (employees per-
institution may be unable to detect or block forming operations, IT staff) use the func-
intrusions into its information system. tionalities of the information system intended
for their use. Malicious acts by them, or by
Inadequate trace collection and analysis attackers who usurp their rights, will result
in an abnormal use of these functionalities.
There are tools32 available for collecting, If mechanisms for monitoring abnormal
centralising and correlating events (“traces”) behaviour of users are not put in place, the
recorded by the various types of information institution’s information system risks being
system hardware (e.g. firewalls, network hacked without its knowledge.
routers, detection probes, as well as the
production systems), which can be used to Best practice is to monitor suspicious actions
monitor this equipment. This monitoring in applications, administrative tools,
may enable detecting intrusions or attemp- databases or any other sensitive environ-
ted intrusions into the information system ment within the organisation. This monito-
and thus providing prompt alerts. ring should be done in real time to enable
31 Such attack do not provoke
immediate disruption, but aim to greater responsiveness to attacks. Unusual
gain progressively access to the
different elements of the Best practices, especially for cybersecurity connections to the information system should
information system, in order to
maximize the attack. purposes, now require automatic tools for be monitored (connections at unusual times
32 E.g. security incident event collecting and analysing traces, as well as or dates like holidays, numerous connec-
management (SIEM) tools.
a monitoring team that can take action tions, access from new machines or Internet
33 This function may be
performed by the SOC. based thereon (such as a Security Operating addresses, etc.). Anomalies during the
authentication of external users (customers, proper functioning of the institution, the ope-
service providers) and internal users should rating methods to be implemented to mitigate
be recorded and analysed (e.g. multiple impacts and resume operations. The roles
attempts). Unusual behaviour of customers and responsibilities of decision-makers and
who use transactional sites (e.g. online key employees should be specified, and they
account management) should be detected. must be provided with the resources (pre-
High-value disbursement transactions should mises, equipment, communications or service
be monitored and blocking mechanisms providers) to meet and direct the operations.
may be activated to prevent numerous or This type of organisation is required for
high-value outflows. Copying and mass banking and insurance institutions, in parti-
delete functions on sensitive databases cular for dealing with a loss of resources
should be monitored or blocked, as well (buildings, employees, IT systems). If the
as privilege escalation functions on systems crisis management organisation does not
and databases. cover the various information system security
breach scenarios, institutions may not be
5 Response to attacks able to manage them effectively.
Roles and responsibilities of the IT • Poorly defined, allocated or communicated roles and responsibilities
and information security functions • Inadequate or insufficient staffing
Incomplete:
Inadequate identification
• asset inventory
of assets
• asset classification
Deficiencies in:
• Perimeter security systems
• Protection against malware
• Identity and access rights management
• Authentication of employees
Inadequate logical protection • Protection of the integrity of systems and data
of assets • Protection of the confidentiality of systems and data
Securing the IS
• Protection of availability
• Management of security patches
• Security review processes
• Security of outsourced solutions
• Information systems security awareness
Deficiencies in:
Inadequate process
• Trace collection and analysis
for detecting attacks
• Monitoring of unusual behaviour of users
Deficiencies in:
• Crisis management
Inadequate attack response system
• Containment of attacks
• Business recovery