
March 2018 IT Discussion Paper

DRAFTED BY Marc ANDRIES, David CARTEAU, Sylvie CORNAGGIA, Pascale GINOLHAC, Cyril GRUFFAT, Corinne Le MAGUER

CONTRIBUTORS Roméo FENSTERBANK, Thierry FRIGOUT, Pierre HARGUINDEGUY, Christelle LACAZE

EXECUTIVE SUMMARY

The emergence of cyber-attacks in recent years has heightened concerns about IT risk. These concerns are not specific to the banking and insurance sectors, but they are of particular relevance to these sectors, which are essential components of a properly functioning economy and key actors in protecting public interests.

To address these concerns, the supervisory authorities have gradually ramped up their actions in this field. International bodies have developed new IT risk rules, and authorities, such as the ACPR, acting in particular within the framework of the European Single Supervisory Mechanism for the banking system, have strengthened their supervision.

This discussion paper emphasises that IT risk is no longer a topic specific to IT teams, but must be part of an overall approach to risk control and risk management coordinated by the risk management function. Therefore, the operational risk management reference framework must be refined to more effectively include all aspects of IT risk within the recognised categories of operational risk. Under such an organisation, the management body must be directly involved in ensuring the alignment of its IT strategy with its risk appetite, but also in implementing and monitoring the risk management framework.

Based on their supervisory experience, the various departments of the ACPR have developed a definition and classification of IT risk that cover its various aspects and enable it to be treated globally. Institutions supervised by the ACPR can use this classification to develop or reinforce their own risk map. This classification covers the three main processes applicable to the implementation and management of information systems, i.e. issues in relation to the organisation, proper functioning and security of information systems. For each of these major processes, this discussion paper describes a set of risk factors, which are examined on two levels to enable a fairly detailed analysis. For each risk factor, the main measures expected for mitigating and controlling it are presented. These measures are optional and institutions can tailor them to their specific context. They illustrate the best practices usually observed by the ACPR and they aim to create a common ground for controlling IT risk management in the banking and insurance sectors.

ACPR – Information technology risk

CONTENTS

4 Introduction

6 IT risk and its inclusion in operational risk
  6 1 Regulatory status at the international level
  7 2 The ACPR’s approach to defining and classifying IT risk

11 Organising the information system, including its security
  12 1 Involvement of the management body
  13 2 Alignment of IT strategy with the business strategy
  14 3 Budget management
  15 4 Roles and responsibilities of the IT and information security functions
  16 5 Rationalisation of the information system
  17 6 Control of outsourcing
  19 7 Statutory and regulatory compliance
  20 8 Risk management

23 Operating the information system (“build and run”)
  24 1 Operations management (systems and networks)
  25 2 Continuity of operations management
  28 3 Change management (projects, upgrades, fixes)
  30 4 Data quality

32 Securing the information system
  33 1 Physical protection of facilities
  33 2 Identification of assets
  34 3 Logical protection of assets
  39 4 Detection of attacks
  41 5 Response to attacks

43 Appendix: Classification of IT risk

Introduction

For several years, many international bodies have focused on the growing IT risk in the banking and insurance sectors. This emphasis is driven by two observations. Firstly, institutions’ operations now rely entirely on automated information systems, including for customer relations,[1] and these environments have become complex to manage. Secondly, even when all precautions are taken, IT damage is a major risk for these institutions’ operations. In particular, the capacity of cyber-attacks to cause harm has steadily increased in recent years. Whereas, initially, these attacks focused primarily on customer equipment and therefore were discrete events that caused little overall disruption, they now directly target institutions’ IT environments and can have major consequences, including systemic impacts, due to the increasing interdependency between the various financial players.

In response, the bodies that develop international standards applicable to the banking and insurance sectors have begun to articulate their expectations vis-à-vis the industry. The European Banking Authority (EBA) has published several documents prescribing standards in relation to the IT risks to which the banking sector is exposed, including guidelines to be followed by supervisory authorities for adopting a uniform approach to assessing institutions’ IT risks.[2] The European Insurance and Occupational Pensions Authority (EIOPA)[3] has published an issues paper on cyber risk[4] and has undertaken a review of this risk in conjunction with major players in the insurance sector.

Among the various IT risks, cybersecurity risks have been given particular attention by several authorities. The G7 has adopted high-level, non-binding principles intended to provide guidance and harmonise actions in this area,[5] and continues these actions on several fronts to encourage the efforts of regulators in the sector. The Committee on Payments and Market Infrastructures (CPMI)[6] of the Bank for International Settlements and the International Organisation of Securities Commissions (IOSCO)[7] have published guidelines to improve the resilience of market infrastructures to cyber-attacks.[8] The International Association of Insurance Supervisors (IAIS)[9] has also published an issues paper on cyber risk for the insurance sector,[10] which will be followed by an implementation document.

All of these documents explicitly or implicitly recognise IT risk as an operational risk, as documented and then regulated by the Basel Committee on Banking Supervision (BCBS) from 2003. However, the inclusion and treatment of IT risk within operational risk still needs to be clarified for the same treatment principles to apply thereto.

On their side, the supervisory authorities have also significantly ramped up their actions in the IT risk field. Starting in November 2014, when the European Central Bank (ECB) acquired direct supervisory powers over the largest banks of the Euro-zone (“significant institutions”), assisted by the national supervisory authorities comprising the Single Supervisory Mechanism (SSM), it immediately initiated several off-site supervisory actions and onsite inspections. Assessment questionnaires focusing on cybersecurity and IT outsourcing practices enabled a quick evaluation of the strengths and weaknesses of the sector, which led to corrective actions. Numerous onsite inspections, usually conducted by the national authorities, supplemented the process and provided precise information on actions to be carried out.

This approach was already well-established in France because, in 1996, the Commission bancaire (Banking Commission) had published a White paper on the security of information systems in credit institutions and, since 1995, it has had a unit dedicated to risks in relation to information systems within its onsite inspection teams. On the strength of this experience, the ACPR participated in the ECB’s actions by making its off-site supervisors available to the SSM’s joint supervisory teams and by having onsite inspections performed by the Banque de France’s inspectors. In the areas in which it has direct authority, such as “less-significant institutions”, other banking sector entities (in particular, finance companies and payment service providers) and insurance, the ACPR also carries out numerous actions in connection with its ongoing supervision and onsite inspections. The constant increase in IT risks is an ongoing challenge that requires expanded resources and skills. To meet this challenge, the ACPR has continued its training actions and supplemented the dedicated onsite inspection teams with a network of around 20 IT risk experts. These experts represent the ACPR in various international bodies working on IT risk and cybersecurity issues.

This discussion paper was drafted by IT experts from the ACPR’s network. It aims to focus attention on IT risk issues deemed significant, both in terms of recognising and reducing such risks. It is a contribution to the discussion on how IT risk controls should be incorporated into the operational risk management framework. Firstly, the paper proposes a definition of IT risk, which is viewed as part of operational risk. Secondly, this definition is supplemented by a proposal for classifying IT risk in a manner that covers all of its aspects coherently. For each factor included in this classification, the paper explains what it deems to constitute sound risk management.

[1] This is at times referred to as the “digitisation” of banking and insurance operations.
[2] EBA (2017): “Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP)”, 11 May 2017.
[3] In French Autorité européenne des assurances et des pensions professionnelles (AEAPP).
[4] Drafted by its Insurance and Reinsurance Stakeholder Group (IRSG): “Cyber Risk – Some Strategic Issues” (April 2016).
[5] G7 (2016): “Fundamental Elements of Cybersecurity for the Financial Sector”, October, and G7 (2017): “Fundamental Elements for Effective Assessment of Cybersecurity in the Financial Sector”, October.
[6] Committee on Payments and Market Infrastructures (CPMI).
[7] International Organisation of Securities Commissions (IOSCO).
[8] CPMI-IOSCO (2016): “Guidance on Cyber Resilience for Financial Market Infrastructures”, June.
[9] International Association of Insurance Supervisors (IAIS).
[10] IAIS (2016): “Issues Paper on Cyber Risk to the Insurance Sector”, August.

IT risk and its inclusion in operational risk

1 Regulatory status at the international level

The concept of operational risk, which was originally devised by the banking authorities, was then adopted by the insurance industry authorities. Since 2003, the Basel Committee on Banking Supervision has steadily expanded its recommendations on the management of operational risk.[11] It has also added capital requirements to enable institutions to deal with operational incidents they may experience.[12] To cover the multiple facets of operational risk, the Basel Committee has adopted a broad definition that includes internal failures and external events, and focuses on the risk of financial loss, whether direct or indirect. According to the Committee, operational risk covers any “risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. This definition, with slightly different wording, is now included in various legislative and regulatory frameworks, notably the European directives governing the banking sector[13] and the insurance sector.[14] It has also been incorporated into the French banking laws.[15] This framework has been intentionally designed to be broad and flexible so as to cover a wide variety of organisations and enable institutions to apply it in a manner that is proportionate to the breadth and complexity of their activities.

None of these documents explicitly addresses IT risk, although the various authorities are in agreement that it should be included under “process, personnel and system failures”, for example in the case of IT system breakdowns or errors, or under “external events” in the case of cyber-attacks. This was due to the original reasoning of the standards-setting authorities, which considered IT tools, and information systems as a whole, to be components at the service of institutions’ businesses, rather than an essential concern. Under this approach, the most important risks are those specifically related to business operations, such as credit, market or insurance risks. An IT failure is thus primarily viewed in terms of its consequence on the business of its user. The recognition of operational risk in the 2000s was a breakthrough insofar as a qualitative treatment (risk management and internal control), and later a quantitative treatment (capital requirements), supplemented “business” risks and were extended to various events that could impact business support functions (including the IT function). The extensive and in-depth business continuity work carried out around 2005 also focused on more robust measures in this area to improve fault tolerance, but did not change the general operational risk framework. Apart from a broad all-encompassing definition, operational risk continues to be classified into seven (discretionary) categories, none of which, individually or combined, truly fit the varied aspects of IT risk.[16]

The recent work focusing on IT risk is therefore a significant development. There is a more explicit recognition of this risk due to its growing and cross-disciplinary importance for all businesses. Nevertheless, although all regulators classify it among operational risks, specific guidance on defining and handling IT risk has been slow to come. Accordingly, institutions have been given discretion in this area, but they must demonstrate that they deal with all aspects of IT risk in accordance with the provisions applicable to operational risk. This is not an easy task. Banking and insurance institutions, like all businesses, have long relied on sound IT management principles published by various international standards bodies, such as the International Organization for Standardization (ISO), to which some banking regulations themselves refer.[17] However, these standards, which have been developed by IT professionals, do not share the conceptual framework established by banking and financial regulators. The concepts of risk management, although similar, are not exactly the same and, for example, are not based on an internal control system. Furthermore, these standards are not necessarily pertinent to the corporate governance system that the banking and financial regulators require institutions to put in place. Supervisory authorities will ensure that institutions’ IT risk management framework is not entirely decided and deployed by the IT department, but require that this aspect be properly integrated into the general operational risk management framework.

2 The ACPR’s approach to defining and classifying IT risk

The ACPR General Secretariat has undertaken work to clarify the definition and treatment of IT risk. This cross-disciplinary work, aimed at both the banking and insurance sectors, was carried out by the ACPR’s network of IT experts. This work culminated in a definition and classification of IT risk intended to cover all aspects thereof. These elements are intended to contribute to the work of various international bodies, particularly in view of the Basel Committee’s revision of its Principles for the Sound Management of Operational Risk[18] and the IAIS’s revision of its Insurance Core Principles.

Definition of IT risk

At the outset, it seems important to have a clear definition of IT risk that is pertinent from the standpoint of IT activities, as well as with respect to customary operational risk analysis concepts. To date, there is no such definition in the regulations applicable to the banking and insurance sectors. The IAIS refers to a definition proposed by insurance sector professionals (The CRO Forum).[19] In 2014, the EBA included a definition in its guidelines on the Supervisory Review and Evaluation Process (SREP),[20] which needs to be supplemented in light of experience and knowledge acquired in this area.

The definition proposed in this paper aims to cover all aspects of risk, including aspects in relation to information system governance and organisation. The ACPR’s definition is: “IT risk” (or “information and communication technology risk” (ICT) or “information system risk”) is the risk of loss arising from an inadequate organisation, failure, or insufficient security of the information system, which includes all systems, equipment, networks and resources devoted to processing the institution’s information. This definition is consistent with an operational risk approach because, if the risk is realised, it results in a loss (or near-miss, opportunity cost, undue gain or additional costs). This definition is broad in scope and applies to the information system as a whole, i.e. its technical systems and organisation, as well as the human resources involved in data processing. It also applies regardless of the term used (information system risk, ICT risk or IT risk). For reasons of convenience, the customary term “IT risk” has been chosen and covers these various other terms. In addition, this paper discusses three main risk areas that have been chosen to structure the risk analysis and treatment approach: organisation and governance, proper functioning and quality, and information system security. This also covers all IT management processes and comprehensively targets the risk factors underlying IT risk. It also provides a framework for classifying cyber risk.

[Figure: IT risk. An inadequate organisation, a failure or disruption in the operations, or insufficient security of the information system results in an incident resulting in a loss.]

This definition includes cybersecurity, but is not limited to it. Cybersecurity refers to an approach designed to protect against and respond to attacks against all or part of the information system, and thus does not cover all IT risks. Therefore, cybersecurity should be included in the approach to treating IT risk and not the other way around. For its work, the ACPR uses the definition of cybersecurity adopted by the ECB.

According to this definition, “cybersecurity is the set of controls and organisational measures, as well as the resources (human, technical, etc.) used to protect the components of the information system and communication networks against all logical attacks, whether carried out through physical or logical security breaches. These controls and measures include prevention, detection and response to any malicious IT activity targeting components of the information system, and potentially affecting the confidentiality, integrity or availability of systems and data, as well as the traceability of operations performed on these systems and networks”.

[Figure: Cybersecurity. What is it? Measures: technical and human means. Of what sort? Prevention, detection, response. Against what? Malicious attempts against the information system’s confidentiality, integrity, availability and traceability.]

QUESTION NO. 1
Do you think the definition of IT risk is suitable, or do you have any proposal to improve it?

QUESTION NO. 2
Do you share the opinion that cyber-risks fall within IT risks and that a comprehensive approach to all these risks is advisable?

Classification of IT risk

This proposed classification of IT risk categorises in an orderly manner all identified risk factors for the three IT macro processes: organising the information system (including its security), operating the information system (“build and run”), and securing the information system. Primary and secondary IT risk factors have been identified for each of these three macro processes.

[Figure: IT macro-processes generating IT risk: organising the information system; operating the information system (“build and run”); securing the information system.]

Organisation-related risk factors include situations of inadequate decision-making and overall supervision, which can lead to poor IT management, inadequate support for business needs, and unsound management of IT risk in general.

Operation-related risk factors are considered in the broad sense of the term, i.e. including operations and projects, business continuity and data quality. They all focus on factors that may affect the proper functioning of the information system and thus impact the ability of an institution to conduct its business. In particular, the classification includes the risks of inadequate supervision of projects and changes, business continuity failures, and poor data quality (customer data, reports to be submitted to regulators or reports specific to institutions not intended to be made public).

Lastly, security-related risk factors cover all malicious attacks that impact the availability, confidentiality and integrity of data and systems managed by the institution. These include risk factors such as inadequate identification and protection of IT assets, deficient detection systems and weak response capacity to attacks.

The proposed classification is set out in detail in the appendix hereto. It is more granular than the current classification of the Basel Committee on operational risk and is intended to complement it. Institutions are free to use their own classification or to use the one proposed by the ACPR. In all cases, the full range of risks identified should be covered, unless not justified by their organisation or business model. In this regard, it is worth noting that if all or part of an institution’s information system is outsourced, this does not mean that the institution is no longer exposed to these IT risks. It must therefore continue to identify and control these risks pursuant to its operational risk management framework and internal control system.

The sections that follow describe the risk factors included in the proposed classification and the measures deemed to be of use or necessary to control them. These risk factors are defined as events or situations that may increase the probability of IT risk. The measures to control these risk factors that are described in this paper are obviously not exhaustive or mandatory. The primary intent is to establish a common analysis framework for all institutions that will enable them to adopt sound practices for managing these risks. The ACPR may also use these measures as a basis for its contributions to the work of the various international bodies in which it participates.

QUESTION NO. 3
Do you think the ACPR’s proposal for the classification of IT risk is suitable, or do you have any proposal to improve it?

[11] BCBS (2003): “Sound Practices for the Management and Supervision of Operational Risk”, Basel Committee Publications No. 96, February.
[12] BCBS (2006): “International Convergence of Capital Measurement and Capital Standards”, June 2006 (Basel Committee Publications No. 128).
[13] Directive 2013/36/EU of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms (CRD IV Directive). Regulation (EU) No. 575/2013 of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No. 648/2012 (CRR, Article 4).
[14] Directive 2009/138/EC of the European Parliament and of the Council of 25 November 2009 on the taking-up and pursuit of the business of insurance and reinsurance (Solvency II). Article 13 (33) defines operational risk as the “risk of loss arising from inadequate or failed internal processes, personnel or systems or from external events”.
[15] Article 10 of the Arrêté du 3 novembre 2014 on the internal control of companies operating in the banking, payment services and investment services sector subject to the supervision of the ACPR defines operational risk as “the risk of loss due to inadequate or failed internal processes, personnel and systems or external events, including legal risk. In particular, operational risk includes risks associated with events with a low probability of occurrence but significant impact, the risks of internal and external fraud defined in Article 324 of the aforementioned Regulation (EU) No. 575/2013, and model-related risks”.
[16] CRR, Article 324: internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; execution, delivery and process management.
[17] EBA (2011): “Guidelines on Internal Governance (GL44)”, section E.30.2.2, September.
[18] BCBS (2011): “Principles for the sound management of operational risk”, June.
[19] “Any risks that emanate from the use of electronic data and its transmission, including technology tools such as the internet and telecommunications networks. It also encompasses physical damage that can be caused by cybersecurity incidents, fraud committed by misuse of data, any liability arising from data storage, and the availability, integrity and confidentiality of electronic information − be it related to individuals, companies, or governments”.
[20] EBA SREP GL (2014): “Information and communication technology (ICT) risk” means the current or prospective risk of losses due to the inappropriateness or failure of the hardware and software of technical infrastructures, which can compromise the availability, integrity, accessibility and security of such infrastructures and of data.

Organising the information system, including its security

Information system organisation refers to the macro process covering all decision-making actions (sometimes referred to as “governance”), coordination (such as defining a “strategy” and allocating the corresponding resources), the allocation of responsibilities within the entity, as well as the policies and actions implemented to ensure proper management of the information system (for example by reducing its complexity), control of outsourced functions, and compliance of IT tools with the laws applicable to the institution. Lastly, a sound and prudent organisation requires a risk management system that includes internal controls. These organisational actions are also important for the security of the information system.

The sections that follow explain the primary and secondary risk factors that may impact information system organisation and security, as well as the main measures to control these risks.

[Figure: Organising the information system (incl. information system security). Risk factors: decisions of the management body; IT strategy; budget management; roles and responsibilities of the IT and information security functions; rationalisation of the information system; control of outsourcing; statutory and regulatory compliance; risk management.]

1 Involvement of the management body

Due to their technical nature, or for cultural reasons, the “management body” (which is the European regulatory reference to both senior executives and boards or equivalent[21]) may be tempted to disregard IT issues and choose to rely entirely on IT managers.[22] However, if the IT managers do not have an accurate vision of the overall issues the company faces, or if they are not properly supervised, there is a risk that they may not be able to provide IT services that are adequate for the company’s business. It is therefore important that corporate governance principles, emphasising managerial responsibility and fostering clear and transparent decision-making processes, also be applied to IT activities. In other words, the management body, which is responsible for the proper functioning of the institution, must be involved in decisions relating to the information system and must ensure IT risks are controlled.

The ACPR’s IT experts have identified three risk factors generated by inadequate involvement of the management body.

[Figure: Involvement of the management body. Risk factors: inadequate understanding of issues; inappropriate decisions; insufficient monitoring.]

Inadequate understanding of issues

Maintaining and developing an information system requires anticipating the future needs of the business lines and support or control functions, and ensuring they have the appropriate technological resources when needed. Information system quality and control must be included in strategic choices. If the management body inadequately understands these issues, there may be delays in adapting to change or situations where control over the information system is not maintained.

It is therefore essential that senior executives and independent directors understand the information system development and management issues relevant to the proper functioning of their institution. If they lack expertise in this area, they should, for example, schedule working meetings with internal and external specialists dedicated to these matters.

Inappropriate decisions

Appropriate involvement of the management body requires that it controls decisions relating to information system maintenance and upgrades. Otherwise, poor decisions may be taken, resulting in an inadequate information system.

Although it does not have to be involved in every decision, it is important that the management body sets the policies applicable to the information system. These policy choices should be based on a solid risk analysis in line with the risk management system and the risk appetite that has been approved. It is essential that major decisions relating to the information system, which involve the business lines or may generate significant risk, be taken by senior executives under the supervision of the board.

Insufficient monitoring

If the management body does not closely monitor the proper functioning and security of the institution’s information system, it will be difficult to react quickly in the event of an operational or security incident.

Complete information on quality, performance, project schedules and security maintenance indicators is therefore essential to enable the management body to fulfil its responsibilities. These indicators should not be monitored solely by IT managers. The management body can of course focus on regularly monitoring certain key indicators that are deemed pertinent with respect to the defined strategy, risk control or oversight of a particular service.

2 Alignment of IT strategy with the business strategy

Information technologies evolve constantly. These developments can provide institutions with new opportunities, but may also generate new risks. IT strategy, including with respect to security issues, is a component of institutions’ overall strategy. Its objective is to meet the needs of the business lines and support functions, but it is also increasingly at the core of institutions’ strategy to maintain or gain a competitive advantage through the use of technological developments. If the institution does not define an IT strategy, or if the strategy is not aligned with the needs of the business lines, the information system may ultimately fail to meet the institution’s requirements, which could compromise its ability to achieve its commercial and financial objectives. The sections below discuss the risk factors that have been identified in this area.

Failure to anticipate business needs and technological upgrades/issues/uses

IT upgrades often take several years and must be properly anticipated. Unless based on a specific strategy that combines the variety of needs and foresees technological developments, upgrades to the information system may be erratic and unable to service the institution’s requirements in a timely manner.

Therefore, it is important for IT managers, in conjunction with the business lines and with the approval of the management body, to formally adopt a genuine IT strategy in line with the institution’s strategic objectives. To be pertinent, the IT strategy must anticipate medium-term needs and developments and set concrete objectives for managing them. Ordinarily, this should be the product of a formal process that includes consultations with the business lines and functions about their needs, and incorporates IT risk management (e.g. risks in relation to complexity and security). Thereafter, its implementation should be closely supervised to ensure objectives are achieved, anticipate difficulties and make necessary adjustments. It is also important to update the strategy annually to reflect new needs. If the institution is a member of a group, it is important that its strategy is consistent with that of its group.

Inadequate tools and service levels

If an institution has no IT strategy or if the strategy is not pertinent, there is a risk that the IT department will not appropriately take users’ needs into account and that the institution will not be able to conduct its business optimally.

It is therefore important to include users’ operational needs in strategic considerations, for example regarding the availability and security of environments. Obviously, the strategy document will not describe service levels with the same degree of detail as a service level agreement (SLA). Nevertheless, it is important to conduct a global analysis of the institution’s operational needs, for itself and for its customers and partners, so as to avoid compromising its business.

3 Budget management

The budgetary process allocates the amounts required to implement the IT strategy that has been approved. These include expenses (equipment, licences, services, training, etc.) and human resources (internal or external resources, including project management services). The budgets allocated must then be monitored to make any necessary adjustments or to redefine them if required. If the budget allocation process is not clearly [...] processes follow one another or are associated. Projects and maintenance should each receive a specific and well-identified budget allocation to avoid depriving either one of necessary funds. The resources made available should also correspond to the deployment stages set out in the IT strategy.

Non-existent or insufficiently clear budget allocation

Without the required resources, the IT department will be unable to properly manage the information system. A documented process, binding on all departments of the institution, including those concerned with information security, is essential to manage the process of preparing and allocating IT budgets.

This process includes identifying functional and technical requirements in relation to all applications, as well as those requirements in relation to the operation of the information system and data security.

[21] In this document, the words “the management body” refer both to senior executives (“Direction générale” in French) and to the supervisory body of the institution, like the Board (“conseil d’administration” or “conseil de surveillance” in French, or any similar body).
[22] Or, more broadly, on the Information Technology Department.
Given defined or if no such process exists, if the the life cycle of IT programs/projects,23 it budget is not aligned with the strategy pre- is important to combine: (i) a multi-year viously developed and/or if expenditures approach that allocates global budgets for are not rigorously monitored, the financial large-scale programmes with (ii) an annual resources available may not be used opti- approach that defines the budget for the mally for the purposes of planned IT changes. coming year, including the share of major programmes during the relevant year and Inadequate budget alignment smaller projects that are considered a prio- with strategy rity. It is important that all stakeholders be involved in the process and that final deci- The IT budget must enable implementation sions be taken by the management body. of the IT strategy approved by the institu- tion. If it is insufficient or allocated too late, Inappropriate oversight of expenditures the strategy may not be implemented or implementation may be delayed. Monitoring and controlling IT costs are essen- tial to maximise the institution’s profitability, 23 In this paper, a programme refers to a set of projects that are It is therefore advisable to make the two to report to the management body on the coordinated in common due to their highly complementary nature, processes consistent so as not to generate progress of projects and budget overruns and which does not exclude individual coordination of each project. discrepancies. Most frequently, the two to make any necessary adjustments.

ACPR – Information technology risk 14 Organising the information system, including its security

Budget control requires monitoring overall able to interact directly with IT managers expenditures, which is ordinarily done by who hold full and complete authority within the financial function, as well as monitoring their remits. by programme and by project, both on an annual basis, against the allocation for the Therefore, the IT function should be in a posi- year, and on a multi-year basis, against the tion to globally manage an institution’s infor- budget originally attributed, adjusted, if mation system. Ordinarily, the IT department necessary, after the programme or project includes the application development and is launched. It is important that any budget maintenance teams, as well as the staff res- overruns over a certain threshold be justified ponsible for operating system and network and approved by the management body, or infrastructures. However, in some cases, the that they be offset by management decisions. business lines and support functions have A clear and up-to-date procedural framework their own development and maintenance should provide for standardised procedures teams, and at times their own production for managing expenditures, approving bud- teams, which may also be set up as IT depart- get overruns, decision-making and informing ments. Accordingly, it is important that one senior executives and the board. person be in charge of the IT function broadly speaking, i.e. all teams, whether they are 4 Roles and responsibilities within the central IT department or the business of the IT and information lines or functions. This manager must have security functions full authority over the strategic directions of the entire IT function, the overall budget, the Although executive managers have full res- standards and procedures for ensuring sound ponsibility for issues related to the informa- management and control of information sys- tion system and its security, they need to tem risks. 
The head of the IT function should rely on IT managers and their teams, who be sufficiently senior in the hierarchy, ideally are referred to in this document as the “IT reporting directly to the management body, function” and “information security func- to ensure that IT issues are properly considered tion”. The information system will not be within the institution. properly organised if these roles and res- ponsibilities are not clearly defined and The information security function must also allocated, if the managers’ skills profiles be clearly identified and granted full autho- are not appropriate or if insufficient rity. This function, which is headed by the resources are budgeted. chief information security officer (CISO), originally focused on defining the information Poorly defined, allocated or security policy, raising awareness of security communicated roles and responsibilities issues among teams and contributing to risk control, for example by conducting security A clear division of responsibilities between studies or performing level-2 controls. During the managers will facilitate efficient mana- its inspections, the ACPR has noted that this gement of activities and avoid blockages. function is too often incorporated into the IT As has been the case for other banking and function, whereas it is preferable that it be insurance functions (risk, compliance), independent so as to enable it to give objec- supervisors now increasingly expect to be tive opinions on IT security, as well as to

ACPR – Information technology risk 15 Organising the information system, including its security

alert the management body of high-risk situa- 5 Rationalisation tions. As cyber risks grow, the role of the of the information system CISO becomes increasingly crucial and the position should be placed high in the hie- Over time, information systems undergo rarchy. Attaching it to the risk management significant development as new tools are function is preferable in order to give it the constantly added and old ones are retained, latitude to give independent opinions that at times partially. The information systems prevail over those of the IT function and the of banking and insurance institutions are business lines. Such positioning would be now vast sets of applications, systems and also be more consistent with its responsibility networks that may be difficult to map due for level-2 controls, which must be inde- to their complexity. Various factors create pendent of the first-level controls performed a risk of loss of control over the information by the IT function. system. These include a lack of control over the architecture of the information system, Inadequate or insufficient staffing inconsistent IT standards and a failure to manage obsolescence. Senior executives’ choice of the persons appointed to head the IT and IT security functions is essential for the proper organi- RATIONALISATION sation of the information system. These OF THE INFORMATION SYSTEM functions must also have sufficient staff or Control over information system they risk being unable to perform their architecture (urbanisation) duties, to the detriment of the institution’s Consistence of IT standards proper operation and security.

Management of obsolescence It is important that the persons chosen to head the IT and IT security functions have the requisite experience and professional expertise because these positions require strong technical and managerial skills. These Lack of control over information prerequisites also apply to all IT staff, and system architecture (urbanisation) it is desirable to adopt a formal human resources management policy in this area When an information system becomes that specifies the target distribution of inter- highly developed, an architectural nal and external staff, as well as the key approach, sometimes called “urbanisation”, functions for which it is necessary to main- is needed to avoid chaotic uncontrollable tain sufficient in-house expertise, including growth. The principle is similar to that of to supervise core functions that are out- the development of big cities. Applications sourced. It can be supplemented by a skills and systems that work together are grouped management policy that defines staff trai- together to simplify and better control their ning objectives, in particular obtaining interactions. This work usually requires map- professional certifications and providing ping and inventorying the components of additional training on technological and the information system. Application and business developments. systems architects are responsible for

ACPR – Information technology risk 16 Organising the information system, including its security

ensuring that components are not added 6 Control of outsourcing to the information system in a disorganised manner. They can identify areas of weakness Because institutions may need skills or a and make recommendations on optimising workforce they do not have in-house, IT acti- and upgrading the information system. vities are often outsourced to service pro- viders, which may belong to the same group Inconsistent IT standards as the institution, or which may be third-party companies. Risks of insufficiently supervised Uncontrolled development of an informa- outsourcing may arise if the contractual tion system can occur if the actions of framework is poorly defined, if dependence systems developers and engineers are on a vendor is not controlled, if the expected insufficiently guided by design, develop- service levels are not rigorously monitored ment, production and security standards. and if changes in vendors are not antici- The aim of these standards is to harmonise pated sufficiently in advance to activate practices and prohibit the use of unap- contractual reversibility procedures. proved solutions within the institution. Different standards apply to different acti- Inadequate contractual framework vities: applications development, produc- tion and commissioning of network An inappropriate contractual framework, solutions. To be fully effective, these stan- i.e. a non-existent, incomplete, invalid, dards must be harmonised by the central unbalanced or imprecise contractual IT function in order to avoid diverse or framework, may mean that the institution inconsistent practices within the various will not obtain the expected service, which entities comprising the IT function (e.g. may be detrimental to the proper operation by the IT departments of the various sub- or security of its information system. sidiaries of a group). 
The management body should approve Failure to manage obsolescence major outsourcing projects on the basis of the opinions expressed by the various IT technologies evolve rapidly and must control functions, including the IT security constantly be updated to avoid the risk function. The contract and its associated that the information system will no longer documents should serve as the reference be able to be maintained. This is a that defines the rights and obligations of demanding task because it requires the institution and the service provider. Such paying close attention to the frequent contract is required, even if services are version changes of software and systems outsourced within the same group. It is used, which involves, for example, par- important for the contract to describe in ticularly careful oversight of IT assets. detail the nature of the service, expected More fundamentally, institutions should service levels, permanent controls to be regularly replace applications that use executed, incident handling and business old programming languages that are no continuity procedures, IT security require- longer used by developers. Security requi- ments, contractual reversibility conditions, rements may also justify regularly upda- the roles and responsibilities of the contrac- ting technologies used. ting parties, the contacts responsible for

ACPR – Information technology risk 17 Organising the information system, including its security

routine monitoring of the service, the bodies with outsourcing to foreign jurisdictions, tasked with coordinating the relationship especially outside the European Union and the type of information to be regularly (for example, with respect to data pro- reported to the institution. The institution tection rules). Controlling the risk of must be informed of chain outsourcing overdependence on one or more vendors (sub-contractors), and it may require that requires consolidated oversight of such chain outsourcing be authorised in contracts negotiated with vendors, as advance. In all cases, the institution must well as approval by the management ensure that such outsourcing does not gene- body if outsourced activities exceed a rate any additional risk. Moreover, the dependence threshold to be defined. The contract must include a right to audit the outsourcing policy should also specify service, with possible onsite access, and it the conditions applicable to outsourcing must describe the regulatory provisions (roles and responsibilities, the process applicable to the service provider. This right for finding and selecting service provi- of audit must not be unduly limited by res- ders, the contractual framework, and trictive clauses (long notice periods, various service oversight procedures). limitations). The contract should also grant audit rights to the institution’s supervisory Inadequate monitoring of service levels authorities. It may be useful for the institu- tion’s legal department to approve standard Service levels are contractual commitments clauses to ensure that all of the institution’s that a service provider makes to an institu- contracts comply with the laws and regu- tion about the quality and security of IT lations on outsourcing and protect the ins- services. If no service levels are set, or if titution’s interests in a balanced manner. 
the expected performance levels are too low, the institution will be unable to demand Overdependence high-quality services.

If a service provider acquires a predomi- It is therefore essential that service levels nant position due to the scope of the IT be contractually defined and that they be activities it performs for an institution, the monitored on an ongoing basis by a dedi- institution may find it difficult to impose its cated team of the institution, both by ana- requirements, including if service deterio- lysing the dashboards set up in agreement rates. Outsourcing to service providers with the vendor and by handling event abroad, especially outside Europe, may occurrences, if necessary, by agreeing an expose institutions to an inadequately action plan. This arrangement is most effec- supervised legal environment. tive if a joint steering committee, comprising representatives of the institution and the Developing an outsourcing policy that is vendor, is set up and tasked with monitoring approved by the management body pro- service quality. The steering committee vides a framework that defines the acti- should be chaired by a manager whose vities the institution is willing to outsource, hierarchical level is consistent with the sen- and those that should be retained in-house sitivity of the outsourced activity. For the due to their sensitive nature. Such policy most sensitive activities, it is advisable for should assess the legal risks associated the chair of this committee to be the head

ACPR – Information technology risk 18 Organising the information system, including its security

of the IT function or a senior executive. In relations with customers. The information addition, holding meetings of a technical system may be non-compliant if the business committee, comprising members with the lines’ expression of needs is inconsistent appropriate hierarchical level, may be a with the applicable law, if IT developments useful practice. Finally, a process should do not follow the legal specifications set by be set up for escalating degraded service the business lines, or if production standards quality or business relationship issues to the or techniques are in violation of the appli- IT department or senior executives. cable law.

Inadequate reversibility procedure Business needs not in compliance with applicable laws Changing vendors in the IT field is relatively complex because it usually entails taking Users are responsible for defining their over an existing service, while guaranteeing information system needs. If they do not users continuity of service with equivalent comply with the legal requirements appli- service levels, as well as recovering archives cable to their activity, the expression of their covering a long period. needs may include non-compliant require- ments, which will then be incorporated into Therefore, this process requires appropriate the information system and cause the insti- advance planning, taking into account tution to be in breach of the law. budgetary constraints, respecting the time- table for activating the reversibility clause Preventing such risk requires a project mana- with the outgoing vendor, and precisely gement methodology that includes a stage defining the work to be performed. Some at which it is determined that the business of this work will be taken over by a new lines’ expression of needs is in compliance service provider, or by the institution if the with the legal requirements applicable to the activity is brought in-house, whereas other institution, as well as with the institution’s work may require specific treatment, for internal procedures, for example if they are example in the form of a project to be stricter. Ordinarily, the legal department budgeted and planned. should be consulted and its agreement obtained with respect to the needs expressed. 7 Statutory and regulatory compliance IT developments not in compliance with the business lines’ legal instructions Like any undertaking, institutions must com- ply with the laws applicable to their business. 
The IT engineers should, in principle, comply Therefore, in terms of organisation, the IT with the user’s requirements and, therefore, solutions institutions use cannot be deve- incorporate the legal provisions applicable loped by IT engineers autonomously, without to their activity if they have been properly consideration for the legal obligations appli- formulated. If not, the institution will have cable to the institution. Otherwise, the ins- a non-compliant information system. titution risks breaching the laws governing Moreover, legal requirements may change its business, which is unacceptable and over time, thereby rendering the information could also prove highly detrimental to its system non-compliant.

ACPR – Information technology risk 19 Organising the information system, including its security

It is therefore important that the user accep- identification and control mechanisms will tance and testing phases verify compliance not be properly implemented. This may with the law applicable to the institution, manifest itself as non-existent or partial and that potential violations be detected and mapping, an inadequate permanent control remedied. If the applicable law is amended system, inadequate handling of incidents, significantly, the users responsible for pro- or inadequate periodic controls. cessing must submit change orders to be implemented by the IT engineers. RISK MANAGEMENT

IT standards not in compliance Risk mapping with applicable laws Permanent control system

IT standards applicable to programming Detection and management and operating rules may include provisions of operational risk incidents inconsistent with an institution’s legal obli- Periodic control system gations, for example concerning personal data protection or data retention periods. These standards should not preclude com- Non-existent or partial risk mapping pliance with the needs expressed by users. They should be regularly updated to make Identifying and regularly assessing IT risks them consistent with these obligations. are prerequisites for adopting risk control measures. Otherwise, such measures may To prevent such situations, the institution not be adopted or may be inappropriate, must regularly verify that its standards meaning institutions will be inadequately are compliant with the law applicable to prepared and have a greater exposure its business. to risk.

8 Risk management It is essential that the institution identifies and compiles a classification of its inherent The management body should be able to and residual IT risks, both within business rely on an effective operational risk mana- lines and support functions, including the gement system that covers all IT risks. In IT department. This inventory should cover accordance with the law, this system must all physical assets (data centres, offices, be based on a risk map and a regular risk agencies, etc.), logical assets (online or assessment, and incorporate risk control smartphone banking, cloud, etc.), activities and monitoring measures. These control (business lines and support functions), measures should include internal controls publics (employees, customers, service at several independent levels to allow cross- providers, partners) and tools (applications, checks. If the operational risk management networks, etc.), and should be consistent system does not fully take IT risks into with the institution’s risk appetite, as account, it will be incomplete and non-com- approved by the management body. pliant with regulatory obligations. Moreover, Mapping business processes and support it will not reflect all risks to which the insti- functions is a prerequisite for identifying tution is exposed, and the IT risk and updating these risks, and should be

ACPR – Information technology risk 20 Organising the information system, including its security

done at least annually. In addition to the Inadequate detection and management mapping of processes and risks, which of operational risk incidents ideally should be computerised to facilitate its updating, consolidation and use, it is Operational risk incidents should be moni- important to define risk reduction measures, tored to measure an institution’s losses whether organisational, technical or and to take remedial measures. IT inci- control-based. Furthermore, cross- dents are expected to be included in ope- disciplinary risks should be identified and rational risk oversight if they meet the included in the mapping for each activity. definition of operational risk.24 If IT inci- It is also essential to clearly define the dents, including security incidents, are responsibilities of the IT function and of not included in operational risk oversight, other activities due to the fact that the this risk will not be assessed completely, business lines and support functions are which could impact the quality of risk exposed to certain IT risks that are managed mitigation measures, and cause the insti- by the IT department. tution to hold insufficient capital to deal with such incidents. Inadequate permanent control system Therefore, it is expected that IT incidents A permanent control system with two distinct that meet the criteria defined will be incor- levels of controls is necessary to avoid risk porated into the operational incidents situations. This permanent control system database. If necessary, an incident repor- should encompass the various information ting threshold can be established, but it system implementation and management should be set low enough to detect signi- processes to ensure that any failures are ficant incidents. Aggregating multiple detected in a timely manner. 
similar low-magnitude incidents is a good practice that enables detecting and cor- It is important that the permanent control recting malfunctions before a major inci- of IT risks, including information security, dent occurs. In addition, it is important be included in the institution’s permanent that action plans be adopted in response control plan. This plan must cover all risks to these incidents and that the manage- identified and be updated periodically. ment body be regularly informed about First-level controls should be performed by the most significant incidents and the operational staff and level-2 controls should associated action plans. be performed by teams independent of the IT function. The frequency of controls should Inadequate periodic control system be modulated depending on the risk level, but controls should be performed at least The institution’s periodic control system once a year. Action plans should be esta- provides a third level of controls of all blished to remedy any deficiencies disco- processes implemented. If it does not vered during the controls. A tool should cover all information system processes, 24 Generating a financial gain catalogue the control plan and the results the management body may not be pro- or loss, whether or not realised (lost profits, near-miss), or a of controls as a means of informing the vided with independent information on non-financial gain or loss (e.g. man-days devoted to management body and facilitating their the risk status and corrective measures re-establishing service after an IT breakdown). monitoring of controls. taken in this area.
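The incident reporting threshold and the aggregation of similar low-magnitude incidents described under “Inadequate detection and management of operational risk incidents”, as an added example that is not part of the ACPR paper: the incident records, the threshold value and the rate used to value man-days (footnote 24 counts man-days spent restoring service as a loss) are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data, not from the ACPR paper. Each incident carries a
# financial loss (realised or not) and the man-days spent re-establishing
# service, since footnote 24 of the paper counts both as operational losses.
@dataclass(frozen=True)
class Incident:
    ref: str
    category: str    # kind of malfunction, used to group similar incidents
    loss_eur: float  # financial loss or lost profit, 0.0 if none
    man_days: float  # non-financial loss: effort to restore service

# Assumption: one man-day is valued at this rate so that financial and
# non-financial losses can be compared against a single threshold.
MAN_DAY_RATE_EUR = 600.0

# Assumption: reporting threshold for the operational incidents database.
# The paper asks for it to be low enough to catch significant incidents.
REPORTING_THRESHOLD_EUR = 5_000.0


def incident_impact(inc: Incident) -> float:
    """Total impact of one incident, financial and non-financial combined."""
    return inc.loss_eur + inc.man_days * MAN_DAY_RATE_EUR


def classify_incidents(incidents, threshold=REPORTING_THRESHOLD_EUR):
    """Split incidents into individually reportable ones and aggregates.

    Returns (reportable, aggregates):
      reportable - incidents whose own impact reaches the threshold; each goes
                   into the operational incidents database on its own.
      aggregates - per category, the group of below-threshold incidents whose
                   summed impact reaches the threshold: a recurring
                   malfunction to correct before it becomes a major incident.
    """
    reportable = []
    below = defaultdict(list)
    for inc in incidents:
        if incident_impact(inc) >= threshold:
            reportable.append(inc)
        else:
            below[inc.category].append(inc)

    aggregates = {}
    for category, group in below.items():
        total = sum(incident_impact(i) for i in group)
        if total >= threshold:
            aggregates[category] = {
                "count": len(group),
                "total_impact_eur": round(total, 2),
                "refs": [i.ref for i in group],
            }
    return reportable, aggregates


def most_significant(incidents, n=3):
    """References of the n highest-impact incidents, for the regular report
    to the management body on the most significant incidents."""
    ranked = sorted(incidents, key=incident_impact, reverse=True)
    return [i.ref for i in ranked[:n]]


# Constructed incident log. The four batch failures are each well below the
# threshold, but together they reveal a malfunction worth an action plan.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "batch-failure", 0.0, 0.5),
    Incident("INC-002", "batch-failure", 200.0, 1.0),
    Incident("INC-003", "batch-failure", 0.0, 2.0),
    Incident("INC-004", "batch-failure", 1500.0, 3.0),
    Incident("INC-005", "network-outage", 12000.0, 4.0),
    Incident("INC-006", "phishing", 900.0, 0.5),
]

if __name__ == "__main__":
    reportable, aggregates = classify_incidents(SAMPLE_INCIDENTS)
    print("Reportable individually:", [i.ref for i in reportable])
    print("Aggregated malfunctions:", aggregates)
    print("Most significant:", most_significant(SAMPLE_INCIDENTS))
```

With the constructed data, only INC-005 is reportable on its own, while the four batch failures (EUR 5,600 combined) are surfaced as one recurring malfunction and the single phishing incident stays below the threshold.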


It is therefore essential that IT risks, including information security risks, be included in the institution’s audit plan and that they be reviewed by specially trained auditors, either as part of general audits or pursuant to specific assignments. Furthermore, the findings should prompt recommendations and action plans, the most critical of which should be approved and monitored by the executive managers. The management body must receive sufficient, regularly updated information on the IT risks assessed by the periodic control system.

QUESTION NO. 4
Do you think the risk factors that are mentioned for the macro-process of organising the information system are rightly identified? If not, what would you suggest for improvement?

QUESTION NO. 5
Do you think the mentioned control measures are suitable? If not, what would you suggest for improvement?

QUESTION NO. 6
In particular, do you share the view that is given regarding the positioning and the responsibilities of the Chief information security officer?

ACPR – Information technology risk 22 Operating the information system (“build and run”)

his section deals with risks related to system installed, i.e. providing the service the “information system operation” expected by users, especially in terms of T macro process, which includes all quality, reliability and availability. The same actions in relation to the use and operation issues apply to “change” actions, where of the existing system, as well as actions to the risk is that they will be unable to properly develop new services or equipment (projects), provide the expected services. In recent or simply actions to make corrections or years, particular attention has also been moderate changes (corrective and upgrade paid to data quality. maintenance). The operational management of existing services is sometimes called “run” The following sections explain the pri- and the delivery of new services (application mary and secondary risk factors that projects, installation of infrastructures) is may disrupt operating processes, conti- sometimes called “change” or “build”. nuity management, change manage- ment, and data quality. The main The aim of all of these actions is to ensure measures for controlling these risks are the proper operation of the information also described.

OPERATING THE INFORMATION SYSTEM (“BUILD AND RUN”)

Operations Change management Continuity management Data quality (sytems and management (projects, management networks) upgrades,fixes)

ACPR – Information technology risk 23 Operating the information system (“build and run”)

1 Operations management (systems and networks)

IT operations, also called “production”, consist of running the computers on which applications are installed. These computers, as well as their connecting equipment, are called systems and network environments. Improper operations management of these systems and networks may result in more or less serious disruptions that can impact the quality of service provided to users.

The ACPR’s IT experts have identified several risk factors that may lead to unsound operations management. These may include deficiencies in the means of production, in the process for detecting errors and anomalies, or in the process for resolving incidents and problems. This also includes the risk that service levels expected by users will not be met.

Inadequate means of production

The means of production provide the resources necessary for proper operation of the information system. If they are not properly resourced, for example with equipment that is sufficient in number and with adequate power, the information system may not be able to operate properly, in particular at peak times. Furthermore, if the configurations of this equipment are not up to date or are inappropriate for the institution’s needs, disruptions may occur or security may be impaired.

It is therefore important that the choice of equipment that will comprise the operating environment is properly assessed before new solutions are released. The technical characteristics, in particular the power of the equipment, must be appropriate to the operational needs imposed by the service levels expected by users. In addition, the capacity of resources used must be monitored to allow sufficient time for expansion without compromising increased use of the information system (e.g. number of users able to connect to the system, computing power, storage space).

Sound management of the means of production requires up-to-date inventories. Inventory management consists of referencing and centralising all information system hardware and software, in order to have a complete picture and to be able to verify that the equipment installed is adequate for the needs identified. The characteristics of each piece of equipment should be recorded, such as version numbers, licences installed and the technical specificities of the various components. This will facilitate compliance with technical standards, and the obsolescence management of ageing components will be optimised.

Inadequate process for detecting errors and anomalies

Processing errors and anomalies disrupt proper operation of the information system by reducing availability (delays, interruptions) or data quality. Therefore, promptly detecting them is crucial.

Detection is one of the primary tasks of the operations staff who monitor production. They can increasingly rely on detection tools that automate monitoring. Specialised teams can also be tasked with these actions to improve response capacity. It is advisable to install error detection tools at various levels of the information system in order to identify various types of technical malfunctions, even


before an incident occurs. For example, detecting abnormally long response times may enable anticipating an interruption of the information system. The detection tools should cover all equipment to facilitate comprehensive oversight.

Inadequate management of incidents and problems

When detected, incidents[25] should be managed so as to restore proper operation of the information system as quickly as possible and minimise downtime. Problem[26] management, which complements incident management, consists of diagnosing the cause of repetitive or difficult to resolve incidents, putting in place measures to prevent them from reoccurring, and mitigating the impact of problems that cannot be avoided. Therefore, it is essential for these two processes to be effective in order to minimise service degradation and loss of user confidence.

[25] The Information Technology Infrastructure Library (ITIL) defines an incident as “an unplanned interruption to an information technology (IT) service or reduction in quality of an IT service”.
[26] ITIL defines a problem as the cause of an incident.

It is advisable that these processes be formally expressed as operational procedures. The various incident and problem handling stages, from detection to resolution, should be performed by specialised teams, whose actions must be documented to ensure they are properly completed. Grading incidents by sensitivity level enables them to be prioritised. Problem management is closely related to incident management, and uses similar tools, classification criteria and priorities. Resolution is generally easier if facilities, information flows and critical services have been mapped and inventoried. The resolution of incidents and problems should be monitored by the committees tasked with monitoring service quality. Succinct reports should be submitted to the management body to enable them to mobilise the appropriate teams and allocate sufficient resources.

Non-compliance with service levels

Service levels define users’ expectations with respect to the operation of the information system (e.g. availability periods, possible interruption periods, data backup frequency, switchover to backup systems). Service levels are agreed for operating conditions and, more broadly, for overall performance of the service. Regardless of any incident, problem or improper hardware configuration, unsound operations management may make it impossible for the systems and network administrators to keep commitments to users.

Systems and network operating processes are ordinarily set out in formal operational procedures that enable their administrators to rigorously monitor the various operations in normal service and degraded service situations. In addition, it is important that service levels be formally set out in service agreements with end users. These agreements should specify the monitoring criteria and expected satisfaction levels for these services, with respect to service quality and availability. Documenting expected service levels in contracts is useful for measuring whether users’ needs have been met. Indicators should be used to monitor commitments and take necessary corrective actions.

2 Continuity of operations management

Operations continuity refers to the measures and resources implemented to ensure the availability of the information system in accordance with the needs expressed by users. Services generally operate in accordance with availability periods that vary depending on the nature of the activities,


except in certain cases where no interruption is tolerated. In any case, the systems and networks must be fully available during the availability periods to enable applications to function with adequate response times. Otherwise, the system will be unavailable or experience slowdowns, thereby disrupting user activity.

The information system may risk unavailability if the institution does not have an adequate organisation in place to manage its service continuity system, or if it has not correctly identified the various unavailability scenarios, or if the means of production or backup systems are inadequately protected against accidents, or if its IT continuity system is inadequate, does not correspond to the system planned for users, or has not been tested sufficiently.

Inadequate continuity organisation

Institutions must set up an organisation to manage their service continuity framework, in accordance with regulatory requirements. This framework is twofold, with a component specific to the continuity of users’ activities (fall-back premises) and an IT backup component (switchover to a backup site). This system should describe the actions to be taken to ensure the continuity of the business processes deemed essential, and the necessary resources to be implemented in the event of a crisis. This reduces the risk of business interruption or information system malfunctions to an acceptable level for the institution. If the organisation set up is inadequate, the institution may not have available backup resources in the event of a failure of its main equipment.

It is therefore important that the organisation set up to manage service continuity be based on formal coordination, supervision and decision-making policies and procedures. This requires that the roles and responsibilities in crisis management situations be clearly defined. The involvement and approval of the management body is necessary to ensure that the continuity system is aligned with the institution’s strategy, that sufficient budgetary and human resources are allocated, and that employees and their managers are committed to the process. Ordinarily, a methodology, an effective crisis management structure and an appropriate communication policy complete the system. The institution should have a business continuity plan that includes an IT backup plan.

Inadequate identification of unavailability scenarios

The continuity plans are customarily based on loss of assets scenarios, including systems and networks malfunctions of varying durations. The IT backup plan should describe the procedures for activating backup resources under these various scenarios. If the scenarios defined do not identify all possible disturbances or misevaluate the consequences, the continuity management system may not adequately respond to an unforeseen breakdown, which will prevent users from continuing their activities.

To prevent such situations, it is necessary to perform impact assessments for users’ businesses (in particular, at the regulatory, legal, commercial, financial and reputational levels) based on the various scenarios of unavailability of premises, information systems, staff, energy, telecommunications and key vendors. Service continuity requirements are normally defined on the basis of the “maximum tolerable period of


disruption” and the “maximum allowable data loss”. For the production teams, the former translates into a “recovery time objective” (RTO), which defines the maximum recovery time, and the latter translates into a “recovery point objective” (RPO), which expresses the maximum allowable period between an incident and the date of the most recent data backup.

Non-alignment of IT continuity with business continuity

The IT backup plan describes the continuity arrangements for IT production. It should be part of the institution’s overall business continuity plan, which also describes the backup resources available to users. The IT backup plan must therefore be consistent with the business continuity plan; otherwise, there is a risk that it will be inadequate to enable continuity of essential or critical applications.

To avoid any discrepancy resulting in inadequate IT backup resources, the IT backup plan must be based on impact assessments for users’ businesses and their corresponding service recovery times (expressed as RTO and RPO). Any discrepancies that may result from a known deficiency of backup resources must be brought to the attention of the management body for a decision on user needs or the allocation of additional resources.

Inadequate protection of means of production and backup resources against accidents

Data centres are particularly vulnerable to accidents and damage that may affect hardware and thus disrupt the proper operation of the information system. These sites are dependent on electricity to power equipment and water for air conditioning. A wide variety of accidents and natural disasters may severely impact them (fires, floods, earthquakes, plane crashes, chemical pollution, electromagnetic pollution, etc.).

It is therefore important for institutions to rigorously select the locations for their data centres, avoiding areas exposed to natural hazards (e.g. flooding or seismic areas) or neighbouring risks (airports, chemical sites, etc.). They should also equip their data centres with devices to detect accidents and minimise potential damage, in particular fire (detection, extinction) and water leaks from the air conditioning system. These devices must be properly resourced, regularly tested and kept in good working order. These protective devices are not only necessary on the premises housing the hardware, but also in the rooms housing electrical equipment and telecommunication servers. It is also advisable to develop a comprehensive safety policy, for example, prohibiting the storage of flammable materials, such as cardboard, in machinery rooms or nearby premises.

Inadequate continuity systems

In accordance with the IT backup plan, the institution must be able to switch operation of its information system over to a backup infrastructure if its main system becomes unavailable. If it has poorly resourced its backup equipment, it may not be able to run the applications it needs. If its backups are not recent enough, it may lose significant quantities of important data.

Therefore, the backup infrastructure equipment must be properly resourced to be able to run the applications and functionalities


identified as essential and critical in the continuity plan. These infrastructures must be operational in order to quickly switch production over to them in accordance with users’ requirements (RTO and RPO). Data backups must be sufficiently frequent and well-protected. Switchovers may be triggered for the entire information system, or for certain components or applications. In addition, the possibility of regional disasters must be taken into account, in particular by locating the production environment sufficiently far away from the backup environment. Moreover, it is particularly important that the backup site have a power supply from a different power generation source than that supplying the main site, and that it not be exposed to the same natural hazards as the main site (river flooding, proximity to the same airport or industrial or chemical site, etc.). If the backup site is so exposed, a third site will be needed in order to actually retain production capacity in all unavailability scenarios.

Inadequate testing

The effectiveness and pertinence of business continuity plans and IT backup plans depend on sufficiently regular implementation testing. The testing of technical and organisational systems makes it possible to assess the robustness of the planned solutions, in accordance with the service levels approved by users.

It is important for continuity plans to be tested comprehensively using a proven methodology, so as to obtain reasonable assurance of the plans’ quality and effectiveness, including compliance with user requirements. Backup tests are truly pertinent only if they include a switchover of production from the main environment to the backup environment. Therefore, the backup environment should be used in actual situations by the business line teams for a sufficiently long period of time and on a range of matters that is representative of their activities (in particular, to enable conducting end-of-period work, such as at the end of a week or month). Backup environments should allow alternate production on at least one of the backup sites. The results should be monitored at the appropriate level and necessary corrective measures should be taken.

3 Change management (projects, upgrades, fixes)

IT “change” (a.k.a. “build”) refers to all modifications made to a system, either to fix it or upgrade it (maintenance), or to change or supplement it (project). Changes may concern software and hardware. These are obviously delicate processes because they are carried out on existing production. Mismanaged changes will cause malfunctions. In this area, the risk factors to be considered are inappropriate change management standards, poorly organised or incompetently managed changes or projects, functional and technical requirements not adequately taken into account, insufficient testing of new components, and improperly implemented changes.

Inadequately defined or applied change management standards

Because it is a tricky process, change management is usually governed by operational policies and procedures. Such policies provide, for example, that releases should be grouped in batches rather than implemented individually. A release for which proper guidelines have not been


adopted has greater exposure to the risk of erroneous operations.

Therefore, complete and appropriate policies and procedures are recommended. They should be implemented by specialised teams trained for this purpose within the entities. The different types of changes should be defined, including standard changes and urgent changes to correct serious malfunctions. The description of treatments should distinguish the various phases, including recording, impact assessment, classification, prioritisation, validation stages, planning, testing and regression conditions. Management of versions (releases) should also be included in these processes.

Poor project management organisation

Successful change management, and especially project management, depends to a large extent on setting up a solid organisation and on the expertise of the teams in charge. Applying a work methodology also helps to guide the process. Failure to control the work can cause delays and generate additional costs, or may result in a deterioration in expected functionalities.

In particular, the roles and responsibilities of each participant should be clearly defined in order to ensure a solid organisation. Committees that monitor the work and coordinate the various parties can provide oversight of deadlines, costs and quality, and facilitate decision-making. Major projects should be monitored by a sponsor responsible for ensuring they progress smoothly. A communication system for the various parties involved will reduce misunderstandings that can be a source of errors or delays. Applying a project management methodology is advisable because it ensures proper sequencing of the various performance stages after the quality of deliverables has been verified. Finally, the choice of staff is crucial, and it is necessary to verify that they have the expertise required to perform the various tasks.

Functional and technical requirements not adequately taken into account

Changes are made in response to the information system upgrade needs expressed by users. It is therefore crucial that the changes meet such needs. In addition, technical standards will also impose technical requirements with respect to security, production and network operation.

A methodology shared by all stakeholders should be followed to collect and approve the users’ functional requirements. Technical requirements that restrict the possibility of meeting functional needs must be made known to and be accepted by users. Technical requirements specific to the operation of the systems and networks must be taken into account by the technical administrators at the earliest stages in the design and development of new equipment.

Inadequate testing

Testing is a mechanism for ensuring that changes meet the needs approved, both functionally and technically.

Functional and technical acceptances verify that the changes are adequate. It is important that they be comprehensive and are carried out pursuant to formal procedures, and that the results thereof are documented in reports shared with all stakeholders. Corrective actions should be taken if significant anomalies are


discovered. Minor anomalies can be considered non-fatal for commissioning and be fixed later. Non-regression testing should be performed systematically to avoid unwanted side effects. A pre-production environment as similar as possible to the production environment will enable verifying the adequacy of new components (functionalities, performance).

Improperly implemented changes

Releasing changes is particularly delicate because, if it is not correctly carried out, it can create disruptions to the system in place, with potentially very damaging consequences if rollback is difficult.

It is therefore important to follow a very rigorous release process. Planned software and hardware deployments should follow formal procedures that aim to ensure a satisfactory level of availability. These procedures should include rollback methods in the event of a defect. Customarily, a change timetable is adopted in order to group changes and implement them at times when experienced staff are present and outside normal service periods (e.g. on weekends). If necessary, qualified experts should be on call and managers should be reachable in the event of an anomaly.

4 Data quality

One of the most important requirements for an information system is that its data be accurate, i.e. that the data corresponds to the inputs expected and that the changes made to it by the processing performed by the information system do not generate errors. This is particularly important for the information systems of banking and insurance institutions, which hold personal data and financial assets. This requirement is also important for risk calculation data, which is used by the management body to manage the business and by supervisors to supervise it. Therefore, poor quality data can be particularly detrimental, both for conducting business if the institution does not use reliable data, and for monitoring risks if the indicators used are erroneous. Data may be of poor quality if data standardisation and definitions are inadequate, or if the information system uses or generates erroneous data. Inadequate controls may also explain a data quality problem.

Inadequate data standardisation

The information systems of banks and insurance institutions often comprise multiple applications. If they were designed at different times and for new needs on each occasion, the concepts they use (e.g. “borrower”, “insured”) may not always be defined in the same way, making it difficult to compare or aggregate data. Ordinarily, the most commonly used terms should be managed by establishing unique “glossaries”, which are to be used throughout the institution. Similarly, data “standardisation” means homogenising, and unifying if possible, the definitions of similar concepts used throughout the information system. If the institution does not use glossaries for its most commonly shared data, or if it has not undertaken a standardisation process, the various components of its information system may use non-comparable data or data that cannot be aggregated, thereby depriving it of a consolidated picture of its business and risks.

For this reason, glossaries should be created for the concepts most commonly used by the institution. The various applications using this


data will thus have a single and reliable source. A function or business line should be given responsibility for these glossaries and tasked with updating them and ensuring the data definitions are pertinent. Similarly, to increase uniformity among the various applications that use similar data, and thereby facilitate data aggregation, it is in the institution’s interest to undertake a data standardisation process. This process should involve business lines and functions, as owners of the information system, as well as the IT function, which is responsible for the consistency of the information system as a whole. This standardisation process can usefully be supported by data dictionaries that set out data definitions and syntax, and that apply to all user entities.

The information system uses or generates erroneous data

If the information system uses inaccurate input data, it is likely that it will generate inaccurate output data. Moreover, regardless of the quality of the source data, if there are processing errors in the system, the data generated will be erroneous. Data errors are not due solely to accuracy issues; they may also be the result of inappropriate or incomplete data, or data that is unavailable at the time of processing. The risk of errors also increases if an automated process is reprocessed manually.

Users should test data suitability before it is released and, thereafter, should check it regularly. Audit trails will enable reconstruction of processing and the steps taken to make changes, thereby providing a history of changes made to information from its original form to its final form. Manual treatments should be limited as much as possible and should be thoroughly and regularly verified. Production incidents should be analysed to assess their impact on the quality of the data generated. Risk indicators produced for the management body and supervisors should be based, to the extent possible, on automatically calculated indicators rather than approximate values. Lastly, it is important that the available data be sufficiently detailed and aggregated in accordance with the criteria requested, in order to meet all significant users’ needs.

Inadequate data quality controls

Data quality must be regularly and thoroughly checked by users and control functions. Otherwise, the institution may not detect situations in which erroneous data is used or generated.

Therefore, the verification of data generated and activity or risk monitoring reports should be based on automated and manual controls that enable detecting any anomalies and setting up action plans to fix them.

QUESTION NO. 7
Do you think the risk factors that are mentioned for the macro-process of operating the information system are rightly identified? If not, what would you suggest for improvement?

QUESTION NO. 8
Do you think the mentioned control measures are suitable? If not, what would you suggest for improvement?

QUESTION NO. 9
In particular, do you share the view that is given regarding the test mode for the switchover to the disaster recovery site?
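The measure described under “Inadequate process for detecting errors and anomalies” above, flagging abnormally long response times so that an interruption can be anticipated, as an added illustration that is not part of the ACPR paper. The log line format, the endpoint name, the baseline window, the threshold factor and the rule that two consecutive abnormal samples are required before alerting are all assumptions made for this example.

```python
"""Flag abnormally long response times in application logs before they turn
into an outage.  Added example; the log lines and the threshold rule are
constructed for illustration and are not taken from the ACPR paper."""
import re
from statistics import median

# Constructed log extract: timestamp, endpoint, response time in milliseconds.
# The last lines show the kind of degradation that precedes an interruption.
SAMPLE_LOG = """\
2018-03-05T09:00:01 /accounts/balance 120ms
2018-03-05T09:00:02 /accounts/balance 135ms
2018-03-05T09:00:03 /accounts/balance 110ms
2018-03-05T09:00:04 /accounts/balance 128ms
2018-03-05T09:00:05 /accounts/balance 131ms
2018-03-05T09:00:06 /accounts/balance 640ms
2018-03-05T09:00:07 /accounts/balance 125ms
2018-03-05T09:00:08 /accounts/balance 910ms
2018-03-05T09:00:09 /accounts/balance 1200ms
2018-03-05T09:00:10 /accounts/balance 1450ms
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+)ms$")


def parse_log(text):
    """Yield (timestamp, endpoint, response_ms) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2), int(match.group(3))


def detect_slow_responses(text, window=5, factor=3.0, consecutive=2):
    """Compare each response time with the median of the last `window` normal
    observations.  One slow request is noise; `consecutive` abnormal samples in
    a row raise an alert.  Abnormal samples are kept out of the baseline so a
    creeping slowdown does not silently become the new normal.
    Returns a list of (timestamp, endpoint, response_ms, baseline_ms)."""
    history = []   # recent response times judged normal
    alerts = []
    streak = 0
    for ts, endpoint, ms in parse_log(text):
        if len(history) < window:
            history.append(ms)          # still learning the baseline
            continue
        baseline = median(history[-window:])
        if ms > factor * baseline:
            streak += 1
            if streak >= consecutive:
                alerts.append((ts, endpoint, ms, baseline))
        else:
            streak = 0
            history.append(ms)
    return alerts


if __name__ == "__main__":
    for ts, endpoint, ms, baseline in detect_slow_responses(SAMPLE_LOG):
        print(f"{ts} {endpoint}: {ms} ms (baseline {baseline} ms)")
```

With the constructed log the single 640 ms outlier at 09:00:06 is ignored, and alerts are raised from 09:00:09 onwards, when the second consecutive response exceeds three times the 128 ms baseline. In production the same logic would be run per endpoint and fed to the operations team’s monitoring console rather than printed.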
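An added example, not taken from the ACPR paper, of the check implied by the “Inadequate continuity systems” and “Inadequate testing” sub-sections and by Question 9: the RTO and RPO agreed with users are compared with the age of the latest backup and with the duration of the last real production switchover, so that any discrepancy can be brought to the management body. The application names, objectives, timestamps and the convention that an untested application is recorded as `None` are constructed assumptions.

```python
"""Compare the continuity objectives agreed with users (RTO, RPO) with what the
backup infrastructure actually achieves.  Added example; the applications,
objectives, backup timestamps and switchover test results are constructed for
illustration and are not taken from the ACPR paper."""
from datetime import datetime

# Constructed result of the business impact assessment: objectives in minutes.
BIA = {
    "core-banking": {"rto_min": 60, "rpo_min": 15},
    "claims": {"rto_min": 240, "rpo_min": 60},
    "reporting": {"rto_min": 1440, "rpo_min": 1440},
}

# Constructed observations: latest successful backup and the duration of the
# last switchover of real production to the backup site (None = never done).
OBSERVED = {
    "core-banking": {"last_backup": datetime(2018, 3, 5, 8, 50), "switchover_minutes": 45},
    "claims": {"last_backup": datetime(2018, 3, 5, 6, 0), "switchover_minutes": 300},
    "reporting": {"last_backup": datetime(2018, 3, 4, 23, 0), "switchover_minutes": None},
}


def check_continuity(bia, observed, now):
    """Return (application, finding) pairs for every discrepancy between the
    objectives and the observed backup resources; an empty list means the IT
    backup plan currently meets users' requirements."""
    findings = []
    for app, objectives in bia.items():
        obs = observed.get(app)
        if obs is None:
            findings.append((app, "no backup resources recorded for this application"))
            continue
        # RPO: the data that can be lost is bounded by the age of the latest backup.
        age_min = (now - obs["last_backup"]).total_seconds() / 60
        if age_min > objectives["rpo_min"]:
            findings.append((app, f"RPO breach: last backup is {age_min:.0f} min old, "
                                  f"objective {objectives['rpo_min']} min"))
        # RTO: only a real switchover demonstrates the recovery time.
        tested = obs["switchover_minutes"]
        if tested is None:
            findings.append((app, "RTO unverified: no production switchover test on record"))
        elif tested > objectives["rto_min"]:
            findings.append((app, f"RTO breach: switchover took {tested} min, "
                                  f"objective {objectives['rto_min']} min"))
    return findings


def run_example():
    """Evaluate the constructed data as of 5 March 2018, 09:00."""
    return check_continuity(BIA, OBSERVED, datetime(2018, 3, 5, 9, 0))


if __name__ == "__main__":
    for app, finding in run_example():
        print(f"{app}: {finding}")
```

The report lists the two breaches for the claims application and the untested reporting application while staying silent on core banking, which is exactly the list of discrepancies the paper says must be escalated for a decision on user needs or additional resources. Treating a missing switchover test as a finding in its own right reflects the paper’s view that backup tests are pertinent only if they include a real switchover of production.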
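An added example of the automated controls and audit trail described under “The information system uses or generates erroneous data” and “Inadequate data quality controls”; it is not code from the ACPR paper. A data dictionary fixes the definition and syntax of each shared concept, every record is checked against it, and each correction is recorded with its author, time, previous value and new value so that the history of a piece of information can be reconstructed. The field names, rules, sample records and user name are constructed assumptions.

```python
"""Data quality controls driven by a data dictionary, with an audit trail of
corrections.  Added example; the dictionary, records and control rules are
constructed for illustration and are not taken from the ACPR paper."""
import re
from datetime import datetime

# Constructed data dictionary: one shared definition per concept, as a
# glossary/standardisation process would fix it for the whole institution.
DATA_DICTIONARY = {
    "borrower_id": {"type": str, "required": True, "pattern": r"^B\d{6}$"},
    "exposure_eur": {"type": float, "required": True, "min": 0.0},
    "rating": {"type": str, "required": True, "allowed": {"A", "B", "C", "D"}},
    "country": {"type": str, "required": False, "pattern": r"^[A-Z]{2}$"},
}

# Constructed records: the first is clean, the second has three defects, the
# third has a negative exposure and a field the dictionary does not define.
RECORDS = [
    {"borrower_id": "B000123", "exposure_eur": 250000.0, "rating": "B", "country": "FR"},
    {"borrower_id": "000124", "exposure_eur": "1200", "rating": "E"},
    {"borrower_id": "B000125", "exposure_eur": -5.0, "rating": "A", "region": "EU"},
]


def validate_record(record, dictionary=DATA_DICTIONARY):
    """Return the list of control failures for one record (empty = passes)."""
    errors = []
    for field, rule in dictionary.items():
        value = record.get(field)
        if value is None:
            if rule.get("required"):
                errors.append(f"{field}: missing")
            continue
        if not isinstance(value, rule["type"]):
            errors.append(f"{field}: expected {rule['type'].__name__}")
            continue
        if "pattern" in rule and not re.match(rule["pattern"], value):
            errors.append(f"{field}: does not match {rule['pattern']}")
        if "allowed" in rule and value not in rule["allowed"]:
            errors.append(f"{field}: {value!r} not in {sorted(rule['allowed'])}")
        if "min" in rule and value < rule["min"]:
            errors.append(f"{field}: {value} below minimum {rule['min']}")
    for field in record:
        if field not in dictionary:
            errors.append(f"{field}: not defined in the data dictionary")
    return errors


class AuditedDataset:
    """Holds records and keeps an audit trail of every change made to them."""

    def __init__(self, records):
        self.records = [dict(r) for r in records]
        self.trail = []

    def correct(self, index, field, new_value, user, when):
        """Apply a manual correction and record who changed what, and when."""
        old = self.records[index].get(field)
        self.records[index][field] = new_value
        self.trail.append({"when": when, "user": user, "record": index,
                           "field": field, "before": old, "after": new_value})

    def failing_records(self):
        """Map record index -> control failures, for records that do not pass."""
        result = {}
        for i, rec in enumerate(self.records):
            errors = validate_record(rec)
            if errors:
                result[i] = errors
        return result


def run_example():
    """Run the controls, apply corrections to record 1, and re-run them."""
    ds = AuditedDataset(RECORDS)
    before = ds.failing_records()
    when = datetime(2018, 3, 5, 10, 0)
    ds.correct(1, "borrower_id", "B000124", "data-steward", when)
    ds.correct(1, "exposure_eur", 1200.0, "data-steward", when)
    ds.correct(1, "rating", "C", "data-steward", when)
    after = ds.failing_records()
    return before, after, ds.trail
```

Running the controls before and after the corrections shows record 1 moving from three failures to none, while record 2 keeps its two failures until someone with the authority to do so decides on them; the three entries in the audit trail are what allows a reviewer to reconstruct how record 1 went from its original form to its final form.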


This section discusses the risks that may affect the “information system security” macro process, which includes the various prevention and response actions that may be taken to thwart security breaches. Customarily, these breaches are described in terms of their impact on the availability, integrity, confidentiality, and evidence or traceability of data and operations.

The issue of information system security has become increasingly important due to cyber threats, but is in fact not a new concern. Originally, it encompassed both accidents (breakdowns, natural disasters) and malicious threats. Today, accidental threats are more commonly dealt with under the “information system operation” macro process, as was done above, and the “information system security” macro process focuses on preventing and responding to malicious attacks.

The sections below describe the main risk factors that can impact the security of information systems and, for each one, will suggest risk reduction measures that can be implemented. The risk factors discussed are due to inadequate physical protection of facilities that enable intrusions, inadequate identification of IT assets (i.e. the various assets that comprise the information system, such as hardware, software and data), inadequate protection of these assets, inadequate detection of attacks, and inadequate response to attacks.

SECURING THE INFORMATION SYSTEM

Figure: the “securing the information system” macro-process is broken down into five processes: Physical protection of facilities; Identification of assets; Logical protection of assets; Detection of attacks; Response to attacks.
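As an added example (not part of the ACPR paper) of the identity and access rights review described in this section under “Inadequate identity and access rights management”: reconciling an HR extract with the entitlements actually granted flags leavers whose accounts are still active, movers who kept the rights of a previous position, privileged entitlements that need re-certification, and accounts that cannot be attributed to a named person. The HR extract, the role model, the directory extract, the user identifiers and the entitlement names are constructed assumptions.

```python
"""Joiner/mover/leaver review: reconcile HR status with the entitlements held
by each account.  Added example; the HR extract, role model, account list and
entitlement names are constructed for illustration and are not taken from the
ACPR paper."""

# Constructed HR extract: one entry per named person, keyed by unique identifier.
HR = {
    "u1001": {"name": "A. Martin", "role": "teller", "active": True},
    "u1002": {"name": "B. Dupont", "role": "credit-analyst", "active": True},
    "u1003": {"name": "C. Leroy", "role": "sysadmin", "active": False},   # left the institution
    "u1004": {"name": "D. Bernard", "role": "teller", "active": True},    # moved from credit-analyst
}

# Constructed role model: the entitlements each duty needs ("need-to-know" baseline).
ROLE_ENTITLEMENTS = {
    "teller": {"branch-app"},
    "credit-analyst": {"branch-app", "credit-db:read"},
    "sysadmin": {"server-admin", "branch-app"},
}

# Constructed directory extract: account -> entitlements currently granted.
ACCOUNTS = {
    "u1001": {"branch-app"},
    "u1002": {"branch-app", "credit-db:read"},
    "u1003": {"server-admin", "branch-app"},      # leaver, account still enabled
    "u1004": {"branch-app", "credit-db:read"},    # mover who kept the old rights
    "svc_batch": {"credit-db:read"},               # generic account, no named owner
    "u9999": {"branch-app"},                       # no HR record at all
}

# Constructed list of entitlements treated as privileged (administrator-level).
PRIVILEGED = {"server-admin"}


def review_access(hr, roles, accounts, privileged=PRIVILEGED):
    """Return (account, issue, entitlements) findings, ordered by account.
    Accounts without an HR record (generic or orphaned) and leavers are
    reported whole; for active staff only the rights exceeding the current
    role, plus any privileged right to re-certify, are reported."""
    findings = []
    for account, granted in sorted(accounts.items()):
        person = hr.get(account)
        if person is None:
            findings.append((account, "not attributable to a named person", sorted(granted)))
            continue
        if not person["active"]:
            findings.append((account, "leaver still holds access", sorted(granted)))
            continue
        expected = roles.get(person["role"], set())
        excess = granted - expected
        if excess:
            findings.append((account, "rights exceed current duties", sorted(excess)))
        if granted & privileged:
            findings.append((account, "privileged entitlement to re-certify",
                             sorted(granted & privileged)))
    return findings


if __name__ == "__main__":
    for account, issue, rights in review_access(HR, ROLE_ENTITLEMENTS, ACCOUNTS):
        print(f"{account}: {issue} {rights}")
```

On the constructed data the review returns four findings: the generic batch account and the unknown account are not attributable to a named person, the leaver’s account is still enabled with an administrator right, and the mover still holds a database right that the teller role does not need. Such a reconciliation is the check that makes the paper’s requirement to update rights on hiring, departure and change of position verifiable rather than declarative.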


1 Physical protection of facilities

The protection of buildings against malicious intrusion has become increasingly important in recent years to deal with new types of attacks, whether violent or surreptitious. An intrusion onto the premises can result in the theft and destruction of physical assets, and may facilitate a logical intrusion into the information system if malware is installed that can spy on, sabotage or replace the information of the institution, its customers or its partners. Such intrusions are possible if the measures taken to protect buildings or access to IT equipment are inadequate.

Inadequate protection against intrusion into buildings

Protective measures are crucial for premises in which systems and network infrastructures are housed (data centres). They may also be necessary for commercial or administrative premises which, although not as critical, nevertheless contain the institution’s workstations, network accesses and documentation.

It is advisable not to identify data centres with signs that describe the use and ownership of the premises. Access thereto should be restricted to a small group of persons in order to reduce risks. Strict procedures should regulate access to facilities, including for service providers appointed to maintain equipment. These procedures should grant access only to persons who have been properly scheduled, identified and accredited. In general, premises should be protected by perimeter security barriers (fences, gates, security doors, badge controls, etc.) and intrusion detection systems (video surveillance, alarms, etc.). This equipment must be regularly tested and maintained in good working order. Zoning measures should supplement the security system within the premises by restricting access to various areas on a “need to know” basis. The security systems should be synchronised to enable correlating events. The event logs of the various components of the security system should be kept for the time periods required to complete all necessary investigations.

Inadequate protection of IT equipment

Hardware safeguards should complement anti-intrusion systems. Critical physical assets, such as servers, administration consoles, network hardware, electrical equipment, keys, etc., require enhanced protection using additional and specific security devices (e.g. cages around servers, locked bays, and specific video surveillance).

2 Identification of assets

An inadequate inventory of IT assets may be detrimental to information system security management because homogeneous and appropriate security measures may not be taken pre-emptively or the response to an attack may be deficient. The relevant risk factors are an incomplete inventory or classification of assets.

Incomplete asset inventory

An inventory of IT assets is necessary to identify the most critical assets for users and the assets that are most exposed to cyber-attacks. This inventory should include “business line” assets (e.g. applications, data) and “support” assets (e.g. premises, hardware), and should be kept up to date. It should include all information necessary


to identify assets, and should describe the location, function and ownership of each asset. The inventory should also associate interrelated assets to make it possible to quickly identify interactions and interdependencies, which would be useful for crisis management purposes.

Incomplete asset classification

Classification consists of defining the level of sensitivity of assets, which is used to determine the protective measures to be implemented and to quickly identify the assets to be isolated and safeguarded in the event of an attack. The primary focus of this classification should be data and their associated applications. The classification serves as the basis for assigning sensitivity levels to the systems and network equipment used for these applications, as well as to the sites where such equipment is installed, thereby providing a global picture, both logically and physically, enabling the institution to prioritise the protection of assets.

For the classification to be complete and pertinent, it must include all logical assets and be fully applicable to the physical assets. Moreover, it should result from a formal analysis process approved by the owner of the relevant asset, and be reviewed periodically. The asset sensitivity assessment should be performed against the following criteria: availability, integrity, confidentiality, traceability and legal or regulatory obligations. Financial and reputational impacts may also be included in this sensitivity assessment.

3 Logical protection of assets

Asset security relies primarily on a set of IT protection measures (“logical” measures) intended to prevent any breach of the information system. Cyber-attackers have varied motives, such as realising a direct gain (fraud, theft, ransom, espionage) or causing harm (disrupting normal operations, sabotage, reputational damage). Regardless of the motives, these attacks may impact the system’s availability (e.g. blocking a system), integrity (manipulation of an asset), confidentiality (e.g. viewing or stealing data) or traceability (e.g. deleting access rights changes). Protective measures must therefore cover these various types of disruptions and be adapted to the sensitivity of each asset. These measures can no longer be designed individually. Current best practice is to replicate them at the various levels of the information system (e.g. by filtering communications not only upon entry but also at other points in the system) in order to slow the progress of an attacker. This is known as the “defence-in-depth” concept. If the logical protection of assets is inadequate, there is a risk that an attacker may enter the information system and compromise it. This may be due to inadequate perimeter security systems, inadequate protection against malware, inadequate identity and access rights management, inadequate employee authentication, inadequate protection of systems and data integrity and confidentiality, inadequate protection of systems and data availability, inadequate management of security patches, inadequate security reviews, inadequately secured outsourced solutions, or inadequate information systems security awareness.

Inadequate perimeter security systems

Perimeter security consists of protecting the information system from external intrusion or of isolating internal zones. Due to the significant number of communications with external parties, perimeter security includes channelling communication flows to a

ACPR – Information technology risk 34 Securing the information system

limited number of obligatory passage points, then filtering and reviewing the content of incoming and outgoing communications. In recent years, this protection has been criticised on the grounds that it has become nearly impossible to implement due to the multiplicity of communication channels and flows. Nevertheless, perimeter security continues to be a key tool for effectively protecting the information system, although it should be supplemented by other measures, including detection measures within the system.

It is therefore expected that systems providing perimeter security for the information system will be set up to prevent any unauthorised attempt to access the information system, or at least the applications and data identified as sensitive. Devices for filtering network traffic (e.g. firewalls), comprising monitoring and blocking rules, should be deployed, and the most sensitive assets should be logically isolated within the information system or cut off therefrom. The effectiveness of perimeter security systems should be regularly reassessed and such systems should be adapted as necessary.

Inadequate protection against malware

Malware is the most frequent vector for cyber-attacks. It can be used to collect information that may facilitate future intrusion (technical, organisational or procedural information), compromise the integrity of systems or data (website defacement, data encryption followed by a ransom request), disrupt the availability of applications (sabotage) or, more directly, may be used to steal confidential information (espionage). If an institution does not install safeguards against malware, the security of its information system may be severely compromised.

It is therefore important to deploy anti-malware devices on all hardware and software: messaging gateways (scanning attachments, detecting executable files), Internet access gateways, network access points for partners, etc. These devices must be activated and kept up to date. Any exceptions must follow formal guidelines and be approved. Protective devices must themselves be protected against any attempt by users to disable or uninstall them. The use of several separate security suites within the information system prevents the exploitation of a weakness or vulnerability of a particular tool.

Inadequate identity and access rights management

Access rights to the information system should normally be granted to users on a “need-to-know” basis. They protect legitimate use of the system and are components of user identification management. Access rights should be granted by the institution on the basis of its employees’ status and duties. Therefore, access rights should be updated whenever employees are hired, leave or change position. Similar principles should apply to information system components managed by external providers. If this is not done, or if the rights granted are too broad or incorrectly updated, attackers may be able to more easily spoof them and hack into the information system.

To enable all actions on the information system to be attributed to a given person, internal and external staff must be identified by name or unique identifier. The use of generic accounts to access servers, applications and data must be restricted and formally supervised. Employees with privileged accounts (e.g. administrators) should
also have regular accounts to perform everyday tasks (access to corporate e-mail, web browsing, etc.). Effective access rights management requires the use of profiles (business line and technical profiles) to standardise and facilitate the granting of individual rights. Any additional individual access rights, inconsistent with the user’s profile, must be justified, formally granted and approved. In general, access rights to an asset should be approved by the owner of that asset, either directly or by a delegate. It is important that access rights be consistent at all times with the positions users hold. In particular, accreditations granted should be promptly deleted when an employee is transferred or leaves the company. Best practice in this area is to synchronise access rights management systems with human resource management systems (or service contracts if applicable). Rights granted should be reviewed regularly to ensure they continue to be justified. Similarly, the definition of profiles should be reviewed periodically to determine if they remain pertinent.

Inadequate employee authentication systems

Authentication consists of providing proof of identity, for example to access a piece of hardware or an application. In computing, the most common tool is a password, but it must be sufficiently secure to prevent spoofing.

It is therefore important to set up authentication systems adapted to the sensitivity of the assets to be accessed. Dual-factor and/or dynamic authentication means should be implemented for access to the most critical assets. If necessary, the rules governing the complexity of confidential authentication means chosen by employees should be standardised and adapted to their duties. Compliance with these rules should be regularly monitored. Granting temporary authentication credentials should be closely supervised and secured (e.g. password changed at the time of the first connection). If static, authentication credentials (passwords, tokens, etc.) must be renewed periodically. Any off-site access to the information system should require enhanced authentication procedures (for employees and external service providers). Authentication secret elements need to be appropriately protected.

Inadequate protection of the integrity of systems and data

System and data integrity safeguards are needed to prevent attackers from making changes to information system components that may affect its proper operation (including its reliability) or security. Such actions may include changes to the system’s configurations or access rights in order to carry out an attack, or altering data for the benefit of the attacker.

To enhance the security of systems and to enable detection of any configuration change, whether by adding a programme or changing the parameters of systems or applications, best practice dictates strictly limiting the right to run software on equipment (servers and workstations) and fingerprinting the servers’ “key” files. Another way to reduce the risk of compromising hardware is to reduce to a bare minimum the software installed thereon and its features. This technique, called “hardening”, mechanically reduces the number of software vulnerabilities that could be exploited by an attacker. Data and their associated
applications can be protected against attempted alteration in several different ways. It is advisable for applications to be designed securely by including automatic controls for creating, modifying, and deleting sensitive data. Moreover, applications can be configured to require dual validation (“four eyes” principle) for important operations (e.g. approving a payment). When data is transported and stored, its integrity can be protected by “sealing” tools and applications that can be used to verify that data has not been altered. Usually, the seal is calculated by a function called “hashing”, possibly after adding a “salt”, to prevent “dictionary” attacks (“rainbow tables”). However, to be fully effective and secure, these tools should comply with the current recommendations of the Agence Nationale pour la Sécurité des Systèmes d’Information (“ANSSI” – National Information Systems Security Agency). Lastly, and specifically for web services offered by institutions, protections can be applied to websites against the risk of website defacement.27

27 See Annex B1 of the ANSSI’s General Security Guidelines (https://www.ssi.gouv.fr/entreprise/reglementation/confiance-numerique/le-referentiel-general-de-securite-rgs/).

Inadequate protection of the confidentiality of systems and data

Measures to protect the confidentiality of data, whether in relation to applications (e.g. customer databases) or hardware (e.g. configuration data), aim to prevent unauthorised access (reading) or theft (copying). In either case, the legal (breach of regulatory obligations), financial (compensation for losses, sanctions) and reputational consequences may be disastrous for an institution.

To prevent data disclosures or theft, production data should be protected and the transfer thereof to other environments should be restricted. Production environments should be logically segregated or isolated from other environments to reduce uncontrolled access from a development or testing environment that is typically less secure. Furthermore, the data accessible from testing or development environments can be anonymised; better yet, such data could be entirely fictitious to avoid the risk of disclosing real data. To reduce the risk that data may be accessed by unauthorised third parties, the right to view or manipulate production data must be supervised and access records kept. This measure particularly applies to service providers such as web hosts, managed service providers and software solution publishers, which may have extensive rights over production environments without the institution knowing precisely who has access to its data. In addition, the most sensitive data should be protected throughout its life cycle: when it is input and displayed (e.g. partially or totally hidden), as well as during storage and transport (encryption). It may also be advisable to encrypt network communications end-to-end, i.e. both on public networks and internal networks (between applications). In all cases, to be fully effective and secure, these cryptographic tools should also comply with the current recommendations of the ANSSI.

The hardware that hosts data or allows access to data must also be protected. This is particularly true for nomadic devices (laptops) and mobile devices (phones, tablets), to which specific measures can be applied to prevent unauthorised access to the device or its contents, such as the encryption of internal storage media or, if possible, requiring a password to start the equipment. More generally, it is good practice to have procedures for disposing of equipment at the end of their life cycle that logically and/or physically destroy any information in
memory. Lastly, at the application level, for publicly available applications (Internet applications and services, mobile applications, etc.) the institution should take measures to prevent any attempt at reverse engineering. This practice seeks to recover the source code of software in a usable form for the purpose of counterfeiting it (intellectual property infringement) or understanding its operation (e.g. to attack it).

Inadequate availability safeguards

External attacks can make the information system unavailable, either by completely preventing access or simply by slowing it down. Such cyber-attacks, called denial-of-service (DoS) attacks,28 which saturate external accesses to a system, have become frequent in recent years. These attacks cause immediate disruption to users, and can damage the reputation of institutions in the banking and insurance sectors.

28 If the attacker uses a large number of devices to attempt to connect to the system, the attack is called a distributed denial-of-service (DDoS) attack.

The protection of the information system from attacks against its availability should rely primarily on the same continuity management systems as those discussed in connection with the proper operation of the information system (see section 4.2). To prevent DDoS attacks, the institution can use filtering solutions to recognise legitimate requests. If a website for customers is attacked, it may be beneficial to be able to activate a separate site that is a copy of the first site or that is used solely to post information, and which is accessible at a different address than the site under attack.

Inadequate management of security patches

Cyber-attacks often exploit security vulnerabilities in software or hardware. Publishers usually update their IT solutions very quickly when security breaches are discovered. If an institution does not quickly change the versions it uses to take advantage of security patches, it will be exposed to attacks. This task is facilitated if the institution has an up-to-date asset inventory (see section 5.2).

Protecting the information system against logical attacks requires promptly updating security patches for all relevant assets. A monitoring procedure should be set up to detect any vulnerabilities of the information system and provide fixes as quickly as possible. The configuration information available in the asset inventory can be used to verify the extent of vulnerabilities and establish an update plan. This plan should take into account the sensitivity level of the assets. To avoid creating new vulnerabilities, new hardware installed should be supported by its publisher and carry up-to-date versions of security patches.

Inadequate security reviews

Security reviews refer to measures that test the effectiveness of defences implemented (“intrusion tests”) or check for vulnerabilities by observing hardware and software configurations (“vulnerability scans” and “code reviews”). Institutions are increasingly using these techniques to supplement their protective measures. This enables testing the chances that an attacker may be able to circumvent defences. Without such reviews, the institution may incorrectly conclude that the measures it has implemented are adequate.

Therefore, it is recommended that regular security reviews be conducted to verify that the IT assets have no weaknesses that can be exploited. This should include periodic vulnerability scanning campaigns of
equipment connected to the Internet, which is by definition more exposed, but also of internal equipment (servers). Targeted intrusion tests should supplement vulnerability scanning to test the security of newly installed or upgraded hardware and applications. To obtain objective and reliable results, these campaigns should be conducted by external experts or independent third parties, using a variety of approaches and methodologies. Lastly, security-focused code audits should be conducted to identify and fix any potential vulnerability as quickly as possible.

Inadequate security of outsourced solutions

It is common that service providers manage part or all of the information system on behalf of institutions. These service providers may belong to the same group as the institution or may not be affiliated with it. In either case, service providers act in the name and on behalf of the institution, and the institution remains responsible for the risk management of its information system, including its security.

Therefore, protecting the security of the information system requires that the portions outsourced be protected to the same extent as the rest of the system. For this purpose, before any outsourcing, the institution must conduct a risk analysis to which the control functions, in particular the information security function, need to contribute. The management body will decide on outsourcing projects taking into account security conditions. The risk analysis should identify the relevant activities that are sensitive in nature, and ensure that the service provider has solutions that guarantee data confidentiality (e.g. by using encryption) and backup capabilities. After the outsourced services have been set up, they must meet the same security requirements as if they were performed by the institution itself. The outsourcing contract should specify that the security conditions applied by the service provider must comply with the institution’s security policies. The institution must monitor the performance of outsourced services over time, including any incidents. The institution must have audit rights that are not unduly limited by restrictive clauses (long notice periods). With respect to outsourced cloud computing services, the ACPR published a number of data and systems security best practices in July 2013,29 with which institutions are expected to comply, as well as with the EBA recommendations issued in December 2017.30

29 ACPR (2013): “The risks associated with cloud computing”, July. https://acpr.banque-france.fr/search-es?term=201307+Risques+associes+au+Cloud+computing

30 https://www.eba.europa.eu/documents/10180/1712868/Final+draft+Recommendations+on+Cloud+Outsourcing+%28EBA-Rec-2017-03%29.pdf

Inadequate information systems security awareness

Raising the awareness of staff and management about the security of information systems is a prerequisite to creating a risk culture on these issues. Such a culture can be useful in thwarting malicious attacks, which often target employees and managers, and seek to manipulate them in order to hack into the system (e.g. infected USB sticks or email messages) or to carry out a fraud (social engineering).

Awareness-raising actions are advisable to prevent such actions. They should supplement existing procedures by providing information about risks and providing training in best practices with respect to the use and protection of the information system. Specific training programmes for employees with high privileges (administrators) or who perform sensitive functions (developers) should also be scheduled regularly. To the
extent possible, awareness-raising actions should be extended to external staff, partners and customers. The effectiveness of each action conducted should be evaluated, and adjustments should be made if necessary.

4 Detection of attacks

Security can no longer be based solely on protective measures. The occurrence of “silent”31 cyber-attacks demonstrates the ability of attackers to intrude into an information system without being detected, in order to understand how it is organised and cause serious harm. Therefore, protective measures may not be sufficient and must be coupled with detection measures. These detection efforts usually focus on two areas. The first is collecting and analysing events (“traces”) recorded by the hardware, and the second is recognising unusual behaviour of users. If such detection tools are not used, or if they are incomplete, the institution may be unable to detect or block intrusions into its information system.

31 Such attacks do not provoke immediate disruption, but aim to progressively gain access to the different elements of the information system, in order to maximise the attack.

Inadequate trace collection and analysis

There are tools32 available for collecting, centralising and correlating events (“traces”) recorded by the various types of information system hardware (e.g. firewalls, network routers, detection probes, as well as the production systems), which can be used to monitor this equipment. This monitoring may enable detecting intrusions or attempted intrusions into the information system and thus providing prompt alerts.

32 E.g. security information and event management (SIEM) tools.

Best practices, especially for cybersecurity purposes, now require automatic tools for collecting and analysing traces, as well as a monitoring team that can take action based thereon (such as a Security Operations Centre (SOC)), which ideally should be operational 24/7. These SIEM tools should cover the entire information system, or at least its components that interface with the Internet and its components classified as sensitive. Traces collected should be time-stamped, archived, and protected against any attempted change. The most serious alerts should be handled by the monitoring team, which should stay constantly informed of new attack procedures or vulnerabilities exploited.33 The organisation in place should enable information to be shared about incidents detected by the various internal units. Exchanges with peer institutions and the authorities should also be conducted.

33 This function may be performed by the SOC.

Inadequate monitoring of unusual behaviour of users

External users (e.g. customers connecting online) and internal users (employees performing operations, IT staff) use the functionalities of the information system intended for their use. Malicious acts by them, or by attackers who usurp their rights, will result in an abnormal use of these functionalities. If mechanisms for monitoring abnormal behaviour of users are not put in place, the institution’s information system risks being hacked without its knowledge.

Best practice is to monitor suspicious actions in applications, administrative tools, databases or any other sensitive environment within the organisation. This monitoring should be done in real time to enable greater responsiveness to attacks. Unusual connections to the information system should be monitored (connections at unusual times or dates like holidays, numerous connections, access from new machines or Internet addresses, etc.). Anomalies during the
authentication of external users (customers, service providers) and internal users should be recorded and analysed (e.g. multiple attempts). Unusual behaviour of customers who use transactional sites (e.g. online account management) should be detected. High-value disbursement transactions should be monitored and blocking mechanisms may be activated to prevent numerous or high-value outflows. Copying and mass delete functions on sensitive databases should be monitored or blocked, as well as privilege escalation functions on systems and databases.

5 Response to attacks

As provided in the cybersecurity management principles, the security of information systems requires, in addition to protection and detection measures, also setting up an attack response and information system security recovery approach. Several steps are required, starting with containing the system components affected, eliminating malware, returning to service in degraded mode and, finally, rebuilding a healthy and fully functioning information system. These various operations require a crisis management organisation, which of course should be set up in advance. Therefore, the risk factors that may prevent an appropriate response to attacks are related to failures in these various processes, whether crisis management, or containing attacks, or resuming operations.

Deficiencies in crisis management

The crisis management organisation should be based on procedures that indicate, depending on the various scenarios impacting the proper functioning of the institution, the operating methods to be implemented to mitigate impacts and resume operations. The roles and responsibilities of decision-makers and key employees should be specified, and they must be provided with the resources (premises, equipment, communications or service providers) to meet and direct the operations. This type of organisation is required for banking and insurance institutions, in particular for dealing with a loss of resources (buildings, employees, IT systems). If the crisis management organisation does not cover the various information system security breach scenarios, institutions may not be able to manage them effectively.

Therefore, it is important that crisis management procedures adapted to cyber risk be adopted and be regularly tested and adjusted. These procedures should cover the various cyber-attack scenarios and their consequences in terms of availability, confidentiality, integrity and traceability. They should provide for coordinated action with external stakeholders (partners, customers) and, if necessary, the competent authorities. They should include communication measures (media, partners, customers) and information measures (the management body, supervisors).

Deficiencies in containment of attacks

Containing an attack consists of stopping the attack from spreading, then eliminating the attack vectors, such as malware, used by the attacker. This is a prerequisite to resuming operations and preventing the attack from spreading uncontrollably.

Dedicated operational teams, such as a Computer Security Incident Response Team (CSIRT), should be responsible for incident
response. These teams should be tasked with stopping attacks and eliminating the effects thereof. They should have the expertise and authority to determine what applications to shut down and what networks to disconnect, if necessary. Whenever required, these teams should be able to draw on additional external expertise, for which contracts have been entered into. Ideally, these teams should be able to set up decoys to distract or weaken the attacker during information system security operations.

Inadequate business recovery

Restoring the information system consists of putting it back into service. Generally, this is a gradual process. If necessary, during the attack, operations may also be performed via degraded manual procedures, i.e. without using IT tools. When the attack vectors have been eliminated, a partial recovery of the information system is possible, using the components not impacted. Thereafter, the integrity of the system will have to be re-established to enable full and normal operation of the information system.

Restoring an information system impacted by an attack requires procedures established in advance that are regularly tested and reviewed. These procedures should prioritise recovery actions and ensure the integrity of restored systems and data.

QUESTION NO. 10
Do you think the risk factors that are mentioned for the macro-process of securing the information system are rightly identified? If not, what would you suggest for improvement?

QUESTION NO. 11
Do you think the mentioned control measures are suitable? If not, what would you suggest for improvement?

QUESTION NO. 12
In particular, do you share the view that is given regarding the protection measures for the integrity and the confidentiality of data and systems?
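The inventory and classification approach described under the identification of assets (interrelated assets recorded in the inventory; sensitivity assessed on data and applications against the five criteria; levels then assigned to the systems, network equipment and sites they use) can be worked through in code. The following is an added example and is not part of the ACPR paper; the asset names, owners, ratings and dependency links are constructed.

```python
"""Added example: propagating sensitivity through an asset inventory.
Asset names, owners, ratings and dependency links below are constructed."""
from collections import deque
from dataclasses import dataclass, field

# Criteria the paper uses for the sensitivity assessment, each rated 0 (low) to 3 (critical).
CRITERIA = ("availability", "integrity", "confidentiality", "traceability", "legal")
LABELS = {0: "low", 1: "medium", 2: "high", 3: "critical"}


@dataclass
class Asset:
    name: str
    kind: str          # "data", "application", "system", "network" or "site"
    owner: str         # approves the classification of the asset
    location: str
    rating: dict = field(default_factory=dict)    # criterion -> 0..3; set on data and applications
    depends_on: set = field(default_factory=set)  # assets this one relies on (host, network, site)


class Inventory:
    def __init__(self):
        self.assets = {}

    def add(self, asset):
        unknown = set(asset.rating) - set(CRITERIA)
        if unknown:
            raise ValueError(f"unknown criteria for {asset.name}: {sorted(unknown)}")
        self.assets[asset.name] = asset

    def link(self, user, provider):
        """Record that `user` relies on `provider`, e.g. an application on its server."""
        self.assets[user].depends_on.add(provider)

    def dependents(self, name):
        """Assets that rely on `name`: what would be affected if it were isolated."""
        return sorted(a.name for a in self.assets.values() if name in a.depends_on)

    def classify(self):
        """Sensitivity level per asset. Data and applications carry their own rating
        (the highest of the five criteria); every asset they depend on, transitively,
        inherits the highest level of anything relying on it, so a server or a site is
        as sensitive as the most sensitive data or application hosted there."""
        level = {n: (max(a.rating.values()) if a.rating else 0) for n, a in self.assets.items()}
        queue = deque(n for n, a in self.assets.items() if a.rating)
        while queue:
            n = queue.popleft()
            for provider in self.assets[n].depends_on:
                if level[provider] < level[n]:
                    level[provider] = level[n]
                    queue.append(provider)
        return level

    def isolation_candidates(self, threshold=3):
        """Assets at or above `threshold`, with their dependents: the list a crisis
        team needs to decide what to isolate first and what that would cut off."""
        return {n: self.dependents(n) for n, lv in self.classify().items() if lv >= threshold}

    def labelled(self):
        return {n: LABELS[lv] for n, lv in self.classify().items()}


def build_sample_inventory():
    """Constructed inventory: two data sets, two applications, three servers, a switch, a site."""
    inv = Inventory()
    inv.add(Asset("customer_db", "data", "Retail banking", "DC-Paris",
                  {"availability": 2, "integrity": 3, "confidentiality": 3, "traceability": 2, "legal": 3}))
    inv.add(Asset("marketing_stats", "data", "Marketing", "DC-Paris",
                  {"availability": 1, "integrity": 1, "confidentiality": 1, "traceability": 0, "legal": 0}))
    inv.add(Asset("payment_app", "application", "Payments", "DC-Paris",
                  {"availability": 3, "integrity": 3, "confidentiality": 2, "traceability": 3, "legal": 2}))
    inv.add(Asset("reporting_app", "application", "Marketing", "DC-Paris",
                  {"availability": 1, "integrity": 1, "confidentiality": 1, "traceability": 1, "legal": 0}))
    for srv in ("srv-01", "srv-02", "srv-03"):
        inv.add(Asset(srv, "system", "IT operations", "DC-Paris"))
    inv.add(Asset("core-switch", "network", "IT operations", "DC-Paris"))
    inv.add(Asset("DC-Paris", "site", "Facilities", "Paris"))
    inv.link("payment_app", "customer_db")
    inv.link("payment_app", "srv-01")
    inv.link("customer_db", "srv-02")
    inv.link("reporting_app", "marketing_stats")
    inv.link("reporting_app", "srv-03")
    inv.link("marketing_stats", "srv-03")
    for srv in ("srv-01", "srv-02", "srv-03"):
        inv.link(srv, "core-switch")
        inv.link(srv, "DC-Paris")
    return inv


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for name, label in inventory.labelled().items():
        print(f"{name:16} {label}")
    print("isolate first:", inventory.isolation_candidates())
```

Because the switch and the site inherit the level of the payment application, the output shows why the paper asks for the classification to cover physical assets as well as logical ones.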
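The practices recommended under “Inadequate identity and access rights management” (rights tied to HR status and duties, standard profiles, out-of-profile rights formally approved, temporary credentials, prompt deletion on transfer or departure, regular review) amount to a periodic reconciliation of granted rights against the HR system. The following is an added example, not the paper’s own; the roster, profiles and grants are constructed sample records.

```python
"""Added example: periodic review of access rights against HR data and profiles.
The roster, profiles and grants below are constructed sample records."""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    uid: str            # named account: one person, one identifier
    position: str       # business-line or technical profile the person holds
    status: str         # "active" or "left"
    left_on: Optional[date] = None


@dataclass(frozen=True)
class Grant:
    uid: str
    right: str
    approved_by: Optional[str] = None   # asset owner or delegate, required off-profile
    expires: Optional[date] = None      # set for temporary rights


# Profiles: the rights a position normally carries (constructed).
PROFILES = {
    "teller": {"core_banking.read", "core_banking.post"},
    "analyst": {"reporting.read"},
    "sysadmin": {"servers.admin", "backup.restore"},
}


def review_access(hr, grants, profiles, today):
    """Reconcile granted rights with the HR roster and the profiles.
    Returns the findings a review should raise, as (uid, right) pairs per type:
      orphan  - account with no active employee behind it (leaver, unknown or
                generic account) that still holds a right
      expired - temporary right past its expiry date
      off_profile_unapproved - right outside the holder's profile with no
                formal approval (typically left over from a previous position)
    """
    roster = {e.uid: e for e in hr}
    findings = {"orphan": [], "expired": [], "off_profile_unapproved": []}
    for g in grants:
        emp = roster.get(g.uid)
        if emp is None or emp.status != "active":
            findings["orphan"].append((g.uid, g.right))
            continue
        if g.expires is not None and g.expires < today:
            findings["expired"].append((g.uid, g.right))
            continue
        if g.right not in profiles.get(emp.position, set()) and g.approved_by is None:
            findings["off_profile_unapproved"].append((g.uid, g.right))
    return findings


SAMPLE_HR = [
    Employee("alice", "teller", "active"),
    Employee("bob", "analyst", "active"),            # transferred from teller to analyst
    Employee("carol", "sysadmin", "active"),
    Employee("dave", "teller", "left", date(2018, 1, 31)),
]

SAMPLE_GRANTS = [
    Grant("alice", "core_banking.read"),
    Grant("alice", "core_banking.post"),
    Grant("bob", "reporting.read"),
    Grant("bob", "core_banking.post"),                # not removed when bob changed position
    Grant("carol", "servers.admin"),
    Grant("carol", "core_banking.post", approved_by="payments-owner", expires=date(2018, 3, 31)),
    Grant("dave", "core_banking.read"),              # leaver whose account was not closed
    Grant("svc_batch", "core_banking.post"),         # generic account, no person in HR
]


def run_sample_review():
    """Run the review on the constructed data as of 15 April 2018."""
    return review_access(SAMPLE_HR, SAMPLE_GRANTS, PROFILES, date(2018, 4, 15))


if __name__ == "__main__":
    for kind, items in run_sample_review().items():
        print(kind, items)
```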
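The anomalies the paper lists under detection of attacks (multiple authentication attempts, connections at unusual times or dates, access from new machines or Internet addresses) can be checked over collected traces. This is an added example and is not the paper’s or any SIEM product’s code; the trace format, the known-address baseline and the log lines are constructed.

```python
"""Added example: flagging unusual connections in authentication traces.
The trace format and the log lines are constructed; timestamps are UTC."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# One constructed trace line per authentication attempt, e.g.
#   2018-03-05T09:02:11Z user=alice src=203.0.113.7 result=OK
TRACE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$")


def parse_trace(line):
    m = TRACE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable trace line: {line!r}")
    return {"raw_ts": m["ts"], "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": m["user"], "src": m["src"], "result": m["result"]}


def analyse_traces(lines, known_sources, fail_threshold=5,
                   window=timedelta(minutes=10), business_hours=(7, 20)):
    """Return alerts as (kind, user, detail) tuples, in trace order.
      multiple_attempts - `fail_threshold` failures by one user within `window`
      unusual_time      - successful connection outside business hours or at the weekend
      new_address       - successful connection from an address not seen before for that user
    `known_sources` maps user -> set of addresses seen in earlier, reviewed traces;
    a copy is updated as new addresses are accepted, so each is reported once."""
    alerts = []
    recent_failures = defaultdict(deque)
    seen = {user: set(addrs) for user, addrs in known_sources.items()}
    for ev in (parse_trace(line) for line in lines):
        if ev["result"] == "FAIL":
            q = recent_failures[ev["user"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:     # keep only failures inside the window
                q.popleft()
            if len(q) == fail_threshold:
                alerts.append(("multiple_attempts", ev["user"], ev["raw_ts"]))
            continue
        start, end = business_hours
        if ev["ts"].weekday() >= 5 or not (start <= ev["ts"].hour < end):
            alerts.append(("unusual_time", ev["user"], ev["raw_ts"]))
        user_sources = seen.setdefault(ev["user"], set())
        if ev["src"] not in user_sources:
            alerts.append(("new_address", ev["user"], ev["src"]))
            user_sources.add(ev["src"])
    return alerts


# Addresses already reviewed for each user (constructed; documentation ranges).
KNOWN_SOURCES = {"alice": {"203.0.113.7"}, "bob": {"203.0.113.9"}, "carol": {"203.0.113.11"}}

# Constructed traces: a normal Monday morning, a late-evening connection from a new
# address, a burst of failures at 3 a.m. followed by a success, and a Saturday login.
SAMPLE_TRACES = [
    "2018-03-05T09:02:11Z user=alice src=203.0.113.7 result=OK",
    "2018-03-05T09:15:40Z user=bob src=203.0.113.9 result=OK",
    "2018-03-05T22:47:03Z user=alice src=198.51.100.23 result=OK",
    "2018-03-06T03:10:00Z user=carol src=198.51.100.23 result=FAIL",
    "2018-03-06T03:10:05Z user=carol src=198.51.100.23 result=FAIL",
    "2018-03-06T03:10:09Z user=carol src=198.51.100.23 result=FAIL",
    "2018-03-06T03:10:14Z user=carol src=198.51.100.23 result=FAIL",
    "2018-03-06T03:10:20Z user=carol src=198.51.100.23 result=FAIL",
    "2018-03-06T03:10:25Z user=carol src=198.51.100.23 result=OK",
    "2018-03-10T10:00:00Z user=bob src=203.0.113.9 result=OK",
]


def run_sample():
    return analyse_traces(SAMPLE_TRACES, KNOWN_SOURCES)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

The traces are deliberately kept as received (time-stamped, unaltered) and the analysis only reads them, which is the property the paper asks for in collected traces.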

ACPR – Information technology risk 42 Appendix: Classification of IT risk

Macro process – Primary IT risk factors – Secondary IT risk factors

Organising the IS

Insufficient involvement of the management body
• Inadequate understanding of issues
• Inappropriate decisions
• Insufficient monitoring

IT strategy inadequately defined or aligned with the business strategy
• Failure to anticipate business needs and technological upgrades/issues/uses
• Inadequate tools and service levels

Deficient budget management
• Inadequate budget alignment with the strategy
• Non-existent or insufficiently clear budget allocation
• Inappropriate oversight of expenditures

Roles and responsibilities of the IT and information security functions
• Poorly defined, allocated or communicated roles and responsibilities
• Inadequate or insufficient staffing

Inadequate rationalisation of the IT
• Lack of control over information system architecture (urbanisation)
• Inconsistent IT standards (including the ISS)
• Failure to manage obsolescence

Inadequate control of outsourcing
• Inadequate contractual framework
• Overdependence
• Inadequate monitoring of service levels
• Inadequate reversibility procedure

Statutory and regulatory non-compliance
• Business needs not in compliance with applicable laws
• IT developments not in compliance with the business lines’ legal instructions
• IT standards not in compliance with applicable laws

Inadequate risk management
• Non-existent or partial risk mapping
• Inadequate permanent control system
• Inadequate detection and management of operational risk incidents
• Inadequate periodic control system


Operating the IS

Unsound operations management (systems and networks)
• Inadequate means of production
• Inadequate process for detecting errors and anomalies
• Inadequate management of incidents/problems
• Non-compliance with service levels

Unsound management of continuity of operations
• Inadequate continuity organisation
• Inadequate identification of unavailability scenarios
• Non-alignment of IT continuity with business continuity
• Inadequate protection of means of production and backup resources against accidents
• Inadequate continuity systems
• Inadequate testing

Inadequate change management (projects, upgrades, fixes)
• Inadequately defined or applied change management standards
• Poor project management organisation
• Functional and technical requirements not adequately taken into account
• Inadequate testing
• Improperly implemented changes

Poor data quality
• Inadequate data standardisation
• The information system uses or generates erroneous data
• Inadequate data quality controls

Securing the IS

Inadequate physical protection of facilities
• Inadequate protection against intrusion into buildings
• Inadequate protection of IT equipment

Inadequate identification of assets
• Incomplete asset inventory
• Incomplete asset classification

Inadequate logical protection of assets – deficiencies in:
• Perimeter security systems
• Protection against malware
• Identity and access rights management
• Authentication of employees
• Protection of the integrity of systems and data
• Protection of the confidentiality of systems and data
• Protection of availability
• Management of security patches
• Security review processes
• Security of outsourced solutions
• Information systems security awareness

Inadequate process for detecting attacks – deficiencies in:
• Trace collection and analysis
• Monitoring of unusual behaviour of users

Inadequate attack response system – deficiencies in:
• Crisis management
• Containment of attacks
• Business recovery
