What is a useful definition to use when trying to identity and manage an Enterprise's Critical IT systems in the context of a financial services industry? What dimensions or questions should be considered to "score" and arrive at an objective assessment of whether a system should be regarded as critical?
Sort by:
You can have business continuity plan in align and also proper governance of data usages.
Financial Services companies are a key to the overall financial system and in order to ensure they have robust controls and standards, they operate on a number of key financial systems which they also at times term as core systems. These core systems not only act as a database of the financial companies but also act as a record keeping tools for their business. A number of such tools are also used to ensure the regulatory and compliance requirements of the industry and the jurisdiction where they do business, is met. These companies will have a technique called 'Business Impact Analysis' which will list down all these key systems which are critical and also includes the turn around time for these systems in case of disruption. Another important question to consider is within what time these critical systems should be resumed back. Some would have 1-4 hours SLA while some less critical would have 12-24 hours SLA.
You should focus on few categories:
Impact Analysis.
Regulatory Importance.
Business Continuity.
Data Sensitivity.
Interconnectedness.
Testing and Monitoring.
Recovery and Contingency Planning.
Board and Executive Oversight.
Third-Party Risks.
In each category think about potential requirements in case of issues and how would you react to them.
Example questions:
What is the Financial Impact?
Will we have a Compliance issues?
What types of data is stored on critical systems?
thank you Przemyslaw
In the financial services industry, critical IT systems are those that are vital to core operations and can significantly impact business, customers, financial stability, or regulatory compliance if disrupted. To assess their criticality, consider factors like business impact, regulatory requirements, data sensitivity, dependencies, recovery objectives, historical performance, and stakeholder input. A comprehensive evaluation based on these dimensions can help objectively identify and manage critical IT systems.
thanks for your thoughts Hemant. Any thoughts on how time/duration should be brought into the consideration? E.g. an outside of some capabilities for a few hours may be tolerable, however eventually they have a major impact.
Today I see security has highly score objective for financial service industry. It very important to secure the data of customer along with other information of organization.