The interagency Federal Financial Institutions Examination Council (FFIEC) has issued the attached statement on risk management of client/server computer systems. The statement addresses the risks and fundamental controls associated with a client/server environment.

Financial institutions are increasingly placing more emphasis on departmental-level client/server computer systems to develop, deliver and maintain critical information systems. Accordingly, it is important for senior management to understand the risks associated with this technology and to implement sound risk management policies, practices and controls for client/server systems.

Client/server computer systems are typically controlled at the business unit level. As such, management may implement client/server systems that have not been developed in a standardized, controlled environment. Key fundamental controls inherent in traditional systems may be overlooked or neglected in an effort to bring client/server systems into production quickly. This abbreviated approach can expose the institution to increased transaction, reputation, and strategic risks.

Management should ensure that appropriate risk management practices are in place for all information systems. Standard development methodologies that ensure appropriate controls need to be followed for all information systems, regardless of the methodology, platform or technology used. During regular supervisory reviews, examiners will review each institution's client/server computer systems for appropriate controls.

For more information, please contact your Division of Supervision regional office.

Nicholas J. Ketcha Jr.
Director

Attachment

Distribution: FDIC-Supervised Banks (Commercial and Savings)

Note: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, N.W., Room 100, Washington, D.C. 20434 (202-416-6949).
Attachment RISK MANAGEMENT OF CLIENT/SERVER SYSTEMS
To: Chief Executive Officers of all Federally Supervised Financial Institutions, Senior management of each FFIEC Agency, and all examining personnel.
PURPOSE
The purpose of this document is to alert the Boards of Directors and senior management of financial institutions to risks associated with client/server computing and to encourage the development and implementation of sound policies, practices, or procedures and controls over client/server computing environments.
BACKGROUND
The traditional approach to data processing for banking functions has been to develop and use large mainframe or midrange systems which are expensive to acquire and maintain. These systems require special physical environments and lengthy application development processes. Application developers have not always kept up with development requests that would allow financial institutions to provide faster delivery of services and products. End-users, who need immediate solutions, have become frustrated with this traditional approach to data processing. New technology is now available, at a perceived cost savings, that could satisfy end-user demand for more timely management information system solutions.
End-user needs have led to increasing acquisitions of computers and commercial off-the-shelf programs by departments, business units, and individuals to reduce their dependence on a centralized data processing environment. However, this strategy has its own limits. For example, stand-alone computers make it difficult to share information with other information systems. This problem is being solved by the development of high-speed data transmission and network file servers in client/server computing.
As a result, financial institutions are now processing mission-critical applications including funds transfer, branch automation, general ledger reporting, security portfolio accounting, and customer relationship management on client/server systems. Additionally, independent service providers (service bureaus) are also utilizing this new technology by providing these systems as part of their servicing operations to financial institutions.
POLICY STATEMENT
It is the responsibility of the Board of Directors of financial institutions to develop and adopt appropriate policies, practices, or procedures covering management's responsibilities and controls for all areas of client/server computing activities. Management must recognize that the implementation of controls is just as important in the client/server environment as in the mainframe environment. The institution's strategic planning should clearly define the technological and control architecture. End-users and auditors must have a prominent role in the acquisition, development, and implementation of all client/server computing environments.
The existence of policies, practices, or procedures and the management supervision of client/server activities will be evaluated by examiners during regular supervisory reviews of the institution.
DEFINITION
Client/server computing is a method of allocating data processing resources in a network so that computing power is distributed among workstations in the network. This type of computing allows integrated applications (general ledger, demand deposit accounting, loans, etc.) to share system and data resources using cooperative processing. Cooperative processing differs from traditional mainframe or distributed system processing in that each processing component is mutually dependent.
CONCERNS
The proliferation of client/server technology introduces new risks as well as benefits. In today's competitive environment, client/server technology can be a strategic initiative of the organization; it is therefore not just a technological concern but also a business concern. Customer demand for flexible and timely management information has fostered its growth. Faster delivery of services, the ability to leverage emerging technology, autonomy of end-users, and productivity gains from re-engineering the work flow are all potential benefits.
The client/server architecture has not evolved to the point where controls are inherent in the design, maintenance, and operation of the system. Controls are more difficult to implement effectively due to the distributed, decentralized and complex nature of the client/server environment. The tables that appear later in the paper illustrate some of the risks and controls that have been associated with client/server computing.
The appendix to this issuance identifies components and characteristics of client/server computing.

SECURITY

Supervisory Concerns:
· Adequate physical security for critical hardware components may not be present due to the distributed nature of the environment and the slow development of security-conscious cultures in the client/server arena.
· Inadvertent or intentional unauthorized end-user access to software and data presents greater risk of loss in client/server environments due to a potential dependence on the end-user to implement some system functions.

Controls:
· Adequate steps should be taken to ensure protection from unauthorized access to, use of, or changes to systems or data.
· Procedures should be implemented to ensure the privacy and confidentiality of information.
COMPUTER OPERATION

Supervisory Concerns:
· Disaster recovery and business continuation plans may be incomplete or outdated due to more frequent changes to hardware and software resources.
· Exposure to system failures may be increased due to easier software virus infiltration in a distributed environment.
· Incomplete hardware and software inventories could result in additional exposures in the form of unidentified network operations and/or the lack of adequate insurance coverage.
· Management information systems that rely on client/server systems could become incomplete or inadequate due to the lack of adequate operational controls.
· The lack of, or inadequate, network configuration diagrams could result in ineffective management oversight.

Controls:
· Procedures should be adequate to ensure the timely, accurate, and complete processing of information.
· Management should ensure that critical systems and operations are recoverable in the event of a disruption in service.
IMPLEMENTATION AND MAINTENANCE

Supervisory Concerns:
· Internal control considerations could be neglected due to the shortened time frames commonly found in the development of client/server systems.
· System failures resulting from weaknesses not identified in pre-implementation testing are more likely to occur than in mainframe environments.
· There are increased risks from unauthorized modification of application programs due to the distributed location of the client and its applications.
· Application development costs may consistently be underestimated if a system development life cycle methodology is not used.
· Failure to re-engineer the work flow in the design phase of the application may limit management's ability to optimize the benefits from this technology.

Controls:
· Appropriate procedures, including a system development life cycle methodology, should be applied to new and existing client/server systems.
SYSTEMS SOFTWARE

Supervisory Concerns:
· In this heterogeneous environment (i.e., one consisting of multiple platforms), there is an increased vulnerability to incompatibilities among installed software versions. Modifications may therefore cause inconsistent operating results.

Controls:
· Management should ensure that systems are properly tested and approved and that modifications are properly implemented.
· Management should determine that adequate version control procedures are properly implemented.
DATABASE MANAGEMENT SOFTWARE

Supervisory Concerns:
· Database integrity may be corrupted by deficiencies in the quality of the implementation and the administration of database management systems.
· Lack of database integrity is of greater concern due to concurrent updates of distributed databases which may not have properly established locking capabilities.
· Unauthorized access to the data could occur as a result of inadequate database administration or improper data ownership.

Controls:
· Management should ensure that controls are implemented to protect the integrity of transactions.
· Management should ensure that systems are properly tested and approved and that modifications are properly implemented.
· Management should determine that adequate version control procedures are properly implemented.
· Management should determine that the database management system has adequate recovery capabilities.
MIDDLEWARE
Supervisory Concerns:
· System integrity may be adversely affected by multiple operating environments attempting to interact concurrently.
· Lack of proper software change procedures across multiple platforms could result in a loss of system integrity.

Controls:
· Management should ensure that controls are implemented to protect the integrity of the client/server networks.
· Management should ensure that systems are properly tested and approved and that modifications are properly implemented.
· Management should determine that adequate version control procedures are properly implemented.
APPENDIX
RISK MANAGEMENT OF CLIENT/SERVER SYSTEMS
CLIENT/SERVER COMPONENTS AND CHARACTERISTICS
Components of client/server computing include:
· CLIENT A client (front-end) is a single PC or workstation associated with software that provides computing and presentation services as an interface to server resources. Presentation is usually provided by visually enhanced processing software known as a Graphical User Interface (GUI).
· SERVER A server (back-end) is one or more multi-user computer(s), usually a mainframe or a minicomputer, although it could be a PC. Server functions include any centrally supported role, such as file sharing, printer sharing, database access and management, communication services, facsimile services, application development, and others. Multiple functions may be supported by a single server.
· MIDDLEWARE This is a client/server-specific term used to describe a unique class of software employed by client/server applications. This software resides between an application and the network, and manages the interaction between the GUI front-end and data servers in the back-end. It facilitates the client/server connections over the network and also allows client applications to access and update remote databases and mainframe files.
Characteristics of client/server computing include:
· DISTRIBUTED Most commonly, a server is a distinct computer that serves from a few to any number of client systems. It is feasible to have clients and servers on the same computer. The server may be in the same room as its clients, or it may be across town or around the world.
· DECENTRALIZED Client/server systems are typically installed, administered, and operated by a business unit, rather than a centralized computing facility.
· COMPLEX Client/server systems usually involve multiple clusters of computers linked by high-speed communication lines.