Based on Article 15, point 7 of the Act on the Croatian Financial Services Supervisory Agency (Official Gazette Nos. 140/05 and 12/12), the Management Board of the Croatian Financial Services Supervisory Agency, at its meeting held on 21 December 2022, adopted
GUIDELINES FOR THE APPROPRIATE MANAGEMENT OF INFORMATION SYSTEM RISKS BY SUPERVISED ENTITIES
I. INTRODUCTORY PROVISIONS
1. Meaning of Terms
Supervised entities (hereinafter: entities) are defined by Article 2 of the Act on the Croatian Financial Services Supervisory Agency (Official Gazette Nos. 140/05 and 12/12) as all legal or natural persons engaged in providing financial services, advising on the financial market, selling, intermediating, or managing users' assets.
Information system of entities (hereinafter: IS) is a system of mutually connected organizational, technological, and human elements of entities involved in data processing processes, aimed at managing information necessary to achieve business objectives.
Information technology (hereinafter: IT) is an element of the IS, whose purpose is the automation of data processing. IT includes:
- hardware components:
o personal, portable, and server computers as well as peripheral devices such as keyboards, displays, etc.,
o "smart" mobile devices,
o active and passive network and telecommunications equipment,
o data storage media,
o supporting infrastructure, such as power supplies, air conditioning units, cables, etc.
- software components:
o operating systems,
o databases,
o system servers such as email servers, etc.,
o system applications,
o business applications,
o development tools.
Users of the information system (hereinafter: IS users) are all legal and natural persons who, as employees of the entity, external collaborators, clients, regulatory institutions, or in any other role, participate in data processing processes.
Data processing encompasses all manual or automated activities related to data throughout their entire lifecycle, such as:
- collection,
- input,
- storage,
- transmission,
- review,
- display,
- transformation,
- combination or integration,
- retrieval,
- archiving,
- analysis,
- protection,
- enabling access and making available,
- blocking, and
- deletion or destruction.
Information system resources (hereinafter: IS resources) enable data processing processes to be carried out in a manner appropriate to business needs, and include:
- data and information,
- IS business users,
- entity employees authorized to manage the IS and IT,
- external collaborators participating in IS and IT management,
- information technology,
- specialized knowledge,
- contracts and licenses,
- internal acts and other documentation, and
- financial resources.
Information system risk (hereinafter: IS risk) refers to the probability that a specific threat exploiting vulnerabilities of IS resources will have a negative impact on the entity's operations.
Information system risk management (hereinafter: IS risk management) is a continuous process encompassing:
- identification of IS resources,
- identification of threats to IS resources,
- identification of vulnerabilities of IS resources,
- assessment of IS risks and their potential adverse effects,
- selection of measures for handling assessed IS risks,
- implementation of measures for handling assessed IS risks,
- monitoring of assessed IS risks and implemented measures to reduce them, and
- improvement of the risk management process.
Sensitive data or information refers to those data or information whose compromise in terms of confidentiality, integrity, or availability would cause negative consequences for the entity's operations.
2. Objectives, Purpose and Scope
2.1. Objectives
Entities subject to the supervision of the Croatian Financial Services Supervisory Agency (hereinafter: HANFA) are exposed to operational risks in their operations, which include IS risks. By adopting and publishing the Guidelines for the Appropriate Management of Information System Risks by Supervised Entities (hereinafter: Guidelines), HANFA aims to achieve the following objectives:
- development of entities' awareness of IS risks, with particular emphasis on risks related to the use of IT, and
- familiarization of supervised entities with good practices for mitigating IS risks.
HANFA expects that the understanding and application of measures and procedures described in the Guidelines will contribute to the quality of IS risk management by entities, thereby reducing their overall exposure to operational risks.
2.2. Purpose
The Guidelines are intended for entities, and especially:
- members of the management boards of entities,
- responsible persons in organizational units for IT management of entities,
- persons responsible for IS/IT security of entities,
- persons responsible for managing relationships with external IT service providers of entities,
- persons responsible for managing the business continuity process of entities, and
- persons performing internal control functions of entities.
HANFA may additionally prescribe criteria and procedures for IS and IS risk management for certain groups of entities through other acts, which should be considered when understanding and applying the Guidelines. Furthermore, acts prescribed by the European Union relating to risk management concerning the use of IS should also be taken into account.
2.3. Scope
The Guidelines cover the following:
- Key aspects of IS risk management:
- basic principles of IS risk management,
- identification, assessment, and treatment of IS risks, and
- protection against cyber threats and IS risks.
- Measures and procedures for reducing IS risks:
- organization and management of the IS,
- development and maintenance of the IS,
- internal controls and audits of the IS,
- change management in the IS,
- outsourcing of IS processes,
- business continuity and disaster recovery,
- physical and environmental security,
- logical access controls,
- computer network security,
- security of portable devices and data storage media,
- raising awareness of IS security,
- incident management,
- management of operational and system records, and
- protection against malicious code.
II. KEY ASPECTS OF INFORMATION SYSTEM RISK MANAGEMENT
1. Basic Principles of Information System Risk Management
Risk management processes are an integral part of daily operations. Entities, at a minimum, experientially and intuitively recognize risks threatening the achievement of business objectives and take measures to reduce these risks to an acceptable level. A systematic approach to identifying and applying measures and procedures through the risk management process can bring additional advantages compared to an intuitive or experiential approach, such as:
- higher quality protection of important business processes and resources,
- lower probability of overlooking risks to which the entity is exposed,
- lower probability of non-compliance with applicable regulations,
- higher quality support for business decision-making,
- lower probability of inefficient spending on protective measures,
- reduced time spent managing protective measures, and so on.
The following sections of the Guidelines describe the basic procedures in the systematic process of identifying, assessing, and treating risks.
The focus of the IS risk management process is on information, as the most important IS resource.
The type and purpose of information depend on the industry, market, products, and services offered, as well as many other factors. Examples of information that entities may manage in their operations include:
- information about offered products and services,
- information about clients,
- information about monetary transactions, etc.
The availability of accurate and timely information can influence the making of correct business decisions, as well as compliance with applicable regulations. The availability of sensitive information to unauthorized persons may lead to loss of competitive advantage, loss of client confidence, and also non-compliance with applicable regulations.
From the perspective of information security, information has three key properties whose compromise represents a risk to entity operations:
- Confidentiality is the property of information being available exclusively to persons and systems with valid authorization. Some examples of consequences of compromising information confidentiality are:
- loss of competitive advantage (e.g., by revealing new product characteristics to competitors),
- loss of client confidence (e.g., by leaking clients' personal data to the public),
- non-compliance with applicable regulations (e.g., leaking clients' personal data may constitute a violation of personal data protection regulation),
- financial losses (e.g., leaking clients' personal data may trigger client lawsuits and result in monetary payments to cover compensation claims).
- Integrity is the property of information that gives reasonable confidence in its accuracy, i.e. that it has not been modified in an unauthorized or unforeseen way by accidental or intentional action; this also covers the subsequent addition, modification, or deletion of information without a traceable record of the activity performed. Some examples of consequences of compromising information integrity are:
- making incorrect business decisions (e.g., due to erroneous information presented in an important management report),
- loss of client confidence (e.g., due to incorrectly calculated and charged service or product price),
- non-compliance with applicable regulations (e.g., due to inaccurate information in reports intended for the regulator).
- Availability is the property of information being accessible to authorized persons and systems when needed and within an acceptable timeframe. Some examples of consequences of compromising information availability are:
- inability to deliver products and services to clients (e.g., due to unavailability of information about contractual relationships with clients),
- non-compliance with applicable regulations (e.g., due to unavailability of information needed to compile reports that must be submitted to the regulator within a given timeframe),
- inability to fulfill contractual obligations (e.g., due to unavailability of information about transaction accounts or the inability to issue payment orders).
Adverse effects of IS risks result from the compromise of the aforementioned information properties. They arise from the action of threats, which exploit IS resource vulnerabilities to realize these adverse effects.
For this reason, it is important to identify the threats to and vulnerabilities of IS resources, assess the IS risks and their adverse effects, and apply appropriate measures against them.
2. Identification, Assessment and Treatment of Information System Risks
The basic prerequisite for identifying and assessing IS risks is the knowledge of business objectives, business strategy, and entity business processes, so that the real impact of IS risks on operations can be assessed.
Furthermore, it is necessary to identify all IS resources that play a role in achieving business objectives and strategy, as well as supporting business processes, and then assess their importance in these roles. It is particularly important to understand the interdependencies of IS resources. For example, if some information is critical for a key business process, the database server on which that information is stored will be critical, as well as the operating system and the server computer itself, but also the network equipment that enables information availability via a personal computer to the end user.
IS risks arise from the action of threats. Threats are usually divided, depending on their place of origin, into internal and external.
Some internal threats may be:
- internal fraud,
- unauthorized access to information from within,
- theft of IS resources,
- errors in data entry into applications,
- unintentional disclosure of confidential information.
Some external threats may be:
- hacking attacks,
- malicious code,
- social engineering,
- epidemics,
- natural disasters.
Identified threats must be placed in the context of IS resource vulnerabilities, which some threats may exploit to cause an adverse effect. Some vulnerabilities may be:
- lack of protection against malicious code,
- inappropriate firewall configuration,
- access to business applications without verification of user identity,
- a low level of IS security awareness among employees,
- lack of an uninterruptible power supply system.
Ultimately, by knowing vulnerabilities, threats, and their adverse effects on operations, IS risks can be assessed through two of their fundamental properties:
- the probability that a threat will exploit IS resource vulnerabilities, and
- the level of adverse effect if the threat successfully exploits the vulnerability.
An example of the described process may look as follows:
- The service sales process to clients depends on the availability of client information, which includes data such as name, surname, address, type of contracted service, etc.
- Client information is stored on a database server. A power outage, which occurs on average four times a year and lasts about four hours each time, would cause the database server to stop working, as an uninterruptible power supply system has not been implemented.
- As long as the database server does not function, the entity is unable to provide services to clients and thus remains without potential financial revenues, with a high probability of compromising reputation and client confidence.
The decision on how to handle IS risks usually depends on the risks themselves and the value of exposed processes and resources.
Risk management approaches can generally be divided into:
- Avoidance - implies eliminating the risky process or IS resource altogether. Following the previous example, the entity concluded that both the risk and the financial cost of investing in an uninterruptible power supply system were unacceptable, and decided to take the database server out of use and keep all client information on paper documents. In this way, the vulnerability that the threat of a power supply interruption could exploit is eliminated (the paper records, of course, bring risks of their own, which must be assessed in turn).
- Reduction - implies mitigating risks by implementing measures that reduce the risk. Following the previous example, the entity concluded that its risk was unacceptable. By analyzing the cost of purchasing and annually maintaining the uninterruptible power supply system, the entity concluded that this cost is lower than the potential lost revenues and the losses caused by compromised reputation, and decided to implement the system, thereby reducing the identified risk.
- Acceptance - implies accepting the potential consequences of the adverse effect of the risk. Following the previous example, the entity is aware of the risk but has concluded that the cost of purchasing and annually maintaining the uninterruptible power supply system is higher than the potential lost revenues and the losses caused by compromised reputation, and decided to accept the risk without implementing additional measures.
- Transfer - implies transferring the consequences of the adverse effect of the risk to other natural or legal persons, for example by insuring a key resource with an insurance company against various adverse events.
Some risks cannot be deemed acceptable regardless of the costs of implementing control measures – for example, risks that result in endangering human lives or the commission of criminal offenses.
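As an added worked example, not part of the Guidelines, the following Python models the whole process of this section on the Guidelines' own scenario: the sales process depends on client information held on a database server, criticality propagates along those dependencies to the operating system, hardware and network, the power-outage threat (four outages a year of four hours each) is quantified in the two dimensions the Guidelines name, and one of the four treatments is chosen. The monetary figures, the risk appetite threshold, the residual-risk fraction and the annualised-loss formulation (frequency x duration x loss per hour) are assumptions introduced here, not values from the Guidelines.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Resource:
    """An IS resource and the resources it needs in order to fulfil its role."""
    name: str
    depends_on: List[str] = field(default_factory=list)
    criticality: int = 0  # 0 = not assessed, 1 = low, 2 = medium, 3 = high


def propagate_criticality(resources: Dict[str, Resource], root: str, level: int) -> Set[str]:
    """Give `root` and everything it transitively depends on at least `level`.

    Interdependency rule of the Guidelines: if client information is critical, so are
    the database server holding it, its OS, the server hardware and the network path to
    the end user. Dependents of a critical resource are NOT marked, only its dependencies.
    """
    touched: Set[str] = set()
    stack = [root]
    while stack:
        name = stack.pop()
        if name in touched:
            continue  # already visited; also terminates on dependency cycles
        touched.add(name)
        res = resources[name]
        res.criticality = max(res.criticality, level)
        stack.extend(res.depends_on)
    return touched


@dataclass
class Risk:
    """A threat exploiting a vulnerability of a resource: how often it occurs, how much it hurts."""
    threat: str
    vulnerability: str
    resource: str
    events_per_year: float  # probability dimension: expected occurrences per year
    hours_per_event: float  # how long each occurrence disrupts the resource
    loss_per_hour: float    # impact dimension (constructed monetary figure)

    def annual_loss(self) -> float:
        """Annualised loss expectancy = frequency x duration x loss per hour (assumed model)."""
        return self.events_per_year * self.hours_per_event * self.loss_per_hour


def choose_treatment(risk: Risk, appetite: float,
                     control_cost_per_year: Optional[float] = None,
                     residual_fraction: float = 0.0,
                     transfer_cost_per_year: Optional[float] = None,
                     intolerable: bool = False) -> str:
    """Pick avoid / reduce / accept / transfer following the reasoning of the Guidelines.

    `appetite` is the annual loss the entity is willing to carry (an assumption);
    `residual_fraction` is the share of the loss that remains after the control.
    """
    ale = risk.annual_loss()
    if intolerable:
        # Risks to human life or involving criminal offences are never accepted,
        # whatever the cost: treat them if a control exists, otherwise remove the exposure.
        return "reduce" if control_cost_per_year is not None else "avoid"
    if ale <= appetite:
        return "accept"
    if control_cost_per_year is not None:
        avoided_loss = ale * (1.0 - residual_fraction)
        if control_cost_per_year < avoided_loss:
            return "reduce"
    if transfer_cost_per_year is not None and transfer_cost_per_year < ale:
        return "transfer"
    # Above appetite and neither a control nor a transfer pays for itself:
    # eliminate the risky process or resource.
    return "avoid"


def worked_example() -> dict:
    """The Guidelines' scenario: client information on a database server with no UPS."""
    resources = {
        "sales_process": Resource("sales_process", ["client_info", "sales_workstation"]),
        "client_info": Resource("client_info", ["db_server"]),
        "db_server": Resource("db_server", ["db_server_os", "network"]),
        "db_server_os": Resource("db_server_os", ["server_hardware"]),
        "server_hardware": Resource("server_hardware", ["power_supply"]),
        "power_supply": Resource("power_supply"),
        "network": Resource("network"),
        "sales_workstation": Resource("sales_workstation", ["network"]),
        "intranet_wiki": Resource("intranet_wiki", ["network"]),  # uses the network; not critical
    }
    propagate_criticality(resources, "sales_process", 3)
    # Four outages a year of four hours each, as in the Guidelines; the loss per hour
    # (1 250 currency units) and every cost figure below are constructed assumptions.
    outage = Risk(threat="power outage", vulnerability="no uninterruptible power supply",
                  resource="db_server", events_per_year=4, hours_per_event=4,
                  loss_per_hour=1_250.0)
    return {
        "critical_resources": sorted(n for n, r in resources.items() if r.criticality == 3),
        "annual_loss": outage.annual_loss(),  # 20 000 per year
        "ups_pays_off": choose_treatment(outage, appetite=5_000.0,
                                         control_cost_per_year=3_000.0, residual_fraction=0.1),
        "ups_too_costly": choose_treatment(outage, appetite=5_000.0, control_cost_per_year=30_000.0),
        "insured_instead": choose_treatment(outage, appetite=5_000.0, control_cost_per_year=30_000.0,
                                            transfer_cost_per_year=8_000.0),
        "loss_within_appetite": choose_treatment(outage, appetite=25_000.0, control_cost_per_year=30_000.0),
    }


if __name__ == "__main__":
    for key, value in worked_example().items():
        print(f"{key}: {value}")
```

Running the block prints the eight resources that inherit the sales process's criticality (the intranet wiki, which merely shares the network, does not), the annual loss of 20 000, and the four treatment decisions that mirror the Guidelines' examples: "reduce" when the UPS costs less than the loss it prevents, "avoid" when the risk exceeds appetite and no control or transfer pays off, "transfer" when insurance is cheaper than the expected loss, and "accept" when the loss is within appetite. The `intolerable` flag enforces the last paragraph above: such a risk is never accepted regardless of cost.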
III. MEASURES AND PROCEDURES FOR REDUCING INFORMATION SYSTEM RISKS
The following sections describe measures that belong to good practice for reducing IS risks, with particular emphasis on those recommended regardless of the properties of the entity's IS. The method of implementing the recommendations and the choice of technical solutions is decided by the entities themselves, based on their own risk assessment and guided by the principle of proportionality, in order to identify the optimal solutions for their IS.
1. Organization and Management of Information Systems
1.1. Management of the Supervised Entity
The functioning of an entity's IS depends to a large extent on management support. Management is responsible for organization, strategic decision-making, resource allocation, and the adoption of rules and procedures in the context of IS management, which includes processes outsourced to external service providers. If the entity's management is not appropriately involved in IS management, the entity may be exposed to risks such as misalignment of business development strategy and IS development, as well as inefficient spending on IS development and maintenance.
To reduce IS risks, the entity's management applies the following measures and procedures:
- Establishment of an appropriate organizational structure necessary for IS functionality and security, in accordance with the entity's business objectives.
- Ensuring resources necessary for appropriate IS functionality and security, particularly in the context of qualified staff, hardware, software, and supporting infrastructure.
- Appointment of a responsible person for managing IT processes and operations.
- Ensuring continuous management awareness of relevant facts related to IS functionality and security, either through informal communication with persons responsible for IS functionality and security or through a formal reporting system.
- Alignment of IS development strategy with the entity's business strategy.
According to their own risk assessment, the entity's management may additionally apply the following measures and procedures:
- Formation of an IS management committee. It is common practice for the IS management committee to include responsible persons from business organizational units and internal control systems, along with management members and persons responsible for IS security and functionality. The committee's work is manifested through joint meetings, where key questions of IS functionality and security are discussed. In this way, communication between participants is facilitated, problems in mutual cooperation are resolved, and the alignment of actions of organizational units responsible for ensuring IS functionality and security with other organizational units is improved.
- Separation of the IS security management function from other IS-related responsibilities. Security and functional objectives of the IS may conflict in some situations, hence the practice of separating these functions by assigning them to different persons.
- Separation of mutually inconsistent duties in the IT management process, for example, system administrator from application programmer, application programmer from database administrator, system administrator from network administrator, etc. Assigning these functions to different employees allows them greater focus on their specialized duties, while simultaneously limiting potential damage that could result from intentional adverse action by any of the employees mentioned in the example.
- Formation of an internal control system for IS. Internal controls, in the form of internal audit, risk assessment, or compliance functions, which are independent from other responsibilities related to IS functionality or security, can contribute to higher quality IS risk management.
- Documentation and adoption of policies, rules, standards, guidelines, instructions, and work procedures in the IS.
1.2. Human Resources
Human action, intentional or unintentional, can expose the IS to significant risks. Examples of threats resulting from human action are:
- errors in application usage,
- unintentional or intentional disclosure of confidential data,
- errors in IS development and maintenance,
- inappropriate handling of computer equipment, etc.
To reduce the adverse effects of threats resulting from human action, it is necessary to ensure that employees:
- have appropriate knowledge and skills regarding the use of business applications,
- have appropriate knowledge and skills regarding the use of other IT resources they use in performing work tasks, such as the Internet, email, etc.,
- who are responsible for IS management, development, and maintenance have the knowledge and skills that their duties require, and
- have an appropriate level of IS security awareness.
According to their own risk assessment, entities may additionally apply the following measures:
- Establishment of a candidate verification process. The process may include verification of the truthfulness of statements regarding work experience and education, verification of criminal records, etc. Such and similar verifications reduce the possibility of employing persons who could pose a security risk to the IS.
- Establishment of a continuous employee education process aimed at raising awareness of IS security, which may include planning and conducting education and collecting feedback from participants.
2. Development and Maintenance of Information Systems
2.1. Maintenance of Information Technology
Hardware, software, and supporting infrastructure require continuous maintenance to ensure their appropriate functionality. Unmaintained infrastructure may be exposed to various threats, such as:
- errors in the functioning of operating systems and applications,
- failures in computers and network equipment,
- failures in supporting infrastructure,
- increased exposure to various forms of cyber attacks, etc.
To reduce the adverse effects of threats resulting from inappropriate IT maintenance, it is necessary to:
- Ensure appropriate maintenance of hardware, software, and supporting infrastructure, in the form of upgrades and correction of software errors, regular servicing of hardware and supporting infrastructure, replacement of obsolete and worn-out components, etc.
- Limit authorization for changes to hardware, software, and supporting infrastructure exclusively to persons with appropriate specialized knowledge and skills.
- Appropriately monitor key indicators of IT functionality, such as security alerts from the network and other parts of the IS, free capacity of data storage media, availability of server computer system resources, etc.
2.2. Application Development
Appropriate functionality and security of business applications are extremely important for the overall functionality and security of the IS. Therefore, it is particularly important to pay attention to the development of key business and other applications throughout the entire development cycle. Deficiencies in development can result in exposure to various threats, such as:
- misalignment of application features with business process needs,
- incompatibility of applications with other IT components,
- unauthorized access to sensitive data,
- errors in the functioning of applications and other IS components,
- increased exposure to various forms of cyber threats, etc.
To reduce the adverse effects of threats resulting from an inappropriate approach to application development, it is necessary to:
- Involve end users of applications in the application specification development process, so that features such as user interface, input and output data, etc., are defined in advance.
- Plan security controls during the development phase, such as user identification and resource access authorization, cryptographic mechanisms, input data controls, output data controls, etc.
- Protect application source code from unauthorized access.
- Test the functionality and security of new and modified applications before their inclusion in normal production. In addition to testing system and integration features, the functionality testing process must also include end users and collect feedback.