Based on Article 15, point 7 of the Act on the Croatian Financial Services Supervisory Agency (Official Gazette No. 145/05 and 12/12), the Management Board of the Croatian Financial Services Supervisory Agency adopted on 21 December 2022 at its meeting:
GUIDELINES ON APPROPRIATE RISK MANAGEMENT FOR INFORMATION SYSTEMS OF SUPERVISED ENTITIES
I. INTRODUCTORY PROVISIONS
1. Meaning of Terms
Supervised entities (hereinafter: entities) are defined in Article 2 of the Act on the Croatian Financial Services Supervisory Agency (Official Gazette No. 140/05 and 12/12) as all legal or natural persons engaged in providing financial services, advising on the financial market, selling, brokering, or managing assets of financial service users.
Information system of entities (IS) is a system of mutually connected organizational, technological, and human elements of entities involved in data processing processes, aiming to manage information necessary for achieving business objectives.
Information technology (IT) is an element of IS, whose purpose is the automation of data processing. IT includes:
• hardware components:
- personal, portable and server computers as well as peripheral devices such as keyboards, screens, etc.,
- smart mobile devices,
- active and passive network and telecommunications equipment,
- data storage media,
- supporting infrastructure, such as electrical power supplies, air conditioning units, cables, etc.
• software components:
- operating systems,
- databases,
- system servers such as email servers, etc.,
- system applications,
- business applications,
- development tools.
Users of the information system (IS users) are all legal and natural persons who, as employees of the entity, external collaborators, clients, regulatory institutions, or in any other role, participate in data processing processes.
Data processing encompasses all manual or automated activities related to data throughout their entire lifecycle, such as:
• collection,
• input,
• storage,
• transfer,
• viewing,
• display,
• transformation,
• combining or integrating,
• retrieval,
• archiving,
• analysis,
• protection,
• enabling access and making available,
• blocking, and
• deletion or destruction.
Information system resources (IS resources) enable the implementation of data processing processes appropriate to business needs, and include:
• data and information,
• business users of the IS,
• entity employees authorized to manage the IS and IT,
• external collaborators participating in the management of the IS and IT,
• information technology,
• professional knowledge,
• contracts and licenses,
• internal acts and other documentation, as well as
• financial resources.
Information system risk (IS risk) refers to the probability that a specific threat, by exploiting vulnerabilities of IS resources, will have a negative impact on the entity's operations.
Information system risk management (IS risk management) is a continuous process encompassing:
• identification of IS resources,
• identification of threats to IS resources,
• identification of vulnerabilities of IS resources,
• assessment of IS risks and their potential adverse impact,
• selection of measures for handling assessed IS risks,
• application of measures for handling assessed IS risks,
• monitoring of assessed IS risks and applied measures for their reduction, as well as
• improvement of the risk management process.
Sensitive data or information refers to those data or information whose impairment of confidentiality, integrity, or availability would cause negative consequences for the entity's operations.
2. Objectives, Purpose and Scope
2.1. Objectives
Entities subject to the supervision of the Croatian Financial Services Supervisory Agency (Hanfa) are exposed in their operations to operational risks, which include IS risks. By adopting and publishing the Guidelines, Hanfa aims to achieve the following objectives:
• development of entities' awareness regarding IS risks, with particular emphasis on risks related to the use of IT, and
• informing supervised entities about good practices for mitigating IS risks.
Hanfa expects that understanding and applying the measures and procedures described in the Guidelines will contribute to the quality of IS risk management by entities, thereby reducing entities' overall exposure to operational risks.
2.2. Purpose
The Guidelines are intended for entities, and especially:
• members of entity management boards,
• responsible persons in organizational units for managing entity IT,
• persons responsible for the security of entity IS or IT,
• persons responsible for managing relationships with external IT service providers,
• persons responsible for managing the business continuity process of entities, and
• persons performing internal control functions of entities.
Hanfa may additionally prescribe criteria and procedures for IS and IS risk management by other acts for certain groups of entities, which should be considered when understanding and applying the Guidelines. Furthermore, acts prescribed by the European Union relating to risk management concerning IS use should also be taken into account.
2.3. Scope
The Guidelines cover the following:
- Key aspects of IS risk management:
• fundamental principles of IS risk management,
• identification, assessment, and handling of IS risks,
• protection against cyber threats and IS risks,
- Measures and procedures for reducing IS risks:
• organization and management of the IS,
• development and maintenance of the IS,
• internal controls and audits of the IS,
• change management in the IS,
• IS process outsourcing,
• business continuity and disaster recovery,
• physical and environmental security,
• logical access controls,
• computer network security,
• security of portable devices and data storage media,
• increasing awareness of IS security,
• incident management,
• management of operational and system records, as well as
• protection against malicious code.
II. KEY ASPECTS OF INFORMATION SYSTEM RISK MANAGEMENT
1. Fundamental Principles of Information System Risk Management
Risk management processes are an integral part of daily operations. Entities, at the very least, experientially and intuitively recognize risks threatening the achievement of business objectives and take measures to bring these risks down to an acceptable level. A systematic approach to identifying and applying measures and procedures, through the risk management process, can bring additional advantages compared to the intuitive or experiential approach, such as:
• higher quality protection of important business processes and resources,
• lower probability of overlooking risks to which the entity is exposed,
• lower probability of non-compliance with applicable regulations,
• higher quality support for business decision-making,
• lower probability of inefficient spending on protective measures,
• less time spent on managing protective measures, and others.
The Guidelines below describe the basic procedures in the systematic process of identifying, assessing, and treating risks.
The focus of the IS risk management process is on information, as the most important IS resource.
The type and purpose of information depends on the industry, market, products and services offered, and many other factors. Examples of information that entities can manage in their operations include:
• information on offered products and services,
• customer information,
• information on monetary transactions, and the like.
The availability of accurate and timely information can affect the making of correct business decisions, as well as compliance with applicable regulations. Unauthorized access to sensitive information can lead to loss of competitive advantage, loss of customer confidence, and also non-compliance with applicable regulations.
Viewed from the perspective of information security, information has three key properties whose impairment represents a risk to entity operations:
- Confidentiality is the property of information that it is available exclusively to persons and systems with valid authorization. Some examples of consequences of impaired information confidentiality are:
• loss of competitive advantage (e.g., by disclosing new product characteristics to competitors),
• loss of customer confidence (e.g., by leaking customers' personal data into the public domain),
• non-compliance with applicable regulations (e.g., leaking customers' personal data may constitute a violation of personal data protection regulation),
• financial losses (e.g., leaking customers' personal data may trigger customer lawsuits and result in monetary payments to cover compensation claims).
- Integrity is the property of information that there is reasonable confidence in its accuracy, i.e. that it has not been modified in an unauthorized or unforeseen way by accidental or intentional action; this also covers the subsequent addition, modification, or deletion of information without a traceable record of the activity performed. Some examples of consequences of impaired information integrity are:
• making incorrect business decisions (e.g., due to inaccurate information presented in an important management report),
• loss of customer confidence (e.g., due to incorrectly calculated and charged service or product price),
• non-compliance with applicable regulations (e.g., due to inaccurate information in reports intended for the regulator).
- Availability is the property of information that it is available to authorized persons and systems when needed and within an acceptable timeframe. Some examples of consequences of impaired information availability are:
• inability to deliver products and services to customers (e.g., due to unavailability of information on customer contractual relationships),
• non-compliance with applicable regulations (e.g., due to unavailability of information necessary for compiling reports that must be submitted to the regulator within a set deadline),
• inability to fulfill contractual obligations (e.g., due to unavailability of information on transaction accounts or the inability to issue payment orders).
Adverse effects of IS risks result from the impairment of the aforementioned information properties, and arise from the operation of threats, which realize these adverse effects by exploiting vulnerabilities of IS resources. For this reason, it is important to identify threats and vulnerabilities of IS resources and assess IS risks and their adverse effects, according to which appropriate measures should be applied.
2. Identification, Assessment and Handling of Information System Risks
A basic prerequisite for identifying and assessing IS risks is knowing the business objectives, business strategy, and business processes of the entity, so that the real impact of IS risks on operations can be assessed.
Furthermore, it is necessary to identify all IS resources that play a role in achieving business objectives and strategy, as well as supporting business processes, and then assess their importance in these roles. It is particularly important to understand the interdependencies of IS resources. For example, if some information is critical for a key business process, the database server on which that information is stored will also be critical, as well as the operating system and the server computer itself, but also the network equipment that enables information availability via a personal computer to the end user.
IS risks arise from the operation of threats. Threats are usually divided, depending on their place of origin, into internal and external.
Some internal threats may include:
• internal fraud,
• unauthorized access to information from within,
• theft of IS resources,
• errors in data entry into applications,
• unintentional disclosure of confidential information.
Some external threats may include:
• hacking attacks,
• malicious code,
• social engineering,
• epidemics,
• natural disasters.
Identified threats must be placed in the context of vulnerabilities of IS resources, which some threats may exploit to cause an adverse effect. Some vulnerabilities may include:
• lack of protection against malicious code,
• inappropriate firewall configuration,
• access to business applications that is not controlled by user identity verification,
• a low level of employee awareness regarding IS security,
• lack of an uninterruptible power supply system.
Ultimately, by knowing vulnerabilities, threats, and their adverse effects on operations, IS risks can be assessed through two of their fundamental properties:
• probability that a threat will exploit an IS resource vulnerability, and
• level of adverse impact if the threat successfully exploits the vulnerability.
An example of the described process may look as follows:
• The customer service delivery process depends on the availability of customer information, which includes data such as first name, last name, address, type of contracted service, and the like.
• Customer information is stored on a database server. A power outage, which occurs on average four times a year for a duration of four hours, would cause the database server to stop working, as an uninterruptible power supply system has not been implemented.
• As long as the database server does not function, the entity is unable to provide services to customers and thus remains without potential financial revenues, with a high probability of impaired reputation and customer confidence.
The decision on how to handle IS risks generally depends on the risks themselves and the value of exposed processes and resources.
Risk management approaches can generally be divided into:
• Avoidance - implies mitigating risks by eliminating the risky process or IS resource. Following the previous example, the entity concluded that its risk was unacceptable and that the financial cost of investing in an uninterruptible power supply system was also unacceptable, and decided to remove the database server from use and keep all customer information on paper documents. In this way, the vulnerability that could be exploited by the threat of power supply interruption is eliminated.
• Reduction - implies mitigating risks by implementing measures that reduce the risk. Following the previous example, the entity concluded that its risk was unacceptable. By analyzing the costs of purchasing and annual maintenance of the uninterruptible power supply system, the entity concluded that the costs are lower than potential lost revenues and losses caused by impaired reputation, and decides to implement it, thereby reducing the identified risk.
• Acceptance - implies accepting the potential consequences of the adverse effect of the risk. Following the previous example, the entity is aware of the risk but has concluded that the costs of purchasing and annual maintenance of the uninterruptible power supply system are higher than potential lost revenues and losses caused by impaired reputation, and decides to accept the risk without implementing additional measures.
• Transfer - implies transferring the consequences of the adverse effect of the risk to other physical or legal persons. For example, by insuring a key resource with an insurance company against various adverse events.
Some risks cannot be deemed acceptable regardless of the costs of implementing control measures – for example, risks that result in endangering human lives or committing criminal offenses.
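A worked version of the assessment and treatment decision described above, as an added example that is not part of the Guidelines. It models a risk as likelihood (expected event frequency) times impact (loss per event), computes the annual loss expectancy, and then selects among the four treatment approaches (avoidance, reduction, acceptance, transfer) the cheapest option whose residual exposure fits a stated risk appetite. The outage frequency and duration (four times a year, four hours) come from the Guidelines' database-server example; every monetary figure, the residual-risk fractions, the risk appetite, and the class and function names (`Risk`, `Option`, `select_treatment`, and so on) are constructed assumptions. The example also handles the case the last paragraph raises: a risk flagged as intolerable (endangering lives, constituting a criminal offence) can never be "accepted", whatever the cost comparison says.

```python
"""Quantitative IS risk assessment and treatment selection.

Added example, not part of the Hanfa Guidelines. All monetary figures,
residual-risk fractions and the risk appetite are constructed for
illustration; only the outage frequency (4 per year) and duration
(4 hours) follow the Guidelines' database-server example.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Treatment(Enum):
    AVOID = "avoidance"
    REDUCE = "reduction"
    ACCEPT = "acceptance"
    TRANSFER = "transfer"


@dataclass(frozen=True)
class Risk:
    resource: str
    threat: str
    vulnerability: str
    events_per_year: float     # likelihood, expressed as expected event frequency
    hours_per_event: float     # duration of the adverse effect per event
    loss_per_hour: float       # impact, in monetary units per hour of outage
    intolerable: bool = False  # True if realisation endangers lives or is a criminal offence

    def annual_loss_expectancy(self) -> float:
        """Likelihood x impact, annualised: the untreated exposure."""
        return self.events_per_year * self.hours_per_event * self.loss_per_hour


@dataclass(frozen=True)
class Option:
    treatment: Treatment
    annual_cost: float        # yearly cost of the measure (purchase/maintenance, premium, ...)
    residual_fraction: float  # share of the untreated exposure that remains after the measure


def evaluate(risk: Risk, option: Option) -> tuple[float, float]:
    """Return (residual annual loss, total annual cost including the measure)."""
    residual = risk.annual_loss_expectancy() * option.residual_fraction
    return round(residual, 2), round(residual + option.annual_cost, 2)


def select_treatment(risk: Risk, options: list[Option], appetite: float) -> tuple[Treatment, float]:
    """Pick the cheapest option whose residual exposure stays within the risk appetite.

    Acceptance is never a candidate for an intolerable risk, regardless of
    how the costs compare (Guidelines, section II.2, last paragraph).
    """
    candidates: list[tuple[float, Treatment]] = []
    for opt in options:
        if risk.intolerable and opt.treatment is Treatment.ACCEPT:
            continue
        residual, total = evaluate(risk, opt)
        if residual <= appetite:
            candidates.append((total, opt.treatment))
    if not candidates:
        raise ValueError(f"no treatment brings {risk.resource!r} within appetite {appetite}")
    total, treatment = min(candidates, key=lambda c: c[0])
    return treatment, total


# --- Constructed scenario following the Guidelines' example -----------------
DB_SERVER_OUTAGE = Risk(
    resource="database server holding customer information",
    threat="power supply interruption",
    vulnerability="no uninterruptible power supply (UPS)",
    events_per_year=4,       # from the Guidelines' example
    hours_per_event=4,       # from the Guidelines' example
    loss_per_hour=2_500.0,   # constructed: lost revenue plus reputational cost per hour
)

TREATMENT_OPTIONS = [
    Option(Treatment.ACCEPT, annual_cost=0.0, residual_fraction=1.0),
    Option(Treatment.REDUCE, annual_cost=6_000.0, residual_fraction=0.05),    # UPS: annualised purchase + maintenance
    Option(Treatment.TRANSFER, annual_cost=9_000.0, residual_fraction=0.25),  # insurance: premium + uncovered share
    Option(Treatment.AVOID, annual_cost=30_000.0, residual_fraction=0.0),     # paper records: manual-processing cost
]

RISK_APPETITE = 5_000.0  # constructed: maximum tolerated residual annual loss

if __name__ == "__main__":
    print("Annual loss expectancy:", DB_SERVER_OUTAGE.annual_loss_expectancy())
    treatment, total = select_treatment(DB_SERVER_OUTAGE, TREATMENT_OPTIONS, RISK_APPETITE)
    print(f"Chosen treatment: {treatment.value} (total expected annual cost {total})")
```

With the constructed figures the untreated exposure is 40,000 per year, so only reduction (UPS) and avoidance keep the residual within appetite, and reduction is the cheaper of the two. Lowering `loss_per_hour` so that the UPS costs more than the outages it prevents makes acceptance the selected option, which is the decision the Guidelines describe for that case; setting `intolerable=True` on the same risk forces a real control instead.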
III. MEASURES AND PROCEDURES FOR REDUCING INFORMATION SYSTEM RISKS
The Guidelines below describe some measures that belong to good practices for reducing IS risks, with particular emphasis on those recommended regardless of the properties of the entity's IS. The entities themselves decide on the implementation method of recommendations and the choice of technical solutions that may be used, based on their own risk assessment, guided by the principle of proportionality to identify optimal solutions for their IS.
1. Organization and Management of the Information System
1.1. Entity Management Board
The functioning of the entity's IS largely depends on the support of the entity management board. The management is responsible for organization, strategic decision-making, resource allocation, and making rules and procedures in the context of IS management, which includes processes outsourced to external service providers. If the entity's management is not appropriately involved in IS management, the entity may be exposed to risks such as misalignment of business development strategy and IS development, as well as inefficient spending on IS development and maintenance.
To reduce IS risks, the entity management board applies the following measures and procedures:
• Establishment of an appropriate organizational structure necessary for IS functionality and security, in accordance with the entity's business objectives.
• Ensuring resources necessary for appropriate IS functionality and security, primarily in the context of professional staff, hardware, software, and supporting infrastructure.
• Appointment of a responsible person for managing IT processes and operations.
• Ensuring continuous awareness of the management regarding relevant facts related to IS functioning and security, either through informal communication with persons responsible for IS functioning and security or through a formal reporting system.
• Alignment of IS development strategy with the entity's business strategy.
According to its own risk assessment, the entity management board may additionally apply the following measures and procedures:
• Formation of an IS management committee. It is common practice for responsible persons from business organizational units and internal control systems, along with management members and persons responsible for IS security and functionality, to participate in the work of the IS management committee. The committee's work is manifested through joint meetings, where key questions of IS functionality and security are discussed. In this way, communication between participants is facilitated, problems in mutual cooperation are resolved, and the alignment of actions of organizational units responsible for ensuring IS functionality and security with other organizational units is improved.
• Separation of the IS security management function from other tasks related to IS. Security and functional objectives of the IS may conflict in some situations, hence the practice of separating these functions by assigning them to different persons.
• Separation of mutually incompatible duties in the IT management process, for example, system administrator from application programmer, application programmer from database administrator, system administrator from network administrator, and others. Assigning these functions to different employees allows them greater focus on the duties for which they are specialized, while simultaneously limiting potential damage that could result from intentional harmful action by one of the employees mentioned in the example.
• Formation of an internal control system for IS. Internal controls, in the form of internal audit, risk assessment, or compliance functions, which are independent from other tasks related to IS functionality or security, can contribute to higher quality IS risk management.
• Documentation and adoption of policies, rules, standards, guidelines, instructions, and work procedures in the IS.
1.2. Human Resources
Human action, intentional or unintentional, can expose the IS to significant risks. Examples of threats resulting from human action are:
• errors in working with applications,
• unintentional or intentional disclosure of confidential data,
• errors in IS development and maintenance,
• improper handling of IT equipment, and others.
To reduce adverse effects of threats resulting from human action, it is necessary to ensure that employees:
• have appropriate knowledge and skills regarding the use of business applications,
• have appropriate knowledge and skills regarding the use of other IT resources they use when performing work tasks, such as the Internet, electronic mail, and the like,
• responsible for IS management, development, and maintenance have appropriate knowledge and skills for the duties they perform, and
• have an appropriate level of awareness regarding IS security.
According to their own risk assessment, entities may additionally apply the following measures:
• Establishment of a candidate verification process. The process may include verification of the truthfulness of statements regarding work experience and education, verification of criminal records, and the like. Such and similar verifications reduce the possibility of employing persons who could pose a security risk to the IS.
• Establishment of a continuous employee education process aimed at increasing awareness of IS security, which may include planning and implementing education as well as collecting feedback from participants.
2. Development and Maintenance of the Information System
2.1. Information Technology Maintenance
Hardware, software and supporting infrastructure require continuous maintenance to ensure their appropriate functionality. Unmaintained infrastructure may be exposed to various threats, such as:
• errors in the functioning of operating systems and applications,
• failures in computers and network equipment,
• failures in supporting infrastructure,
• increased exposure to various forms of cyber attacks, and others.
To reduce adverse effects of threats resulting from inappropriate IT maintenance, it is necessary to:
• Ensure appropriate maintenance of hardware, software and supporting infrastructure, in the form of upgrades and correction of software errors, regular servicing of hardware and supporting infrastructure, replacement of obsolete and worn-out components, and the like.
• Limit modification authorizations for hardware, software and supporting infrastructure exclusively to persons who have the appropriate professional knowledge and skills.
• Appropriately monitor key IT functionality indicators, such as security notifications on network and other parts of the IS, free capacity of data storage media, availability of server computer system resources, and the like.
2.2. Application Development
Appropriate functionality and security of business applications are extremely important for the overall functionality and security of the IS. Therefore, it is particularly important to pay attention to the development of key business and other applications throughout the entire development cycle. Deficiencies in development can result in exposure to various threats, such as:
• misalignment of application features with business process needs,
• incompatibility of applications with other IT components,
• unauthorized access to sensitive data,
• errors in the functioning of applications and other IS components,
• increased exposure to various forms of cyber threats, and others.
To reduce adverse effects of threats resulting from inappropriate application development approaches, it is necessary to:
• Involve end-users in the application specification drafting process, so that features such as user interface, input and output data, and the like are defined in advance.
• Plan security controls during the development phase, such as user identification and resource authorization, cryptographic mechanisms, input data controls, output data controls, and the like.
• Protect application source code from unauthorized access.
• Test the functionality and security of new and modified applications before their inclusion in normal production. In addition to testing system and integration features, end-users must also be included in the functional testing process and feedback obtained.