Financial Intermediary Institutions - Requirements for the Administration of Information Technology Areas.
This is to communicate to the Financial Intermediary Institutions, that, for the administration of the Information Technology Areas, a Management System must be adopted, which includes the best practices on the subject. For this purpose, these areas should consider as a guideline, the principles established in the COBIT (Control Objectives for Information and Related Technology) reference framework provided by the Information Systems Audit and Control Foundation (ISACF) in the United States of America.
The Superintendency of Financial Intermediary Institutions (Superintendencia de Instituciones de Intermediación Financiera) will evaluate such management system, considering the four domains described in COBIT which are detailed as follows:
1. Planning and Organization - Covers strategic and tactic aspects and analyzes the way Information Technology contributes to the accomplishment of the business objectives. It also refers to the planning, communication and administration for attaining strategic objectives, placing emphasis in the coordination between upper management, Information Technology services' users and the Information Technology area.
2. Aquisition and Implementation - Covers the identification, development or acquisition of technological solutions and their consecuent implementation and integration in the business process. It also covers change and maintenace of the existing systems, to guarantee the continuity of their life cycle.
3. Delivery and Support - It refers to the effective delivery or provision of services that are required for the Information Technology area, covering traditional systems operation, security, operations continuity, recovery and training aspects, as well as all the procedures and processes that are needed.
4. Monitoring - The Information Technology processes must be evaluated in a regular manner, to ensure the compliance of quality, security and control requirements. This domain covers the participation of internal and external audit, to guarantee the independence of the judgements and conclusions prepared by the Information Technology management, that are related to the controls performed over the processes.
For the purposes of this evaluation, the Superintendency (Superintendencia) will consider the application of procedures that cover an gradual adjustment to the direction in a general manner, paying attention to the particular characteristics of each entity.
Juan Pedro Cantera
Banco Central del Uruguay - Secretaría de Gerencia General
J.P.Fabini 777 esq. Florida - CP 11100 - Montevideo, Uruguay