Financial Institution Letters
October 8, 1996
TO: CHIEF EXECUTIVE OFFICER
SUBJECT: Interagency Statement on the Risks to Financial Institutions Involving Client/Server Computer Systems
The interagency Federal Financial Institutions Examination Council (FFIEC) has issued the attached statement on risk management of client/server computer systems. The statement addresses the risks and fundamental controls associated with a client/server environment.
Financial institutions are increasingly placing more emphasis on departmental level client/server computer systems to develop, deliver and maintain critical information systems. Accordingly, it is important for senior management to understand the risks associated with this technology and to implement sound risk management policies, practices and controls for client/server systems.
Client/server computer systems are typically controlled at the business unit level. As such, management may implement client/server systems that have not been developed in a standardized, controlled environment. Key fundamental controls inherent in the traditional systems may be overlooked or neglected in an effort to quickly bring client/server systems into production. This more abbreviated approach can expose the institution to increased transaction, reputation, and strategic risks.
Management should ensure that appropriate risk management practices are in place for all information systems. Standard development methodologies that ensure appropriate controls need to be followed for all information systems, regardless of the methodology, platform or technology used.
During regular supervisory reviews, examiners will review each institution's client/server computer systems for appropriate controls. For more information, please contact your Division of Supervision regional office.
Distribution: FDIC-Supervised Banks (Commercial and Savings)
Note: Paper copies of FDIC financial institution letters may be obtained through the FDIC's Public Information Center, 801 17th Street, N.W., Room 100, Washington, D.C. 20434 (202-416-6949).
Attachment: RISK MANAGEMENT OF CLIENT/SERVER SYSTEMS
To: Chief Executive Officers of all Federally Supervised Financial Institutions, Senior management of each FFIEC Agency, and all examining personnel.
The purpose of this document is to alert the Boards of Directors and senior management of financial institutions to risks associated with client/server computing and to encourage the development and implementation of sound policies, practices, or procedures and controls over client/server computing environments.
The traditional approach to data processing for banking functions has been to develop and use large mainframe or midrange systems which are expensive to acquire and maintain. These systems require special physical environments and lengthy application development processes. Application developers have not always kept up with development requests that would allow financial institutions to provide faster delivery of services and products. End-users, who need immediate solutions, have become frustrated with this traditional approach to data processing. New technology is now available, at a perceived cost savings, that could satisfy end-user demand for more timely management information system solutions.
End-user needs have led to increasing acquisitions of computers and commercial off-the-shelf programs by departments, business units, and individuals to reduce their dependence on a centralized data processing environment. However, this strategy has its own limits. For example, stand-alone computers make it difficult to share information with other information systems. This problem is being solved by the development of high-speed data transmission and network file servers in client/server computing.
As a result, financial institutions are now processing mission-critical applications including funds transfer, branch automation, general ledger reporting, security portfolio accounting, and customer relationship management on client/server systems. Additionally, independent service providers (service bureaus) are also utilizing this new technology by providing these systems as part of their servicing operations to financial institutions.
It is the responsibility of the Board of Directors of financial institutions to develop and adopt appropriate policies, practices, or procedures covering management's responsibilities and controls for all areas of client/server computing activities. Management must recognize that the implementation of controls is just as important in the client/server environment as in the mainframe environment. The institution's strategic planning should clearly define the technological and control architecture. End-users and auditors must have a prominent role in the acquisition, development, and implementation of all client/server computing environments.
The existence of policies, practices, or procedures and the management supervision of client/server activities will be evaluated by examiners during regular supervisory reviews of the institution.
Client/server computing is a method of allocating data processing resources in a network so that computing power is distributed among workstations in the network. This type of computing allows integrated applications (general ledger, demand deposit accounting, loans, etc.) to share system and data resources using cooperative processing. Cooperative processing differs from traditional mainframe or distributed system processing in that each processing component is mutually dependent.
The proliferation of client/server technology introduces new risks as well as benefits. In today's competitive environment, client/server technology can be a strategic initiative of the organization, and therefore is not just a technological concern; it is also a business concern. Customer demand for flexible and timely management information has fostered its growth. Faster delivery of services, ability to leverage emerging technology, autonomy of end-users, and productivity gains from re-engineering the work flow are all potential benefits.
The client/server architecture has not evolved to the point where controls are inherent in the design, maintenance, and operation of the system. Controls are more difficult to implement effectively due to the distributed, decentralized and complex nature of the client/server environment. The tables that appear later in the paper illustrate some of the risks and controls that have been associated with client/server computing.
The appendix to this issuance identifies components and characteristics of client/server computing.
CLIENT/SERVER COMPONENTS AND CHARACTERISTICS
Components of client/server computing include:
· CLIENT A client (front-end) is a single PC or workstation associated with software that provides computer and presentation services as an interface to server resources. Presentation is usually provided by visually enhanced processing software known as a Graphical User Interface (GUI).
· SERVER A server (back-end) is one or more multi-user computer(s), usually a mainframe or a minicomputer, although it could be a PC. Server functions include any centrally supported role, such as file sharing, printer sharing, database access and management, communication services, facsimile services, application development, and others. Multiple functions may be supported by a single server.
· MIDDLEWARE This is a client/server specific term used to describe a unique class of software employed by client/server applications. This software resides between an application and the network, and manages the interaction between the GUI front-end and data servers in the back-end. It facilitates the client/server connections over the network and also allows client applications to access and update remote databases and mainframe files.
Characteristics of client/server computing include:
· DISTRIBUTED Most commonly, a server is a distinct computer that serves from a few to any number of client systems. It is feasible to have clients and servers on the same computer. The server may be in the same room as its clients, or it may be across town or around the world.
· DECENTRALIZED Client/server systems are typically installed, administered, and operated by a business unit, rather than a centralized computing facility.
· COMPLEX Client/server systems usually involve multiple clusters of computers linked by high-speed communication lines.