The changes were made primarily in response to the SolarWinds cyberattack, which has affected many organisations around the world. The key point of the latest TRM guidance is that financial institutions such as banks, payment providers, brokerages and insurance providers must now audit the security measures and cyber-risk management of their technology vendors and suppliers. They must also determine whether secured mechanisms are used to interact with the institution's APIs that send and receive information. Source code validation may be requested from vendors as part of the new changes.
IT departments in financial institutions may find themselves with one or more of the following issues when preparing to meet new MAS compliance requirements such as mandatory vendor audits:
An IT Portfolio Management solution can help all financial institutions to assess the suppliers of their technology vendors. Here are the main advantages:
An IT Portfolio Management solution provides a single source of information for the enterprise. Having all the information, such as application records, in one place saves time when gathering information for analysis. IT Managers can then delegate responsibility for keeping information current to the specific stakeholders who hold the most up-to-date knowledge. This helps keep the information fresh, such as when a piece of software's source code was last tested, and allows frequent updates so that the information is timely.
Having baselined, structured information makes it easier to respond to new requirements: the information required can be extended from the base information already captured. Supporting information such as technology usage and vendors is already captured as standard in a solution like HOPEX ITPM. To meet the additional TRM use case, information such as vendor audits can be captured as part of the vendor information record as and when they are conducted. With a connected, contextualised way of collecting information, the compliance information builds on top of the existing information.
Collecting relevant information is only part of the work needed to meet compliance requirements; IT Managers must also quickly deliver the output that management and auditors require. Usually, that output is a consolidated view of the completeness of required activities. For example, a report may be needed to check which vendors have completed their audits and which applications those vendors provide. Tools like HOPEX ITPM can generate such reports from the information captured.
Being prepared for changes and new regulatory compliance requirements becomes easier when there is a well-defined, maintained IT Portfolio.
Using HOPEX ITPM as an IT Portfolio Management solution shows how IT information can be connected to provide a complete view of the IT landscape. With HOPEX ITPM's systematic approach and a structured, maintained information pool, IT Managers can reduce the churn of gathering and sorting through information and focus instead on engaging stakeholders in managing risk and compliance in the enterprise. HOPEX ITPM also provides an easy way to prepare reports from the contents of the IT Portfolio for stakeholders and management.