Energy Credit Best Practices – Chapter: Information Technology http://ccro.org © Copyright 2022, CCRO. All rights reserved. 10 The NIST Cybersecurity Framework, which was first established in the mid 1980s, provides IT organizations with a standardized approach for governing Cybersecurity risks. This approach offers many benefits, including a standardized control environment resulting in management efficiencies. NIST recommendations lower IT risks while delivering greater transparency and improving credit IT system reliability. Given the abundance of existing guidance on the NIST Framework, this paper addresses those specific aspects of Cybersecurity and reliability that are germane to the Credit Information Ecosystem. 1.4.5 Understood & Documented Key elements of the Credit Information Ecosystem, including Credit Risk Models & related software applications that support credit management decision-making should be well understood by credit and IT professionals and adequately documented. Another critical aspect of maintaining a robust credit IT system is to ensure that applicable technical and process specifications, including relevant operating Systems, databases, applications, models, dependencies be documented. While IT Groups often rely upon commercial product documentation to support their operations, this detail level is insufficient for Credit Groups that must be “audit-ready” upon demand. Company internal documentation avoids the vulnerability risk created by retention of information through just one person, ensuring that institutional knowledge is maintained. The Ecosystem should also house and make readily available credit risk related documentation, including executed contracts, credit facility terms, parental and third-party guarantees, letters of credit, and trade credit insurance policies. This high level of audit readiness will improve the ability to demonstrate compliance and minimize the learning curves for new IT and Credit Group personnel. For example, new IT projects addressing credit responsibilities should always include updating existing Standard Operating Procedure. This helps keep documentation up to date and employees informed of exactly how these new Systems operate. Regularly auditing this documentation for relevancy and accuracy is also recommended. Gaps should be addressed as soon as possible, taking into consideration upcoming projects that would allow efficiency in the System documentation. Consider adding this audit step as part of the overall IT Governance processes and as a mandatory requirement of the change management process.