Energy Credit Best Practices – Chapter: Information Technology http://ccro.org © Copyright 2022, CCRO. All rights reserved. 17 based on the perceived risk of each Credit function. A more detailed description can be found in the IT best practices section of this paper under “Security”. 2.3.2 Model Requirements Information Technology models are a simple way to encapsulate standards and proven practices for conducting IT business in the Credit space without developing processes from a Greenfield Environment. While many models exist, both in the public domain and with 3rd party consulting organizations, the easiest of these models to reference as illustration of their use is the National Institute of Standards and Technology (NIST) (www.nist.org). The NIST architectural and Security models have been around in several versions since the mid- 1980s and provide IT organizations with an outlined, streamlined approach to enterprise architecture and associated Security components. Do not overlook the efficiencies and process compliance capabilities that enterprise models such as NIST could institute within IT organizations. While evaluating models, they include capabilities in the management of information, integrated Security approaches, and an emphasis on enterprise architecture standards. The more repeatable structure you can put in place with a model application, the lower the IT risk, the greater the visibility to any Security issues, and its overall benefit to operational efficiency and IT employee satisfaction. 2.3.3 System Documentation Information Technology Systems have long been known for their lack of pertinent technical and process-related documentation. Often IT leadership rely upon commercial product documentation as a sufficient level of documentation. However, it cannot be overstated how important documenting IT Systems is as it relates to the Credit business. Operating Systems, databases, applications and their associated dependencies should be documented to a point where learning curves for new IT personnel are minimized and effective. New IT projects addressing Credit should always include activities to update existing documentation (or create new documentation as needed) to keep documentation up to date and standardized. Documentation should be regularly audited for relevancy and accuracy. Gaps should be addressed as soon as possible, taking into consideration upcoming projects that would allow efficiency in system documentation. Consider adding this audit step as part of the overall IT Governance processes and as a mandatory requirement as part of the change control process for moving changes/updates into the production IT environment.