March 19, 2014
BSP MEMORANDUM NO. M-2014-012
TO : All BSP-Supervised Institutions
SUBJECT : Obsolescence of Information Assets
A. Risk Management Processes to Address Obsolete Information Assets
The product life cycle of an information asset generally ends when it is rendered obsolete, such as when the (1) skill required in maintaining the asset is no longer available, (2) supplier/vendor stops supporting the asset (end-of-life) or (3) format is no longer readable by more current technologies. Obsolescence heightens operational risk due to its implications for service delivery, information security and business continuity. For instance, end-of-life increases the vulnerability to malware and other attacks since the supplier/vendor no longer monitors the said asset or provides patches/security updates for it.
In line with this, BSP-supervised institutions (BSIs) should follow existing Information Technology (IT) risk management processes provided by BSP Circular No. 808 dated 22 August 2013 (including the related appendices) to address the risks brought about by obsolescence. Given that obsolescence is (1) an identified threat or (2) an event that may result in vulnerabilities to the information assets or overall IT...