
FFIEC Information Technology Examination Handbook - Development, Acquisition, and Maintenance, August 2024



AD ID

0003980

AD STATUS

FFIEC Information Technology Examination Handbook - Development, Acquisition, and Maintenance, August 2024

ORIGINATOR

US Federal Financial Institutions Examination Council (FFIEC)

TYPE

Audit Guideline

AVAILABILITY

Free

SYNONYMS

FFIEC IT Examination Handbook - Development, Acquisition, and Maintenance, August 2024

FFIEC Information Technology Examination Handbook - Development, Acquisition, and Maintenance

EFFECTIVE

2024-08-29

ADDED



Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within FFIEC Information Technology Examination Handbook - Development, Acquisition, and Maintenance, August 2024 that has been tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.

Dictionary Terms – The dictionary terms listed for FFIEC Information Technology Examination Handbook - Development, Acquisition, and Maintenance, August 2024 are based upon terms found within the Authority Document's defined terms section (which most legal documents have), its glossary, or, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone
21 Mandated Controls (bold), 30 Implied Controls (italic), 495 Implementation Controls (regular)

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
546 Total
  • Audits and risk management
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular
    TYPE    CLASS
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain an audit program. CC ID 00684 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621 Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155
    [Examiners should review the following: Project audit reports to determine whether the audit function provides independent, objective assurance of the effectiveness of an entity's development, acquisition, and maintenance activities. II Action Summary ¶ 2 Bullet 4
    Examiners should review the following: Acquisition and procurement-related audits. VI Action Summary ¶ 2 Bullet 6]
    Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161
    [Review past reports for outstanding issues or previous problems. Consider the following: Regulatory reports of examination. App A Objective 1:1a]
    Establish/Maintain Documentation Detective
    Review the issues of non-compliance from past audit reports. CC ID 01148
    [Review management's response to issues raised during, or since, the last examination. Consider the following: Existence of any outstanding issues. App A Objective 1:2c]
    Establish/Maintain Documentation Detective
    Implement a corrective action plan in response to the audit report. CC ID 06777 Establish/Maintain Documentation Corrective
    Review management's response to issues raised in past audit reports. CC ID 01149
    [Review management's response to issues raised during, or since, the last examination. Consider the following: Resolution of root causes rather than just specific issues. App A Objective 1:2b
    {corrective action} Review management's response to issues raised during, or since, the last examination. Consider the following: Whether management has taken positive action toward correcting exceptions reported in audit and examination reports. App A Objective 1:2d]
    Audits and Risk Management Detective
  • Human Resources management
    29
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1
    The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1]
    Establish Roles Preventive
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources Management Preventive
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Establish/Maintain Documentation Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources Management Preventive
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Establish/Maintain Documentation Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Establish/Maintain Documentation Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources Management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources Management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Establish Roles Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources Management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662
    [Board members should have appropriate knowledge of risks to provide a credible challenge to management responsible for development, acquisition, and maintenance functions. II.B.1 ¶ 1 Bullet 1 Sub-Paragraph 1
    {high risk} When evaluating whether to enter into a relationship with a third party, an entity's management typically determines whether a written contract is needed; and, if the proposed contract can meet the entity's business goals and risk management needs, then entity management typically negotiates appropriate contract provisions for development, acquisition, and maintenance activities. In certain circumstances, it may be advantageous to negotiate initial development, acquisition, and maintenance contracts with other organizations (e.g., banking associations or user groups). As part of its oversight responsibilities, the board should be aware of—and, as appropriate, may approve or delegate approval of—contracts involving higher-risk development, acquisition, and maintenance activities. Refer to the Interagency Guidance on Third-Party Relationships: Risk Management and FFIEC IT Handbook's "Outsourcing Technology Services" booklet for more information on contract negotiation concepts. IV.P.3 ¶ 1
    {be effective} Development is the systematic application of knowledge toward the production of useful materials, devices, and systems. In this context, it involves the processes of defining, designing, developing, testing, and implementing systems or components. Development includes validation and demonstration of a chosen technology, use of test and production environments, improvement of developed prototypes, integration into systems and subsystems, and hardware builds. Understanding development concepts is important to all entities whether development is performed in-house or by a third party on the entity's behalf. Additionally, development can be a complex topic, which requires the entity's board, senior management, and business line management to understand risks and communicate effectively. For entities that develop or modify their own systems and software, effective management requires training in secure design and coding techniques of those responsible for development. If formal standards are not in place and development processes are not controlled, the following can occur, affecting confidentiality, integrity, availability, and resilience: V ¶ 1]
    Human Resources Management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources Management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources Management Corrective
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1
    IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2]
    Establish Roles Preventive
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764
    [Examiners should review the following: Charters (e.g., board, management, or committee), organizational charts, relevant documentation, and practices to determine whether appropriate roles and responsibilities are identified and assigned with suitable decision-making authority. II Action Summary ¶ 2 Bullet 2]
    Establish Roles Preventive
    Document and communicate role descriptions to all applicable personnel. CC ID 00776 Establish Roles Detective
    Assign and staff all roles appropriately. CC ID 00784 Testing Detective
    Delegate authority for specific processes, as necessary. CC ID 06780 Behavior Preventive
    Implement a staff rotation plan. CC ID 12772 Human Resources Management Preventive
    Rotate duties amongst the critical roles and positions. CC ID 06554 Establish Roles Preventive
    Place Information Technology operations in a position to support the business model. CC ID 00766 Business Processes Preventive
    Review organizational personnel successes. CC ID 00767 Business Processes Preventive
    Implement personnel supervisory practices. CC ID 00773 Behavior Preventive
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2
    Examiners should review the following: Segregation of duties in development, acquisition, and maintenance activities. IV Action Summary ¶ 2 Bullet 5
    Independence: Quality management personnel should be independent of the project they are reviewing to objectively assess elements, such as progress, problem resolution, documentation, and adequacy of the project. IV.K ¶ 3 Bullet 7
    {be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1]
    Testing Detective
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960
    [{be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1]
    Technical Security Preventive
    Evaluate the staffing requirements regularly. CC ID 00775 Business Processes Detective
    Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779 Behavior Preventive
  • Leadership and high level objectives
    208
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Monitor and Evaluate Occurrences Preventive
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Establish/Maintain Documentation Preventive
    Analyze the business environment in which the organization operates. CC ID 12798
    [Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2]
    Business Processes Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Process or Activity Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Process or Activity Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Process or Activity Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Process or Activity Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Process or Activity Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Process or Activity Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Process or Activity Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Process or Activity Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Process or Activity Preventive
    Align assets with business functions and the business environment. CC ID 13681 Business Processes Preventive
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Communicate Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Monitor and Evaluate Occurrences Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Monitor and Evaluate Occurrences Preventive
    Analyze the external environment in which the organization operates. CC ID 12799 Business Processes Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960 Process or Activity Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Monitor and Evaluate Occurrences Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Business Processes Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Monitor and Evaluate Occurrences Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Business Processes Preventive
    Include society in the analysis of the external environment. CC ID 12963 Business Processes Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Business Processes Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Business Processes Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904 Business Processes Preventive
    Include threats in the analysis of the external environment. CC ID 12898 Business Processes Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Business Processes Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Business Processes Preventive
    Include technology in the analysis of the external environment. CC ID 12837 Business Processes Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Business Processes Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Business Processes Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959 Establish/Maintain Documentation Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Process or Activity Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Process or Activity Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Process or Activity Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Business Processes Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Business Processes Preventive
    Prioritize organizational objectives. CC ID 09960 Business Processes Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Business Processes Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Establish/Maintain Documentation Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Communicate Preventive
    Include value distribution in the value generation model. CC ID 15603 Establish/Maintain Documentation Preventive
    Include value retention in the value generation model. CC ID 15600 Establish/Maintain Documentation Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Establish/Maintain Documentation Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Establish/Maintain Documentation Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Establish/Maintain Documentation Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Establish/Maintain Documentation Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Establish/Maintain Documentation Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Establish/Maintain Documentation Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Establish/Maintain Documentation Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Establish/Maintain Documentation Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Communicate Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Communicate Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Business Processes Preventive
    Identify all interested personnel and affected parties. CC ID 12845
    [The project's initiation phase begins with identifying stakeholders who determine the project's purpose, scope, and final deliverables. The following would typically be completed during this phase: IV.N.1(a) ¶ 1
    {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1]
    Process or Activity Detective
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Process or Activity Preventive
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2
    Validating stakeholder support and engagement. IV.N.2 ¶ 3 Bullet 3]
    Business Processes Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998
    [Examiners should review the following: Inventory of all systems and components (e.g., open-source, proprietary, application programming interfaces [API], and container images and registries), including related licenses, and data as part of IT asset management (ITAM). IV Action Summary ¶ 2 Bullet 3
    A distributed service registry should be deployed for large microservices applications, and data consistency should be maintained among multiple service registry instances. IV.G ¶ 6 Bullet 7]
    Establish/Maintain Documentation Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Establish/Maintain Documentation Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Establish/Maintain Documentation Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Establish/Maintain Documentation Preventive
    Include the data source in the data governance and management practices. CC ID 17211 Data and Information Management Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Establish/Maintain Documentation Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Establish/Maintain Documentation Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Establish/Maintain Documentation Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Establish/Maintain Documentation Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Establish/Maintain Documentation Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Establish/Maintain Documentation Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Establish/Maintain Documentation Preventive
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Data and Information Management Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Data and Information Management Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Data and Information Management Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Data and Information Management Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Data and Information Management Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Data and Information Management Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Data and Information Management Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Data and Information Management Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Data and Information Management Preventive
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Establish/Maintain Documentation Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Data and Information Management Preventive
    Approve the data classification scheme. CC ID 13858 Establish/Maintain Documentation Detective
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Communicate Preventive
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Establish/Maintain Documentation Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Establish/Maintain Documentation Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Establish/Maintain Documentation Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Establish/Maintain Documentation Preventive
    Include format requirements for data elements in the data dictionary. CC ID 17108 Data and Information Management Preventive
    Include notification requirements for data elements in the data dictionary. CC ID 17107 Data and Information Management Preventive
    Ensure the data dictionary is complete and accurate. CC ID 13527 Investigate Detective
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Establish/Maintain Documentation Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Establish/Maintain Documentation Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Establish/Maintain Documentation Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Establish/Maintain Documentation Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Establish/Maintain Documentation Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Establish/Maintain Documentation Preventive
    Include the data source in the data dictionary. CC ID 13519 Establish/Maintain Documentation Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Establish/Maintain Documentation Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Establish/Maintain Documentation Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Communicate Preventive
    Establish, implement, and maintain data reconciliation procedures. CC ID 17118 Data and Information Management Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Establish/Maintain Documentation Preventive
    Involve all stakeholders in the architecture review process. CC ID 16935 Process or Activity Preventive
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Establish/Maintain Documentation Preventive
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Behavior Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Establish/Maintain Documentation Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604 Monitor and Evaluate Occurrences Detective
    Monitor for new Information Security solutions. CC ID 07078 Monitor and Evaluate Occurrences Detective
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Technical Security Detective
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Communicate Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Establish/Maintain Documentation Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Establish/Maintain Documentation Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Establish/Maintain Documentation Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Establish/Maintain Documentation Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Communicate Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Communicate Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006
    [Scalability: Projects vary in size and complexity. Quality management standards should match project characteristics and risks and may differ by project size and type. Quality reviews may consider whether the entity's systems and components can scale, as necessary. IV.K ¶ 3 Bullet 4]
    Establish/Maintain Documentation Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Establish/Maintain Documentation Preventive
    Enforce a continuous Quality Control system. CC ID 01005
    [Validating that any changes are authorized, quality is maintained, scope creep is mitigated, and stakeholders are informed. IV.N.2 ¶ 4 Bullet 3]
    Business Processes Detective
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Testing Detective
    Establish, implement, and maintain a Quality Management program. CC ID 07201
    [Examiners should review the following: Evaluation process (e.g., post-implementation review, stakeholder interview, problem documentation and resolution, cost-benefit analysis, and reports to senior management) for development, acquisition, and maintenance projects. IV Action Summary ¶ 2 Bullet 13
    Quality management is a critical part of well-managed development, acquisition, and maintenance activities. Comprehensive quality management, risk management, and testing standards provide a means to manage project risks and promote expected functionality, security, and interoperability in systems and components in a secure, resilient manner. Quality management policies, standards, and procedures should be applied to internally and externally developed programs and should address the following: IV.K ¶ 3
    Generally, IT project plans consider the following: Quality management tasks (e.g., testing both developed systems and patches for procured systems). IV.N.3(d) ¶ 1 Bullet 5]
    Establish/Maintain Documentation Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Communicate Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Communicate Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501
    [Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9]
    Business Processes Corrective
    Include quality objectives in the Quality Management program. CC ID 13693 Establish/Maintain Documentation Preventive
    Include monitoring and analysis capabilities in the quality management program. CC ID 17153 Monitor and Evaluate Occurrences Preventive
    Include records management in the quality management system. CC ID 15055 Establish/Maintain Documentation Preventive
    Include risk management in the quality management system. CC ID 15054 Establish/Maintain Documentation Preventive
    Include data management procedures in the quality management system. CC ID 15052 Establish/Maintain Documentation Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Establish/Maintain Documentation Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Establish/Maintain Documentation Preventive
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Systems Design, Build, and Implementation Preventive
    Include resource management in the quality management system. CC ID 15026 Establish/Maintain Documentation Preventive
    Include communication protocols in the quality management system. CC ID 15025 Establish/Maintain Documentation Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Establish/Maintain Documentation Preventive
    Include technical specifications in the quality management system. CC ID 15021 Establish/Maintain Documentation Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
    [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6]
    Establish/Maintain Documentation Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Establish/Maintain Documentation Preventive
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Business Processes Detective
    Include program testing standards in the Quality Management program. CC ID 01017 Establish/Maintain Documentation Preventive
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Business Processes Detective
    Include system testing standards in the Quality Management program. CC ID 01018 Establish/Maintain Documentation Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824
    [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6
    Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9]
    Systems Design, Build, and Implementation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Establish/Maintain Documentation Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1]
    Business Processes Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Establish Roles Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765 Establish Roles Detective
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151
    [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3
    Examiners should review the following: Board and committee minutes to evaluate how the entity prioritizes projects relative to business goals and objectives, evaluates the project's effect on operations, and monitors and supports projects during execution. IV.N Action Summary ¶ 2 Bullet 2]
    Establish/Maintain Documentation Detective
    Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1
    Additionally, the board generally approves Policies and standards. II.B.1 ¶ 1 Bullet 1 Sub-Bullet 2]
    Establish Roles Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security planning procedures. CC ID 14060
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Communicate Preventive
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628
    [Examiners should review the following: Enterprise-wide IT policies, procedures, and standards describing the entity's requirements throughout the development, acquisition, and maintenance life cycle. II Action Summary ¶ 2 Bullet 1
    Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1]
    Establish/Maintain Documentation Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Establish/Maintain Documentation Preventive
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Human Resources Management Preventive
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Establish/Maintain Documentation Preventive
    Include the information integrity goals in the Information Governance Plan. CC ID 10057 Establish/Maintain Documentation Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Establish/Maintain Documentation Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408 Establish/Maintain Documentation Preventive
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Business Processes Corrective
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 Business Processes Preventive
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Establish/Maintain Documentation Preventive
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Information Technology project plans. CC ID 16944
    [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3
    Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2
    Planning, particularly in the project's early stages, should help the project team and management coordinate development activities and manage risks effectively. Planning helps the project team and management add or clarify the project's specific activities, resources, costs, and benefits. A critical part of planning is to coordinate stakeholder discussions to identify and document as many of the entity's functional, security, and network requirements as possible. IV.O.1(a) ¶ 3]
    Establish/Maintain Documentation Preventive
    Submit closure reports at the conclusion of each information technology project. CC ID 16948
    [If a project is discontinued before implementation, determining and documenting the reasons for the abnormal project closure for use by future project teams. IV.N.2 ¶ 5 Bullet 2]
    Actionable Reports or Measurements Preventive
    Review and approve the closure report. CC ID 16947 Actionable Reports or Measurements Preventive
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497
    [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2
    Board: The board, or board-designated committee, typically confirms that IT-related development, acquisition, and maintenance activities align with entity strategic objectives and the board's risk appetite. The audit committee of the board is involved with reviewing and validating the entity's audit-related activities, including development, acquisition, and maintenance. Additionally, the board generally approves II.B.1 ¶ 1 Bullet 1
    The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1]
    Establish/Maintain Documentation Preventive
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846
    [The following would typically be completed during this phase: A project request that provides the business case including a description of the work, the benefits, alternatives considered, the impact of not doing the work, initial estimates of resources and schedule, and strategic match. IV.N.1(a) ¶ 1 Bullet 1
    A business case conveys business related information to help management determine whether to fund a project. The goal is to justify the project resources (e.g., budget and staffing) to address a business need. Typically, the project's sponsor helps to develop and owns the resulting business case. Business cases often include the following: IV.N.3(b) ¶ 1]
    Establish/Maintain Documentation Preventive
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Business Processes Preventive
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916
    [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
    {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1
    The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1]
    Establish/Maintain Documentation Preventive
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917
    [Validating that appropriate success criteria are identified and the project is feasible. IV.N.2 ¶ 2 Bullet 5]
    Establish/Maintain Documentation Preventive
    Assign senior management to approve business cases. CC ID 13068 Human Resources Management Preventive
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621
    [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3
    Coordinating the project phases, including tasks and activities, sufficiency of resources, and process steps and timing for each phase. IV.N.2 ¶ 2 Bullet 2
    Generally, IT project plans consider the following: Schedule, including completion of key tasks and achieving milestones. IV.N.3(d) ¶ 1 Bullet 4
    {project closeout} During the project's closeout phase, the project team delivers the agreed-upon scope items as outlined in the project plan. For example, in a systems development or acquisition project, project closeout is when the project team transitions the systems to the operations staff (i.e., moves application from a staging to a production environment). Often during the project closeout, project teams analyze the project (i.e., post-implementation review) to identify effective project practices and discuss issues encountered and how they were resolved. This information is used to inform and improve project management practices. Project teams review project documentation in the closeout phase to ensure that it is complete, supports maintenance, and can be used by future teams to identify effective practices. IV.N.1(d) ¶ 1]
    Establish/Maintain Documentation Preventive
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 Establish/Maintain Documentation Preventive
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Establish/Maintain Documentation Preventive
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Establish/Maintain Documentation Preventive
    Include a search plan in the counterterror protective security plan. CC ID 06865 Establish/Maintain Documentation Preventive
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Establish/Maintain Documentation Preventive
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673
    [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1
    An IT project should be managed in relation to the entity's size and complexity and consistent with the project's criticality and risks. An ineffectively managed IT project may result in late deliveries, cost overruns, or systems or components that do not meet entity, user, customer, or regulatory requirements. Systems or components that do not meet entity minimum standards or customer requirements can result in underused, insecure, or unreliable products or services. Adding functions, security, or automated controls into systems or components late in the initial development or after implementation to address missed requirements may incur substantial costs (e.g., personnel, time, and money), resulting in less effective systems or components. Furthermore, poor project management can lead to legal issues, such as violations of law and regulation and monetary penalties. IV.N ¶ 2
    {strategic objective} Effective management aligns implementation of any methodology with the overall strategic and business objectives. Planning, education, and communication are important elements to help ensure that critical resources are available when needed for IT projects. Management should promote effective planning through IT project management and support training for developers, quality management members, testers, and maintenance personnel. Entity staff should be proficient and qualified in the selected methodologies. Common examples used in the financial industry include waterfall and agile; however, examiners may encounter others. IV.J ¶ 2]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1
    The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1]
    Establish/Maintain Documentation Preventive
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634
    [Examiners should review the following: Project plans and proposals to determine how well they identify the project purpose, the requirements to address business needs, and the deliverables for each project phase. IV.N Action Summary ¶ 2 Bullet 3
    During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1
    Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling helps management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1
    Effective management understands the SDLC phases and the actions needed in each phase. The phases may be divided differently depending on the entity, the project type and characteristics, and the SDLC used. Management should identify the actions and assign responsibility and accountability for completing those actions. Key stakeholders of the system or component being developed or modified should monitor progress in each phase including the output of each phase. This involvement mitigates the risk that the system or component does not deliver the requested functionality. Management should maintain confidentiality, integrity, availability, and resilience throughout all phases of the SDLC. IV.O.1 ¶ 1]
    Monitor and Evaluate Occurrences Detective
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839
    [During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1]
    Actionable Reports or Measurements Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Actionable Reports or Measurements Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Actionable Reports or Measurements Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Actionable Reports or Measurements Preventive
    Review and approve the Strategic Information Technology Plan. CC ID 13094 Human Resources Management Preventive
  • Operational management
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1
    The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 Behavior Preventive
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Establish/Maintain Documentation Preventive
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 Establish/Maintain Documentation Preventive
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 Process or Activity Preventive
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 Process or Activity Preventive
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 Audits and Risk Management Preventive
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 Human Resources Management Preventive
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Human Resources Management Preventive
    Establish, implement, and maintain a compliance policy. CC ID 14807 Establish/Maintain Documentation Preventive
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813 Establish/Maintain Documentation Preventive
    Include the scope in the compliance policy. CC ID 14812 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the compliance policy. CC ID 14811 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Establish/Maintain Documentation Preventive
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Communicate Preventive
    Include management commitment in the compliance policy. CC ID 14808 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a governance policy. CC ID 15587 Establish/Maintain Documentation Preventive
    Conduct governance meetings, as necessary. CC ID 16946 Process or Activity Preventive
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 Communicate Preventive
    Include governance threshold requirements in the governance policy. CC ID 16933 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the governance policy. CC ID 15595 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the governance policy. CC ID 15594 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a positive information control environment. CC ID 00813 Business Processes Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Behavior Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [Examiners should review the following: Security controls (e.g., secure coding requirements and baseline configuration use) used to harden systems and components. IV Action Summary ¶ 2 Bullet 2
    Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle helps control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1
    Management should maintain testing policies, standards, procedures, as well as other process controls that are effectively used to mitigate risks in internally and externally developed systems and components. V.B Action Summary ¶ 1]
    Establish/Maintain Documentation Preventive
    Define the scope for the internal control framework. CC ID 16325 Business Processes Preventive
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Actionable Reports or Measurements Corrective
    Review the relevance of information supporting internal controls. CC ID 12420 Business Processes Detective
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Establish Roles Preventive
    Assign resources to implement the internal control framework. CC ID 00816
    [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2]
    Business Processes Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Establish Roles Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Business Processes Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Establish/Maintain Documentation Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Establish/Maintain Documentation Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Business Processes Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Establish/Maintain Documentation Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Establish/Maintain Documentation Preventive
    Include cloud services in the internal control framework. CC ID 17262 Establish/Maintain Documentation Preventive
    Include cloud security controls in the internal control framework. CC ID 17264 Establish/Maintain Documentation Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Establish/Maintain Documentation Preventive
    Automate threat assessments, as necessary. CC ID 06877 Configuration Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Establish/Maintain Documentation Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Configuration Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Establish/Maintain Documentation Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Establish/Maintain Documentation Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Establish/Maintain Documentation Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Establish/Maintain Documentation Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Establish/Maintain Documentation Detective
    Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 Process or Activity Preventive
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Establish/Maintain Documentation Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Communicate Preventive
    Establish, implement, and maintain a cybersecurity framework. CC ID 17276 Establish/Maintain Documentation Preventive
    Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 Establish/Maintain Documentation Preventive
    Include protection measures in the cybersecurity framework. CC ID 17278 Establish/Maintain Documentation Preventive
    Include the scope in the cybersecurity framework. CC ID 17277 Establish/Maintain Documentation Preventive
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Communicate Preventive
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [Chief information security officer (CISO): The CISO typically develops enterprise-wide cybersecurity and information security policies and standards, including procedures promoting secure development, acquisition, and maintenance practices, and provides input for the consideration and inclusion of security and resilience in IT projects. The CISO is responsible for validating that security and resilience are maintained throughout the life of a project, system, or component. II.B.1 ¶ 1 Bullet 4]
    Establish/Maintain Documentation Preventive
    Include physical safeguards in the information security program. CC ID 12375 Establish/Maintain Documentation Preventive
    Include technical safeguards in the information security program. CC ID 12374 Establish/Maintain Documentation Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Establish/Maintain Documentation Preventive
    Include system development in the information security program. CC ID 12389 Establish/Maintain Documentation Preventive
    Include system maintenance in the information security program. CC ID 12388 Establish/Maintain Documentation Preventive
    Include system acquisition in the information security program. CC ID 12387 Establish/Maintain Documentation Preventive
    Include access control in the information security program. CC ID 12386 Establish/Maintain Documentation Preventive
    Review and approve access controls, as necessary. CC ID 13074
    [Examiners should review the following: Access, authentication, and authorization controls for systems, components, data, and related documentation throughout the supply chain to ensure appropriate security. IV Action Summary ¶ 2 Bullet 4]
    Process or Activity Detective
    Include operations management in the information security program. CC ID 12385 Establish/Maintain Documentation Preventive
    Include communication management in the information security program. CC ID 12384 Establish/Maintain Documentation Preventive
    Include environmental security in the information security program. CC ID 12383 Establish/Maintain Documentation Preventive
    Include physical security in the information security program. CC ID 12382 Establish/Maintain Documentation Preventive
    Include human resources security in the information security program. CC ID 12381 Establish/Maintain Documentation Preventive
    Include asset management in the information security program. CC ID 12380 Establish/Maintain Documentation Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Establish/Maintain Documentation Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Establish/Maintain Documentation Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Establish/Maintain Documentation Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 Communicate Preventive
    Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 Communicate Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Establish/Maintain Documentation Preventive
    Include risk management in the information security program. CC ID 12378 Establish/Maintain Documentation Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Establish/Maintain Documentation Preventive
    Provide management direction and support for the information security program. CC ID 11999 Process or Activity Preventive
    Monitor and review the effectiveness of the information security program. CC ID 12744 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740 Establish/Maintain Documentation Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Business Processes Preventive
    Include data localization requirements in the information security policy. CC ID 16932 Establish/Maintain Documentation Preventive
    Include business processes in the information security policy. CC ID 16326 Establish/Maintain Documentation Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Establish/Maintain Documentation Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Establish/Maintain Documentation Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Establish/Maintain Documentation Preventive
    Include information security objectives in the information security policy. CC ID 13493 Establish/Maintain Documentation Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Establish/Maintain Documentation Preventive
    Include notification procedures in the information security policy. CC ID 16842 Establish/Maintain Documentation Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Process or Activity Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Business Processes Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Establish/Maintain Documentation Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Communicate Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Establish/Maintain Documentation Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Process or Activity Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Establish Roles Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Human Resources Management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Establish/Maintain Documentation Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Human Resources Management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Communicate Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Establish/Maintain Documentation Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Business Processes Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Business Processes Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Behavior Preventive
    Require social media users to clarify that their communications do not represent the organization. CC ID 17046 Communicate Preventive
    Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 Communicate Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Establish/Maintain Documentation Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Establish/Maintain Documentation Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Establish/Maintain Documentation Preventive
    Perform social network analysis, as necessary. CC ID 14864 Investigate Detective
    Establish, implement, and maintain operational control procedures. CC ID 00831
    [Chief information officer (CIO): The CIO leads day-to-day IT system and component development, acquisition, and maintenance in accordance with the entity's policies and business strategy. Prudent practices include the CIO consulting with the entity's risk management function and legal counsel to ensure that development, acquisition, and maintenance decisions are consistent with sound risk management principles and applicable laws and regulations. Additionally, the CIO facilitates the integration of any new projects, systems, and components into the entity's operations to ensure that they align with strategic objectives and IT strategies. The CIO helps determine the feasibility of proposed projects or changes. II.B.1 ¶ 1 Bullet 3
    Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle helps control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1]
    Establish/Maintain Documentation Preventive
    Define the nomenclature requirements in the operating instructions. CC ID 17112 Establish/Maintain Documentation Preventive
    Define the situations that require time information in the operating instructions. CC ID 17111 Establish/Maintain Documentation Preventive
    Implement alternative actions for oral communications not received or understood. CC ID 17122 Communicate Preventive
    Reissue operating instructions, as necessary. CC ID 17121 Communicate Preventive
    Include congestion management actions in the operational control procedures. CC ID 17135 Establish/Maintain Documentation Preventive
    Update the congestion management actions in a timely manner. CC ID 17145 Establish/Maintain Documentation Preventive
    Coordinate alternate congestion management actions with affected parties. CC ID 17136 Process or Activity Preventive
    Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 Process or Activity Preventive
    Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 Establish/Maintain Documentation Preventive
    Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 Communicate Detective
    Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 Communicate Preventive
    Include continuous monitoring in the operational control procedures. CC ID 17137 Establish/Maintain Documentation Preventive
    Repeat operating instructions received by oral communications to the issuer. CC ID 17119 Communicate Preventive
    Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 Establish/Maintain Documentation Preventive
    Coordinate the transmission of electricity between affected parties. CC ID 17114 Business Processes Preventive
    Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 Behavior Detective
    Include assigning and approving operations in operational control procedures. CC ID 06382 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the operational control procedures. CC ID 17147 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an outage coordination process. CC ID 17161 Process or Activity Preventive
    Coordinate outages with affected parties. CC ID 17160 Process or Activity Preventive
    Coordinate energy resource management with affected parties. CC ID 17150 Process or Activity Preventive
    Coordinate the control of voltage with affected parties. CC ID 17149 Process or Activity Preventive
    Coordinate energy shortages with affected parties. CC ID 17148 Process or Activity Preventive
    Include roles and responsibilities in the operational control procedures. CC ID 17159
    [Management is responsible for operations and maintenance phase task performance regardless of whether tasks are performed by entity or third-party personnel. For more information, refer to the FFIEC IT Handbook's "Outsourcing Technology Services," "Business Continuity Management," "Architecture, Infrastructure, and Operations," and "Information Security" booklets. IV.O.1(d) ¶ 5]
    Establish/Maintain Documentation Preventive
    Include startup processes in operational control procedures. CC ID 00833 Establish/Maintain Documentation Preventive
    Include alternative actions in the operational control procedures. CC ID 17096 Establish/Maintain Documentation Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Establish/Maintain Documentation Preventive
    Approve or deny requests in a timely manner. CC ID 17095 Process or Activity Preventive
    Comply with requests from relevant parties unless justified in not complying. CC ID 17094 Business Processes Preventive
    Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 Communicate Preventive
    Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 Communicate Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Establish/Maintain Documentation Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Process or Activity Preventive
    Include system use information in the standard operating procedures manual. CC ID 17240 Establish/Maintain Documentation Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Establish/Maintain Documentation Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Establish/Maintain Documentation Preventive
    Include logging procedures in the standard operating procedures manual. CC ID 17214 Establish/Maintain Documentation Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Establish/Maintain Documentation Preventive
    Include resources in the standard operating procedures manual. CC ID 17212 Establish/Maintain Documentation Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Establish/Maintain Documentation Preventive
    Include human oversight measures in the standard operating procedures manual. CC ID 17213 Establish/Maintain Documentation Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Establish/Maintain Documentation Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Establish/Maintain Documentation Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Establish/Maintain Documentation Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Establish/Maintain Documentation Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Establish/Maintain Documentation Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Business Processes Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Establish/Maintain Documentation Corrective
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Establish/Maintain Documentation Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Establish/Maintain Documentation Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Establish/Maintain Documentation Preventive
    Include information sharing procedures in standard operating procedures. CC ID 12974
    [FOSS is typically acquired and used in an as-is manner. An entity may not be aware of the developer(s) in public domain FOSS. There may or may not be updates made available for the software, and changes made to the software may be made by other individuals besides the developer. Risks associated with FOSS include the potential for unidentified or unpatched vulnerabilities and development changes by unknown parties. An accurate inventory of FOSS should be maintained as part of an effective ITAM process, and management should understand and abide by the requirements of FOSS licenses. Additionally, some licenses require users to contribute software additions or enhancements, or they may prohibit the use for commercial purpose or profit. Management should be aware of what information is shared when contributing an enhancement to the FOSS development community. IV.C.1(a) ¶ 2]
    Records Management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645
    [Agreements should address risks, including the following: Information sharing (e.g., collection, analysis, and distribution) of threat intelligence, incidents, and other key risk indicators throughout the supply chain. The intelligence gathered enables management to proactively identify and respond to threats in the entity's supply chain. Therefore, management should consider information-sharing clauses in agreements and contracts. IV.Q.1 ¶ 4 Bullet 11 Sub-Bullet 5]
    Business Processes Preventive
    Provide support for information sharing activities. CC ID 15644 Process or Activity Preventive
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Communicate Preventive
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Establish/Maintain Documentation Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Establish/Maintain Documentation Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Establish/Maintain Documentation Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Establish/Maintain Documentation Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Establish/Maintain Documentation Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Establish/Maintain Documentation Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Establish/Maintain Documentation Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Establish/Maintain Documentation Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Establish/Maintain Documentation Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Establish/Maintain Documentation Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Establish/Maintain Documentation Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Establish/Maintain Documentation Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Establish/Maintain Documentation Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Establish/Maintain Documentation Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Technical Security Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Establish/Maintain Documentation Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Data and Information Management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Establish/Maintain Documentation Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Establish/Maintain Documentation Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Establish/Maintain Documentation Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Establish/Maintain Documentation Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Establish/Maintain Documentation Corrective
    Include usage restrictions in the Acceptable Use Policy. CC ID 15311 Establish/Maintain Documentation Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Establish/Maintain Documentation Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Communicate Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Business Processes Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512
    [SBOMs typically do not identify intellectual property, patents, algorithms, or code; if they do, management should implement appropriate security for this proprietary information. IV.Q.2 ¶ 4]
    Establish/Maintain Documentation Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 Establish/Maintain Documentation Preventive
    Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 Establish/Maintain Documentation Preventive
    Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 Establish/Maintain Documentation Preventive
    Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 Communicate Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Establish/Maintain Documentation Preventive
    Validate recipients prior to sending electronic messages. CC ID 16981 Business Processes Preventive
    Establish, implement, and maintain a Global Address List. CC ID 16934 Data and Information Management Preventive
    Include roles and responsibilities in the e-mail policy. CC ID 17040 Establish/Maintain Documentation Preventive
    Include content requirements in the e-mail policy. CC ID 17041 Establish/Maintain Documentation Preventive
    Include the personal use of business e-mail in the e-mail policy. CC ID 17037 Establish/Maintain Documentation Preventive
    Include usage restrictions in the e-mail policy. CC ID 17039 Establish/Maintain Documentation Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Establish/Maintain Documentation Preventive
    Include message format requirements in the e-mail policy. CC ID 17038 Establish/Maintain Documentation Preventive
    Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 Establish/Maintain Documentation Preventive
    Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 Communicate Preventive
    Identify the sender in all electronic messages. CC ID 13996 Data and Information Management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536 Establish/Maintain Documentation Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Communicate Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Establish/Maintain Documentation Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Establish/Maintain Documentation Preventive
    Include use limitations in the use of information agreement. CC ID 06244 Establish/Maintain Documentation Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Establish/Maintain Documentation Preventive
    Include information recipients in the use of information agreement. CC ID 06245 Establish/Maintain Documentation Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Establish/Maintain Documentation Preventive
    Include disclosure of information in the use of information agreement. CC ID 11830 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 Establish/Maintain Documentation Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Establish/Maintain Documentation Preventive
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Establish/Maintain Documentation Preventive
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Establish/Maintain Documentation Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Business Processes Preventive
    Analyze how the policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 Process or Activity Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Process or Activity Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 Process or Activity Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Process or Activity Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Process or Activity Preventive
    Analyze the organizational culture. CC ID 12899 Process or Activity Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Process or Activity Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Process or Activity Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Process or Activity Detective
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Behavior Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Business Processes Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Business Processes Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Business Processes Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Behavior Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Behavior Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Business Processes Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Behavior Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Behavior Preventive
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Process or Activity Corrective
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384 Establish/Maintain Documentation Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Communicate Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Business Processes Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 Behavior Preventive
  • Systems design, build, and implementation
    Systems design, build, and implementation CC ID 00989 IT Impact Zone IT Impact Zone
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems Design, Build, and Implementation Preventive
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain project management standards. CC ID 00992
    [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1
    Examiners should review the following: Process of selecting and implementing methodologies to enable effective management and control of development, acquisition, or maintenance projects and alignment with entity objectives. IV Action Summary ¶ 2 Bullet 6
    Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    Evaluating the application of project management policy, standards, and procedures. IV.N.2 ¶ 2 Bullet 4]
    Establish/Maintain Documentation Preventive
    Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 Systems Design, Build, and Implementation Preventive
    Include objectives in the project management standard. CC ID 17202
    [The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a project program documentation standard. CC ID 00995
    [{be comprehensive} Verifying that the project plan and associated project documents are appropriate, comprehensive, and approved. IV.N.2 ¶ 3 Bullet 4
    Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2
    An agile methodology may create unique challenges in documentation of development; therefore, the entity's documentation requirements should be clearly defined in the entity's project management requirements. Effective documentation relies on real-time communication between the development team and stakeholders, including end users. In any methodology, a lack of clarity or poor communication can negatively affect project deliverables and timelines (e.g., delays, scope creep, costs, and quality). This may have increased significance in an agile methodology because multiple parts of the overall project in process may be affected, leading to a greater impact than if only one segment of a project in process is affected. IV.J.2 ¶ 7
    Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6
    Development standards should articulate the entity's minimum development requirements. For example, development standards may address the selection of programming styles, languages, and tools; layout or format of scripted code; naming conventions; and program library requirements. Effective management communicates in policy its reasons for using specific programming styles and languages on a project or service in project documentation. This is done to identify decisions made by management so developers can understand the reasons certain programming styles and languages were used and whether they remain appropriate for current functionality and stakeholder needs. Examples are included in table 3. V.A ¶ 2]
    Establish/Maintain Documentation Preventive
    Include budgeting for projects in the project management standard. CC ID 13136
    [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1
    Generally, IT project plans consider the following: Task budgets. IV.N.3(d) ¶ 1 Bullet 7]
    Establish/Maintain Documentation Preventive
    Include time requirements in the project management standard. CC ID 17199
    [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain project management procedures. CC ID 17200
    [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3
    A methodology is used to facilitate the development, acquisition, or maintenance of a system or component project. Management should establish appropriate methodologies to enable effective management and control of system and component development, acquisition, and maintenance activities. Management can apply various methodologies, or a hybrid, to different projects based on stakeholder needs and project objectives. Methodologies can be a combination of strategies, design philosophies, and accepted practices designed as a structured, organized set of rules that allow a project team to work together effectively. If the entity employs multiple methodologies, the chosen methodology should be defined for each IT project. IV.J ¶ 1]
    Establish/Maintain Documentation Preventive
    Formally approve the initiation of each project phase. CC ID 00997
    [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2
    Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3]
    Systems Design, Build, and Implementation Detective
    Establish, implement, and maintain integrated project plans. CC ID 01056
    [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
    During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1
    Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1]
    Establish/Maintain Documentation Preventive
    Perform a risk assessment for each system development project. CC ID 01000
    [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    Execute the implementation plan, including the following: Assessing risk for issues that may occur during implementation activities (e.g., rollout, conversion, or update). IV.O.1(c) ¶ 4 Bullet 1 Sub-Bullet 1
    When engaged in development, management may consider using design and coding techniques, appropriate tools (e.g., computer-aided design), and prototypes. When development personnel use design and coding techniques, they should appropriately manage risks (e.g., eliminating inaccurate techniques or outdated tools and prototypes). Prototypes may help illustrate a system's or component's functionality to stakeholders and help management identify, evaluate, and highlight design risks not apparent during the impact analysis or before production. Then the design risks may be resolved more efficiently. There are alternatives to prototyping, such as defining and building a system or component with only enough features to accomplish the essential user objectives of the system. V ¶ 3
    Automation and orchestration give the DevOps approach several benefits including shorter development cycles, increased deployment frequency, faster time to market, and more stable operating environments. In the past, entities may have had changes that took place on a weekly basis; however, in a DevOps environment, the same number and type of changes can be made daily or even hourly. However, automation of previously manual activities, combined with frequent and rapid release cycles, may result in perpetuation of errors or invalid code. Management should assess the risks involved in using a DevOps approach and implement appropriate controls. Potential risks include the following: V.C.1 ¶ 3]
    Testing Detective
    Establish, implement, and maintain a project control program. CC ID 01612
    [An effective audit function provides independent, objective validation of controls and statements of assurance on the effectiveness of an entity's development, acquisition, and maintenance activities. Although auditors should not have any direct involvement in management decisions, they should raise objections if they believe the control environment is inadequate. Auditors may plan for their advisory capacity in development, acquisition, and maintenance activities by developing an understanding of the proposed system or changes. Auditors may require specialized knowledge of IT to advise on or review these activities. They should validate schedule adherence and management. Auditors should determine the effectiveness of controls in the entity's development, acquisition, and maintenance activities and recommend appropriate mitigation. They may communicate with developers regarding appropriate control standards and frameworks throughout IT projects. II.B.9 ¶ 1
    Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling helps management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a project test plan. CC ID 01001
    [Strong testing and other QC procedures can mitigate the risk that the entity's project goals and stakeholder requirements are not met during the execution phase. Testing helps find deficiencies or defects and helps ensure that the system or components operate as intended. Depending on the project type, testing may be scheduled throughout the project during any phase. For example, testing may not always occur during every sprint when using an agile development methodology. Users, designers, developers, and IT staff may be involved in testing. Throughout the testing process, management should maintain comprehensive and accurate documentation reflecting the testing methodology employed, tests performed, and test results. IV.N.1(c) ¶ 3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a project team plan. CC ID 06533
    [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2
    In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
    Meeting regularly with the project team to track progress, address impediments or issues, and track task and milestone completion. IV.N.2 ¶ 4 Bullet 1
    Generally, IT project plans consider the following: Roles and responsibilities. IV.N.3(d) ¶ 1 Bullet 2]
    Establish/Maintain Documentation Preventive
    Identify accreditation tasks. CC ID 00999 Systems Design, Build, and Implementation Detective
    Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a project management training plan. CC ID 01002 Establish/Maintain Documentation Preventive
    Conduct a post implementation review when the system design project ends. CC ID 01003
    [Auditors may participate in an advisory capacity in IT projects and may perform pre- and post-implementation reviews. Post-implementation reviews should occur shortly after implementing the new or revised system or components. These reviews help validate that the system or component operates as expected and provide financial statement users with relevant information in ways that justify the cost of providing it. II.B.9 ¶ 3
    Organizations formally perform a post-implementation review (PIR) for system development and implementation projects to continuously improve. Processes and techniques that were effective are passed to future projects as effective practices. Problems and their solutions are also passed along to help future projects avoid pitfalls. In agile projects when there are multiple implementations, smaller reviews are completed after each task or deliverable is implemented. Typical PIR steps are IV.M ¶ 1
    Overseeing a post-implementation review. IV.N.2 ¶ 5 Bullet 4
    Conduct PIRs (e.g., survey users, review complaints, plan future functionality, and identify other improvements). Additionally, the reviews may identify lessons learned and process improvement information. IV.O.1(c) ¶ 4 Bullet 9
    {affected party} Training is critical to the success of the implementation and assessment phase as are training plans and supporting materials for operating, using, and maintaining the system. Training is often the first exposure to the system for most users and should be provided before system or component deployment to the production environment. Training enables users to familiarize themselves with the new or updated system or component. A positive training experience typically improves user acceptance. During this phase, appropriate personnel should coordinate training logistics, including who should be trained, what the training involves, and when training should be conducted. Effective management organizes a training and awareness campaign and notifies users of any implementation and training responsibilities. This helps establish user expectations regarding system and component capabilities. Those responsible for supporting the system or component in the entity should have a combination of technical documentation, training, and hands-on assistance enabling support personnel to provide operational support to the users. Once the product is implemented, management should perform a PIR (see the "Post-Implementation Review" section of this booklet for more information). IV.O.1(c) ¶ 6]
    Testing Detective
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems Design, Build, and Implementation Preventive
    Perform Quality Management on all newly developed or modified systems. CC ID 01100
    [Measurability: To accurately evaluate a project's success, management should assess results against defined expectations and requirements to determine project success. Quality management personnel should assess the quality of products and processes against measurable standards, metrics, and expectations. IV.K ¶ 3 Bullet 5
    Management should establish development standards, including procedures for controlling changes during the development process that address the following: Quality management (also referred to as quality assurance and quality control [QA/QC]), including the development and implementation of a system or component so it meets predefined specifications and management's expectations. V.A ¶ 1 Bullet 2]
    Testing Detective
    Establish, implement, and maintain system testing procedures. CC ID 11744
    [To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4
    Testing is essential to the development process to promote confidentiality, integrity, availability, and resilience. Whether developed internally or by a third party, appropriate personnel should test systems and components to identify and correct defects before deployment, including security-related defects. V.B ¶ 1
    Testing should be sufficient to confirm that systems and components meet the entity's architectural, functional, information security, and legal/regulatory requirements. To help mitigate the risk that an integration point contains an undiscovered defect, entities test the system or component being developed, including how well that system or component interoperates with other systems and components. This scope is commonly achieved through a combination of code-level, system-level, and code vulnerability testing. V.B ¶ 2
    Due to supply chain risk in development, for both in-house and supply chain partners, it is important to consider using the following standards and controls when developing information systems and components: Design relevant validation mechanisms to be used during implementation and operation. V.A ¶ 5 Bullet 3]
    Establish/Maintain Documentation Preventive
    Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 Testing Detective
    Review and test source code. CC ID 01086
    [Examiners should review the following: Quality assurance (QA) reports to evaluate processes for the detection of potential coding errors. II Action Summary ¶ 2 Bullet 6
    Manual or automated code reviews help identify vulnerabilities. Manual code reviews are performed by entity personnel or a third party and may be less costly than an automated code review. However, limitations on reviewers' knowledge or experience may result in unidentified issues, such as syntax errors and code vulnerabilities due to human error. Additionally, manual reviews may not be effective for extensive volumes of testing. Automated code reviews, on the other hand, may be more sophisticated, can reduce human error, and generally provide more timely identification of weaknesses. These tools are scalable and can be continuously updated as technology and vulnerabilities evolve. Entities review software code that has been implemented to mitigate the risk that vulnerabilities may be introduced through routine updates and patches. If an automated code review process is implemented, management should ensure that the embedded rules of the code review tools are appropriately configured and used. Management selects code review types that are effective for the entity's project and available resources, and management validates that the code review process meets its needs. IV.D ¶ 4
    To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4
    The types of testing performed should be appropriate for the development activity's inherent risk. Effective management has a methodical process to define and conduct testing necessary to demonstrate the effectiveness of a developed system or component. Typically, testing is performed in stages, and knowledgeable testing specialists and relevant stakeholders should be involved in testing. Regardless of the process, various tests may be used individually or in combination at different points in the development and testing phases. During system or component development, developers perform code reviews, which typically occur as part of the testing process. Appropriate personnel can perform testing manually, with automated tools, or a combination of both. V.B ¶ 5]
    Testing Detective
Common Controls and mandates by Type
21 Mandated Controls - bold, 30 Implied Controls - italic, 495 Implementation Controls - regular

Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.

Number of Controls
546 Total
  • Acquisition/Sale of Assets or Services
    1
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 Operational management Preventive
  • Actionable Reports or Measurements
    7
    Submit closure reports at the conclusion of each information technology project. CC ID 16948
    [If a project is discontinued before implementation, determining and documenting the reasons for the abnormal project closure for use by future project teams. IV.N.2 ¶ 5 Bullet 2]
    Leadership and high level objectives Preventive
    Review and approve the closure report. CC ID 16947 Leadership and high level objectives Preventive
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839
    [During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1]
    Leadership and high level objectives Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Leadership and high level objectives Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Leadership and high level objectives Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Leadership and high level objectives Preventive
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Operational management Corrective
  • Audits and Risk Management
    4
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Preventive
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Detective
    Review management's response to issues raised in past audit reports. CC ID 01149
    [Review management's response to issues raised during, or since, the last examination. Consider the following: Resolution of root causes rather than just specific issues. App A Objective 1:2b
    {corrective action} Review management's response to issues raised during, or since, the last examination. Consider the following: Whether management has taken positive action toward correcting exceptions reported in audit and examination reports. App A Objective 1:2d]
    Audits and risk management Detective
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 Operational management Preventive
  • Behavior
    14
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Leadership and high level objectives Preventive
    Delegate authority for specific processes, as necessary. CC ID 06780 Human Resources management Preventive
    Implement personnel supervisory practices. CC ID 00773 Human Resources management Preventive
    Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779 Human Resources management Preventive
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 Operational management Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Operational management Preventive
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Preventive
    Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 Operational management Detective
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Operational management Preventive
    Include skill development in the analysis of the organizational culture. CC ID 12913 Operational management Preventive
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Operational management Preventive
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Operational management Preventive
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Operational management Preventive
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 Operational management Preventive
  • Business Processes
    55
    Analyze the business environment in which the organization operates. CC ID 12798
    [Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2]
    Leadership and high level objectives Preventive
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Preventive
    Analyze the external environment in which the organization operates. CC ID 12799 Leadership and high level objectives Preventive
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Leadership and high level objectives Preventive
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Leadership and high level objectives Preventive
    Include society in the analysis of the external environment. CC ID 12963 Leadership and high level objectives Preventive
    Include opportunities in the analysis of the external environment. CC ID 12954 Leadership and high level objectives Preventive
    Include third party relationships in the analysis of the external environment. CC ID 12952 Leadership and high level objectives Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904 Leadership and high level objectives Preventive
    Include threats in the analysis of the external environment. CC ID 12898 Leadership and high level objectives Preventive
    Include geopolitics in the analysis of the external environment. CC ID 12897 Leadership and high level objectives Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Leadership and high level objectives Preventive
    Include technology in the analysis of the external environment. CC ID 12837 Leadership and high level objectives Preventive
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Leadership and high level objectives Preventive
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Leadership and high level objectives Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Leadership and high level objectives Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Leadership and high level objectives Preventive
    Prioritize organizational objectives. CC ID 09960 Leadership and high level objectives Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Leadership and high level objectives Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Preventive
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2
    Validating stakeholder support and engagement. IV.N.2 ¶ 3 Bullet 3]
    Leadership and high level objectives Preventive
    Enforce a continuous Quality Control system. CC ID 01005
    [Validating that any changes are authorized, quality is maintained, scope creep is mitigated, and stakeholders are informed. IV.N.2 ¶ 4 Bullet 3]
    Leadership and high level objectives Detective
    Correct errors and deficiencies in a timely manner. CC ID 13501
    [Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9]
    Leadership and high level objectives Corrective
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Detective
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Leadership and high level objectives Detective
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1]
    Leadership and high level objectives Preventive
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Leadership and high level objectives Corrective
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 Leadership and high level objectives Preventive
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Leadership and high level objectives Preventive
    Place Information Technology operations in a position to support the business model. CC ID 00766 Human Resources management Preventive
    Review organizational personnel successes. CC ID 00767 Human Resources management Preventive
    Evaluate the staffing requirements regularly. CC ID 00775 Human Resources management Detective
    Establish, implement, and maintain a positive information control environment. CC ID 00813 Operational management Preventive
    Define the scope for the internal control framework. CC ID 16325 Operational management Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Detective
    Assign resources to implement the internal control framework. CC ID 00816
    [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2]
    Operational management Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Operational management Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Preventive
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Preventive
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Preventive
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Preventive
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Preventive
    Coordinate the transmission of electricity between affected parties. CC ID 17114 Operational management Preventive
    Comply with requests from relevant parties unless justified in not complying. CC ID 17094 Operational management Preventive
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Preventive
    Establish, implement, and maintain information sharing agreements. CC ID 15645
    [Agreements should address risks, including the following: Information sharing (e.g., collection, analysis, and distribution) of threat intelligence, incidents, and other key risk indicators throughout the supply chain. The intelligence gathered enables management to proactively identify and respond to threats in the entity's supply chain. Therefore, management should consider information-sharing clauses in agreements and contracts. IV.Q.1 ¶ 4 Bullet 11 Sub-Bullet 5]
    Operational management Preventive
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Preventive
    Validate recipients prior to sending electronic messages. CC ID 16981 Operational management Preventive
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Preventive
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Preventive
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Preventive
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Preventive
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Preventive
    Review systems for compliance with organizational information security policies. CC ID 12004 Operational management Preventive
  • Communicate
    37
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Preventive
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Leadership and high level objectives Preventive
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Preventive
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Leadership and high level objectives Preventive
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Leadership and high level objectives Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Corrective
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Preventive
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Preventive
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Preventive
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Leadership and high level objectives Preventive
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Operational management Preventive
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 Operational management Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Preventive
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Operational management Preventive
    Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 Operational management Preventive
    Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 Operational management Preventive
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Preventive
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Preventive
    Require social media users to clarify that their communications do not represent the organization. CC ID 17046 Operational management Preventive
    Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 Operational management Preventive
    Implement alternative actions for oral communications not received or understood. CC ID 17122 Operational management Preventive
    Reissue operating instructions, as necessary. CC ID 17121 Operational management Preventive
    Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 Operational management Detective
    Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 Operational management Preventive
    Repeat operating instructions received by oral communications to the issuer. CC ID 17119 Operational management Preventive
    Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 Operational management Preventive
    Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 Operational management Preventive
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Preventive
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Preventive
    Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 Operational management Preventive
    Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 Operational management Preventive
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Preventive
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Operational management Preventive
  • Configuration
    2
    Automate threat assessments, as necessary. CC ID 06877 Operational management Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Preventive
  • Data and Information Management
    17
    Include the data source in the data governance and management practices. CC ID 17211 Leadership and high level objectives Preventive
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Preventive
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Preventive
    Include format requirements for data elements in the data dictionary. CC ID 17108 Leadership and high level objectives Preventive
    Include notification requirements for data elements in the data dictionary. CC ID 17107 Leadership and high level objectives Preventive
    Establish, implement, and maintain data reconciliation procedures. CC ID 17118 Leadership and high level objectives Preventive
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Preventive
    Establish, implement, and maintain a Global Address List. CC ID 16934 Operational management Preventive
    Identify the sender in all electronic messages. CC ID 13996 Operational management Preventive
  • Establish Roles
    13
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765 Leadership and high level objectives Detective
    Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1
    Additionally, the board generally approves Policies and standards. II.B.1 ¶ 1 Bullet 1 Sub-Bullet 2]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Preventive
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1
    The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1]
    Human Resources management Preventive
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Preventive
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1
    IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2]
    Human Resources management Preventive
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764
    [Examiners should review the following: Charters (e.g., board, management, or committee), organizational charts, relevant documentation, and practices to determine whether appropriate roles and responsibilities are identified and assigned with suitable decision-making authority. II Action Summary ¶ 2 Bullet 2]
    Human Resources management Preventive
    Document and communicate role descriptions to all applicable personnel. CC ID 00776 Human Resources management Detective
    Rotate duties amongst the critical roles and positions. CC ID 06554 Human Resources management Preventive
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Operational management Preventive
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Preventive
  • Establish/Maintain Documentation (297 controls)
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Leadership and high level objectives Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959 Leadership and high level objectives Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Preventive
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Preventive
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Leadership and high level objectives Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Leadership and high level objectives Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Leadership and high level objectives Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 Leadership and high level objectives Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998
    [Examiners should review the following: Inventory of all systems and components (e.g., open-source, proprietary, application programming interfaces [API], and container images and registries), including related licenses, and data as part of IT asset management (ITAM). IV Action Summary ¶ 2 Bullet 3
    A distributed service registry should be deployed for large microservices applications, and data consistency should be maintained among multiple service registry instances. IV.G ¶ 6 Bullet 7]
    Leadership and high level objectives Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Leadership and high level objectives Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Preventive
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Leadership and high level objectives Preventive
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Detective
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Leadership and high level objectives Preventive
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Preventive
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Leadership and high level objectives Preventive
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Preventive
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Preventive
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Preventive
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Preventive
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Preventive
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Preventive
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Preventive
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Preventive
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Preventive
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Leadership and high level objectives Preventive
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Leadership and high level objectives Preventive
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Leadership and high level objectives Preventive
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Preventive
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Preventive
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Preventive
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Preventive
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Preventive
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management standard. CC ID 01006
    [Scalability: Projects vary in size and complexity. Quality management standards should match project characteristics and risks and may differ by project size and type. Quality reviews may consider whether the entity's systems and components can scale, as necessary. IV.K ¶ 3 Bullet 4]
    Leadership and high level objectives Preventive
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Leadership and high level objectives Preventive
    Establish, implement, and maintain a Quality Management program. CC ID 07201
    [Examiners should review the following: Evaluation process (e.g., post-implementation review, stakeholder interview, problem documentation and resolution, cost-benefit analysis, and reports to senior management) for development, acquisition, and maintenance projects. IV Action Summary ¶ 2 Bullet 13
    Quality management is a critical part of well-managed development, acquisition, and maintenance activities. Comprehensive quality management, risk management, and testing standards provide a means to manage project risks and promote expected functionality, security, and interoperability in systems and components in a secure, resilient manner. Quality management policies, standards, and procedures should be applied to internally and externally developed programs and should address the following: IV.K ¶ 3
    Generally, IT project plans consider the following: Quality management tasks (e.g., testing both developed systems and patches for procured systems). IV.N.3(d) ¶ 1 Bullet 5]
    Leadership and high level objectives Preventive
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Preventive
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Preventive
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Preventive
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Preventive
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Preventive
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Preventive
    Include resource management in the quality management system. CC ID 15026 Leadership and high level objectives Preventive
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Preventive
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Preventive
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Preventive
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
    [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6]
    Leadership and high level objectives Preventive
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Preventive
    Include program testing standards in the Quality Management program. CC ID 01017 Leadership and high level objectives Preventive
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Preventive
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Leadership and high level objectives Preventive
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151
    [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3
    Examiners should review the following: Board and committee minutes to evaluate how the entity prioritizes projects relative to business goals and objectives, evaluates the project's effect on operations, and monitors and supports projects during execution. IV.N Action Summary ¶ 2 Bullet 2]
    Leadership and high level objectives Detective
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Leadership and high level objectives Preventive
    Establish, implement, and maintain security planning procedures. CC ID 14060
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628
    [Examiners should review the following: Enterprise-wide IT policies, procedures, and standards describing the entity's requirements throughout the development, acquisition, and maintenance life cycle. II Action Summary ¶ 2 Bullet 1
    Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1]
    Leadership and high level objectives Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Leadership and high level objectives Preventive
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Leadership and high level objectives Preventive
    Include the information integrity goals in the Information Governance Plan. CC ID 10057 Leadership and high level objectives Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Leadership and high level objectives Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408 Leadership and high level objectives Preventive
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Leadership and high level objectives Preventive
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Leadership and high level objectives Preventive
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Leadership and high level objectives Preventive
    Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Leadership and high level objectives Preventive
    Establish, implement, and maintain Information Technology project plans. CC ID 16944
    [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3
    Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2
    Planning, particularly in the project's early stages, should help the project team and management coordinate development activities and manage risks effectively. Planning helps the project team and management add or clarify the project's specific activities, resources, costs, and benefits. A critical part of planning is to coordinate stakeholder discussions to identify and document as many of the entity's functional, security, and network requirements as possible. IV.O.1(a) ¶ 3]
    Leadership and high level objectives Preventive
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497
    [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2
    Board: The board, or board-designated committee, typically confirms that IT-related development, acquisition, and maintenance activities align with entity strategic objectives and the board's risk appetite. The audit committee of the board is involved with reviewing and validating the entity's audit-related activities, including development, acquisition, and maintenance. Additionally, the board generally approves II.B.1 ¶ 1 Bullet 1
    The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1]
    Leadership and high level objectives Preventive
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846
    [The following would typically be completed during this phase: A project request that provides the business case including a description of the work, the benefits, alternatives considered, the impact of not doing the work, initial estimates of resources and schedule, and strategic match. IV.N.1(a) ¶ 1 Bullet 1
    A business case conveys business related information to help management determine whether to fund a project. The goal is to justify the project resources (e.g., budget and staffing) to address a business need. Typically, the project's sponsor helps to develop and owns the resulting business case. Business cases often include the following: IV.N.3(b) ¶ 1]
    Leadership and high level objectives Preventive
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916
    [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
    {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1
    The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1]
    Leadership and high level objectives Preventive
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917
    [Validating that appropriate success criteria are identified and the project is feasible. IV.N.2 ¶ 2 Bullet 5]
    Leadership and high level objectives Preventive
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621
    [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3
    Coordinating the project phases, including tasks and activities, sufficiency of resources, and process steps and timing for each phase. IV.N.2 ¶ 2 Bullet 2
    Generally, IT project plans consider the following: Schedule, including completion of key tasks and achieving milestones. IV.N.3(d) ¶ 1 Bullet 4
    {project closeout} During the project's closeout phase, the project team delivers the agreed-upon scope items as outlined in the project plan. For example, in a systems development or acquisition project, project closeout is when the project team transitions the systems to the operations staff (i.e., moves application from a staging to a production environment). Often during the project closeout, project teams analyze the project (i.e., post-implementation review) to identify effective project practices and discuss issues encountered and how they were resolved. This information is used to inform and improve project management practices. Project teams review project documentation in the closeout phase to ensure that it is complete, supports maintenance, and can be used by future teams to identify effective practices. IV.N.1(d) ¶ 1]
    Leadership and high level objectives Preventive
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Leadership and high level objectives Corrective
    Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 Leadership and high level objectives Preventive
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Leadership and high level objectives Preventive
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Leadership and high level objectives Preventive
    Include a search plan in the counterterror protective security plan. CC ID 06865 Leadership and high level objectives Preventive
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Leadership and high level objectives Preventive
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Leadership and high level objectives Preventive
    Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673
    [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1
    An IT project should be managed in relation to the entity's size and complexity and consistent with the project's criticality and risks. An ineffectively managed IT project may result in late deliveries, cost overruns, or systems or components that do not meet entity, user, customer, or regulatory requirements. Systems or components that do not meet entity minimum standards or customer requirements can result in underused, insecure, or unreliable products or services. Adding functions, security, or automated controls into systems or components late in the initial development or after implementation to address missed requirements may incur substantial costs (e.g., personnel, time, and money), resulting in less effective systems or components. Furthermore, poor project management can lead to legal issues, such as violations of law and regulation and monetary penalties. IV.N ¶ 2
    {strategic objective} Effective management aligns implementation of any methodology with the overall strategic and business objectives. Planning, education, and communication are important elements to help ensure that critical resources are available when needed for IT projects. Management should promote effective planning through IT project management and support training for developers, quality management members, testers, and maintenance personnel. Entity staff should be proficient and qualified in the selected methodologies. Common examples used in the financial industry include waterfall and agile; however, examiners may encounter others. IV.J ¶ 2]
    Leadership and high level objectives Preventive
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1
    The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1]
    Leadership and high level objectives Preventive
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Preventive
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Preventive
    Review past audit reports. CC ID 01155
    [Examiners should review the following: Project audit reports to determine whether the audit function provides independent, objective assurance of the effectiveness of an entity's development, acquisition, and maintenance activities. II Action Summary ¶ 2 Bullet 4
    Examiners should review the following: Acquisition and procurement-related audits. VI Action Summary ¶ 2 Bullet 6]
    Audits and risk management Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161
    [Review past reports for outstanding issues or previous problems. Consider the following: Regulatory reports of examination. App A Objective 1:1a]
    Audits and risk management Detective
    Review the issues of non-compliance from past audit reports. CC ID 01148
    [Review management's response to issues raised during, or since, the last examination. Consider the following: Existence of any outstanding issues. App A Objective 1:2c]
    Audits and risk management Detective
    Implement a corrective action plan in response to the audit report. CC ID 06777 Audits and risk management Corrective
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Preventive
    Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 Human Resources management Preventive
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Human Resources management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1
    The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1]
    Operational management Preventive
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 Operational management Preventive
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Operational management Preventive
    Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 Operational management Preventive
    Establish, implement, and maintain a compliance policy. CC ID 14807 Operational management Preventive
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813 Operational management Preventive
    Include the scope in the compliance policy. CC ID 14812 Operational management Preventive
    Include roles and responsibilities in the compliance policy. CC ID 14811 Operational management Preventive
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Operational management Preventive
    Include management commitment in the compliance policy. CC ID 14808 Operational management Preventive
    Establish, implement, and maintain a governance policy. CC ID 15587 Operational management Preventive
    Include governance threshold requirements in the governance policy. CC ID 16933 Operational management Preventive
    Include a commitment to continuous improvement in the governance policy. CC ID 15595 Operational management Preventive
    Include roles and responsibilities in the governance policy. CC ID 15594 Operational management Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [Examiners should review the following: Security controls (e.g., secure coding requirements and baseline configuration use) used to harden systems and components. IV Action Summary ¶ 2 Bullet 2
    Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle helps control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1
    Management should maintain testing policies, standards, procedures, as well as other process controls that are effectively used to mitigate risks in internally and externally developed systems and components. V.B Action Summary ¶ 1]
    Operational management Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Operational management Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Preventive
    Include cloud services in the internal control framework. CC ID 17262 Operational management Preventive
    Include cloud security controls in the internal control framework. CC ID 17264 Operational management Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Operational management Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Preventive
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Preventive
    Establish, implement, and maintain a cybersecurity framework. CC ID 17276 Operational management Preventive
    Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 Operational management Preventive
    Include protection measures in the cybersecurity framework. CC ID 17278 Operational management Preventive
    Include the scope in the cybersecurity framework. CC ID 17277 Operational management Preventive
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Operational management Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [Chief information security officer (CISO): The CISO typically develops enterprise-wide cybersecurity and information security policies and standards, including procedures promoting secure development, acquisition, and maintenance practices, and provides input for the consideration and inclusion of security and resilience in IT projects. The CISO is responsible for validating that security and resilience are maintained throughout the life of a project, system, or component. II.B.1 ¶ 1 Bullet 4]
    Operational management Preventive
    Include physical safeguards in the information security program. CC ID 12375 Operational management Preventive
    Include technical safeguards in the information security program. CC ID 12374 Operational management Preventive
    Include administrative safeguards in the information security program. CC ID 12373 Operational management Preventive
    Include system development in the information security program. CC ID 12389 Operational management Preventive
    Include system maintenance in the information security program. CC ID 12388 Operational management Preventive
    Include system acquisition in the information security program. CC ID 12387 Operational management Preventive
    Include access control in the information security program. CC ID 12386 Operational management Preventive
    Include operations management in the information security program. CC ID 12385 Operational management Preventive
    Include communication management in the information security program. CC ID 12384 Operational management Preventive
    Include environmental security in the information security program. CC ID 12383 Operational management Preventive
    Include physical security in the information security program. CC ID 12382 Operational management Preventive
    Include human resources security in the information security program. CC ID 12381 Operational management Preventive
    Include asset management in the information security program. CC ID 12380 Operational management Preventive
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Preventive
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Preventive
    Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Preventive
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Preventive
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Preventive
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Preventive
    Include risk management in the information security program. CC ID 12378 Operational management Preventive
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Preventive
    Establish, implement, and maintain an information security policy. CC ID 11740 Operational management Preventive
    Include data localization requirements in the information security policy. CC ID 16932 Operational management Preventive
    Include business processes in the information security policy. CC ID 16326 Operational management Preventive
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Preventive
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Preventive
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Preventive
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Preventive
    Include information security objectives in the information security policy. CC ID 13493 Operational management Preventive
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Preventive
    Include notification procedures in the information security policy. CC ID 16842 Operational management Preventive
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Preventive
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Preventive
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Preventive
    Establish, implement, and maintain a social media governance program. CC ID 06536 Operational management Preventive
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Preventive
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Preventive
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Preventive
    Establish, implement, and maintain operational control procedures. CC ID 00831
    [Chief information officer (CIO): The CIO leads day-to-day IT system and component development, acquisition, and maintenance in accordance with the entity's policies and business strategy. Prudent practices include the CIO consulting with the entity's risk management function and legal counsel to ensure that development, acquisition, and maintenance decisions are consistent with sound risk management principles and applicable laws and regulations. Additionally, the CIO facilitates the integration of any new projects, systems, and components into the entity's operations to ensure that they align with strategic objectives and IT strategies. The CIO helps determine the feasibility of proposed projects or changes. II.B.1 ¶ 1 Bullet 3
    Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle helps control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1]
    Operational management Preventive
    Define the nomenclature requirements in the operating instructions. CC ID 17112 Operational management Preventive
    Define the situations that require time information in the operating instructions. CC ID 17111 Operational management Preventive
    Include congestion management actions in the operational control procedures. CC ID 17135 Operational management Preventive
    Update the congestion management actions in a timely manner. CC ID 17145 Operational management Preventive
    Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 Operational management Preventive
    Include continuous monitoring in the operational control procedures. CC ID 17137 Operational management Preventive
    Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 Operational management Preventive
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Preventive
    Include coordination amongst entities in the operational control procedures. CC ID 17147 Operational management Preventive
    Include roles and responsibilities in the operational control procedures. CC ID 17159
    [Management is responsible for operations and maintenance phase task performance regardless of whether tasks are performed by entity or third-party personnel. For more information, refer to the FFIEC IT Handbook's "Outsourcing Technology Services," "Business Continuity Management," "Architecture, Infrastructure, and Operations," and "Information Security" booklets. IV.O.1(d) ¶ 5]
    Operational management Preventive
    Include startup processes in operational control procedures. CC ID 00833 Operational management Preventive
    Include alternative actions in the operational control procedures. CC ID 17096 Operational management Preventive
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Preventive
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Preventive
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Preventive
    Include system use information in the standard operating procedures manual. CC ID 17240 Operational management Preventive
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Preventive
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Preventive
    Include logging procedures in the standard operating procedures manual. CC ID 17214 Operational management Preventive
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Preventive
    Include resources in the standard operating procedures manual. CC ID 17212 Operational management Preventive
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Preventive
    Include human oversight measures in the standard operating procedures manual. CC ID 17213 Operational management Preventive
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Preventive
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Preventive
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Preventive
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Preventive
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Preventive
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Corrective
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Preventive
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Preventive
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Preventive
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Operational management Preventive
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Preventive
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Operational management Preventive
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Preventive
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Preventive
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Preventive
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Preventive
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Preventive
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Preventive
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Preventive
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Preventive
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Preventive
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Preventive
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Preventive
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Preventive
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Preventive
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Preventive
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Preventive
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Preventive
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Preventive
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Preventive
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Preventive
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Preventive
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Preventive
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Preventive
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Corrective
    Include usage restrictions in the Acceptable Use Policy. CC ID 15311 Operational management Preventive
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Preventive
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Preventive
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Preventive
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Preventive
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Preventive
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512
    [SBOMs typically do not identify intellectual property, patents, algorithms, or code; if they do, management should implement appropriate security for this proprietary information. IV.Q.2 ¶ 4]
    Operational management Preventive
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Preventive
    Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 Operational management Preventive
    Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 Operational management Preventive
    Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 Operational management Preventive
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Preventive
    Include roles and responsibilities in the e-mail policy. CC ID 17040 Operational management Preventive
    Include content requirements in the e-mail policy. CC ID 17041 Operational management Preventive
    Include the personal use of business e-mail in the e-mail policy. CC ID 17037 Operational management Preventive
    Include usage restrictions in the e-mail policy. CC ID 17039 Operational management Preventive
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Preventive
    Include message format requirements in the e-mail policy. CC ID 17038 Operational management Preventive
    Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 Operational management Preventive
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Operational management Preventive
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536 Operational management Preventive
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Preventive
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Preventive
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Operational management Preventive
    Include use limitations in the use of information agreement. CC ID 06244 Operational management Preventive
    Include disclosure requirements in the use of information agreement. CC ID 11735 Operational management Preventive
    Include information recipients in the use of information agreement. CC ID 06245 Operational management Preventive
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Operational management Preventive
    Include disclosure of information in the use of information agreement. CC ID 11830 Operational management Preventive
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 Operational management Preventive
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Operational management Preventive
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Operational management Preventive
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Operational management Preventive
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384 Operational management Preventive
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Systems design, build, and implementation Preventive
    Establish, implement, and maintain project management standards. CC ID 00992
    [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1
    Examiners should review the following: Process of selecting and implementing methodologies to enable effective management and control of development, acquisition, or maintenance projects and alignment with entity objectives. IV Action Summary ¶ 2 Bullet 6
    Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    Evaluating the application of project management policy, standards, and procedures. IV.N.2 ¶ 2 Bullet 4]
    Systems design, build, and implementation Preventive
    Include objectives in the project management standard. CC ID 17202
    [The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain a project program documentation standard. CC ID 00995
    [{be comprehensive} Verifying that the project plan and associated project documents are appropriate, comprehensive, and approved. IV.N.2 ¶ 3 Bullet 4
    Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2
    An agile methodology may create unique challenges in documentation of development; therefore, the entity's documentation requirements should be clearly defined in the entity's project management requirements. Effective documentation relies on real-time communication between the development team and stakeholders, including end users. In any methodology, a lack of clarity or poor communication can negatively affect project deliverables and timelines (e.g., delays, scope creep, costs, and quality). This may have increased significance in an agile methodology because multiple parts of the overall project in process may be affected, leading to a greater impact than if only one segment of a project in process is affected. IV.J.2 ¶ 7
    Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6
    Development standards should articulate the entity's minimum development requirements. For example, development standards may address the selection of programming styles, languages, and tools; layout or format of scripted code; naming conventions; and program library requirements. Effective management communicates in policy its reasons for using specific programming styles and languages on a project or service in project documentation. This is done to identify decisions made by management so developers can understand the reasons certain programming styles and languages were used and whether they remain appropriate for current functionality and stakeholder needs. Examples are included in table 3. V.A ¶ 2]
    Systems design, build, and implementation Preventive
    Include budgeting for projects in the project management standard. CC ID 13136
    [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1
    Generally, IT project plans consider the following: Task budgets. IV.N.3(d) ¶ 1 Bullet 7]
    Systems design, build, and implementation Preventive
    Include time requirements in the project management standard. CC ID 17199
    [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain project management procedures. CC ID 17200
    [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3
    A methodology is used to facilitate the development, acquisition, or maintenance of a system or component project. Management should establish appropriate methodologies to enable effective management and control of system and component development, acquisition, and maintenance activities. Management can apply various methodologies, or a hybrid, to different projects based on stakeholder needs and project objectives. Methodologies can be a combination of strategies, design philosophies, and accepted practices designed as a structured, organized set of rules that allow a project team to work together effectively. If the entity employs multiple methodologies, the chosen methodology should be defined for each IT project. IV.J ¶ 1]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain integrated project plans. CC ID 01056
    [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
    During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1
    Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain a project control program. CC ID 01612
    [An effective audit function provides independent, objective validation of controls and statements of assurance on the effectiveness of an entity's development, acquisition, and maintenance activities. Although auditors should not have any direct involvement in management decisions, they should raise objections if they believe the control environment is inadequate. Auditors may plan for their advisory capacity in development, acquisition, and maintenance activities by developing an understanding of the proposed system or changes. Auditors may require specialized knowledge of IT to advise on or review these activities. They should validate schedule adherence and management. Auditors should determine the effectiveness of controls in the entity's development, acquisition, and maintenance activities and recommend appropriate mitigation. They may communicate with developers regarding appropriate control standards and frameworks throughout IT projects. II.B.9 ¶ 1
    Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling helps management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain a project test plan. CC ID 01001
    [Strong testing and other QC procedures can mitigate the risk that the entity's project goals and stakeholder requirements are not met during the execution phase. Testing helps find deficiencies or defects and helps ensure that the system or components operate as intended. Depending on the project type, testing may be scheduled throughout the project during any phase. For example, testing may not always occur during every sprint when using an agile development methodology. Users, designers, developers, and IT staff may be involved in testing. Throughout the testing process, management should maintain comprehensive and accurate documentation reflecting the testing methodology employed, tests performed, and test results. IV.N.1(c) ¶ 3]
    Systems design, build, and implementation Preventive
    Establish, implement, and maintain a project team plan. CC ID 06533
    [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2
    In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
    Meeting regularly with the project team to track progress, address impediments or issues, and track task and milestone completion. IV.N.2 ¶ 4 Bullet 1
    Generally, IT project plans consider the following: Roles and responsibilities. IV.N.3(d) ¶ 1 Bullet 2]
    Systems design, build, and implementation Preventive
    Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 Systems design, build, and implementation Preventive
    Establish, implement, and maintain a project management training plan. CC ID 01002 Systems design, build, and implementation Preventive
    Establish, implement, and maintain system testing procedures. CC ID 11744
    [To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4
    Testing is essential to the development process to promote confidentiality, integrity, availability, and resilience. Whether developed internally or by a third party, appropriate personnel should test systems and components to identify and correct defects before deployment, including security-related defects. V.B ¶ 1
    Testing should be sufficient to confirm that systems and components meet the entity's architectural, functional, information security, and legal/regulatory requirements. To help mitigate the risk that an integration point contains an undiscovered defect, entities test the system or component being developed, including how well that system or component interoperates with other systems and components. This scope is commonly achieved through a combination of code-level, system-level, and code vulnerability testing. V.B ¶ 2
    Due to supply chain risk in development, for both in-house and supply chain partners, it is important to consider using the following standards and controls when developing information systems and components: Design relevant validation mechanisms to be used during implementation and operation. V.A ¶ 5 Bullet 3]
    Systems design, build, and implementation Preventive
  • Human Resources Management
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Leadership and high level objectives Preventive
    Assign senior management to approve business cases. CC ID 13068 Leadership and high level objectives Preventive
    Review and approve the Strategic Information Technology Plan. CC ID 13094 Leadership and high level objectives Preventive
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources management Preventive
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Preventive
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Preventive
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Preventive
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources management Preventive
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662
    [Board members should have appropriate knowledge of risks to provide a credible challenge to management responsible for development, acquisition, and maintenance functions. II.B.1 ¶ 1 Bullet 1 Sub-Paragraph 1
    {high risk} When evaluating whether to enter into a relationship with a third party, an entity's management typically determines whether a written contract is needed; and, if the proposed contract can meet the entity's business goals and risk management needs, then entity management typically negotiates appropriate contract provisions for development, acquisition, and maintenance activities. In certain circumstances, it may be advantageous to negotiate initial development, acquisition, and maintenance contracts with other organizations (e.g., banking associations or user groups). As part of its oversight responsibilities, the board should be aware of—and, as appropriate, may approve or delegate approval of—contracts involving higher-risk development, acquisition, and maintenance activities. Refer to the Interagency Guidance on Third-Party Relationships: Risk Management and FFIEC IT Handbook's "Outsourcing Technology Services" booklet for more information on contract negotiation concepts. IV.P.3 ¶ 1
    {be effective} Development is the systematic application of knowledge toward the production of useful materials, devices, and systems. In this context, it involves the processes of defining, designing, developing, testing, and implementing systems or components. Development includes validation and demonstration of a chosen technology, use of test and production environments, improvement of developed prototypes, integration into systems and subsystems, and hardware builds. Understanding development concepts is important to all entities whether development is performed in-house or by a third party on the entity's behalf. Additionally, development can be a complex topic, which requires the entity's board, senior management, and business line management to understand risks and communicate effectively. For entities that develop or modify their own systems and software, effective management requires training in secure design and coding techniques of those responsible for development. If formal standards are not in place and development processes are not controlled, the following can occur, affecting confidentiality, integrity, availability, and resilience: V ¶ 1]
    Human Resources management Preventive
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Preventive
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Corrective
    Implement a staff rotation plan. CC ID 12772 Human Resources management Preventive
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 Operational management Preventive
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Operational management Preventive
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Preventive
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Preventive
  • IT Impact Zone
    5
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE CLASS
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
  • Investigate
    2
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Detective
    Perform social network analysis, as necessary. CC ID 14864 Operational management Detective
  • Monitor and Evaluate Occurrences
    10
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Leadership and high level objectives Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Leadership and high level objectives Preventive
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Leadership and high level objectives Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604 Leadership and high level objectives Detective
    Monitor for new Information Security solutions. CC ID 07078 Leadership and high level objectives Detective
    Include monitoring and analysis capabilities in the quality management program. CC ID 17153 Leadership and high level objectives Preventive
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634
    [Examiners should review the following: Project plans and proposals to determine how well they identify the project purpose, the requirements to address business needs, and the deliverables for each project phase. IV.N Action Summary ¶ 2 Bullet 3
    During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1
    Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling helps management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1
    Effective management understands the SDLC phases and the actions needed in each phase. The phases may be divided differently depending on the entity, the project type and characteristics, and the SDLC used. Management should identify the actions and assign responsibility and accountability for completing those actions. Key stakeholders of the system or component being developed or modified should monitor progress in each phase including the output of each phase. This involvement mitigates the risk that the system or component does not deliver the requested functionality. Management should maintain confidentiality, integrity, availability, and resilience throughout all phases of the SDLC. IV.O.1 ¶ 1]
    Leadership and high level objectives Detective
    Monitor and review the effectiveness of the information security program. CC ID 12744 Operational management Preventive
  • Process or Activity
    47
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Preventive
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Preventive
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Preventive
    Include resources in the analysis of the internal business environment. CC ID 12942
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Leadership and high level objectives Preventive
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Preventive
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Preventive
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Leadership and high level objectives Preventive
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Leadership and high level objectives Preventive
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Leadership and high level objectives Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960 Leadership and high level objectives Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Leadership and high level objectives Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Leadership and high level objectives Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Leadership and high level objectives Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Leadership and high level objectives Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Leadership and high level objectives Preventive
    Identify all interested personnel and affected parties. CC ID 12845
    [The project's initiation phase begins with identifying stakeholders who determine the project's purpose, scope, and final deliverables. The following would typically be completed during this phase: IV.N.1(a) ¶ 1
    {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1]
    Leadership and high level objectives Detective
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Leadership and high level objectives Preventive
    Involve all stakeholders in the architecture review process. CC ID 16935 Leadership and high level objectives Preventive
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 Operational management Preventive
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 Operational management Preventive
    Conduct governance meetings, as necessary. CC ID 16946 Operational management Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Preventive
    Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 Operational management Preventive
    Review and approve access controls, as necessary. CC ID 13074
    [Examiners should review the following: Access, authentication, and authorization controls for systems, components, data, and related documentation throughout the supply chain to ensure appropriate security. IV Action Summary ¶ 2 Bullet 4]
    Operational management Detective
    Provide management direction and support for the information security program. CC ID 11999 Operational management Preventive
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Preventive
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Operational management Preventive
    Coordinate alternate congestion management actions with affected parties. CC ID 17136 Operational management Preventive
    Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 Operational management Preventive
    Establish, implement, and maintain an outage coordination process. CC ID 17161 Operational management Preventive
    Coordinate outages with affected parties. CC ID 17160 Operational management Preventive
    Coordinate energy resource management with affected parties. CC ID 17150 Operational management Preventive
    Coordinate the control of voltage with affected parties. CC ID 17149 Operational management Preventive
    Coordinate energy shortages with affected parties. CC ID 17148 Operational management Preventive
    Approve or deny requests in a timely manner. CC ID 17095 Operational management Preventive
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Preventive
    Provide support for information sharing activities. CC ID 15644 Operational management Preventive
    Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 Operational management Preventive
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Operational management Preventive
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 Operational management Preventive
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Operational management Preventive
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Operational management Preventive
    Analyze the organizational culture. CC ID 12899 Operational management Preventive
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Operational management Detective
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Operational management Detective
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Operational management Detective
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Operational management Corrective
  • Records Management
    1
    Include information sharing procedures in standard operating procedures. CC ID 12974
    [FOSS is typically acquired and used in an as-is manner. An entity may not be aware of the developer(s) in public domain FOSS. There may or may not be updates made available for the software, and changes made to the software may be made by other individuals besides the developer. Risks associated with FOSS include the potential for unidentified or unpatched vulnerabilities and development changes by unknown parties. An accurate inventory of FOSS should be maintained as part of an effective ITAM process, and management should understand and abide by the requirements of FOSS licenses. Additionally, some licenses require users to contribute software additions or enhancements, or they may prohibit the use for commercial purpose or profit. Management should be aware of what information is shared when contributing an enhancement to the FOSS development community. IV.C.1(a) ¶ 2]
    Operational management Preventive
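The FOSS passage above (IV.C.1(a) ¶ 2) asks for an accurate FOSS inventory under ITAM and for management to know which license obligations and which unknown-party risks each component carries. The following is an added illustration of what such an inventory check can look like; it is not code from the FFIEC booklet or from the UCF mapping. It reads a constructed CycloneDX-style SBOM embedded inline and flags the conditions the passage names: no identifiable supplier, no pinned version (so the entity cannot tell whether a patched release exists), no license, a copyleft license that may oblige the entity to contribute modifications, and a license that bars commercial use. The license-obligation table and the sample components are assumptions for the example; real obligations come from the license text and counsel.

```python
import json
from dataclasses import dataclass

# Simplified license-obligation table. Assumption for illustration only: the
# actual obligations come from each license's text, not from this dict.
LICENSE_OBLIGATIONS = {
    "MIT":           {"copyleft": False, "commercial_ok": True},
    "Apache-2.0":    {"copyleft": False, "commercial_ok": True},
    "GPL-3.0-only":  {"copyleft": True,  "commercial_ok": True},
    "AGPL-3.0-only": {"copyleft": True,  "commercial_ok": True},
    "CC-BY-NC-4.0":  {"copyleft": False, "commercial_ok": False},
}

# Constructed CycloneDX-style SBOM for this example; not a real system's BOM.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "requests", "version": "2.32.3",
         "supplier": {"name": "Python Software Foundation"},
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "pdf-render-bindings", "version": "0.4.1",
         "supplier": {"name": "Example Render Project"},
         "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
        # No supplier and no license: public-domain FOSS picked up as-is.
        {"type": "library", "name": "left-pad-ng", "version": "1.0.0",
         "licenses": []},
        # Unknown supplier, no version pinned, non-commercial license.
        {"type": "library", "name": "fast-chart",
         "supplier": {"name": "unknown"},
         "licenses": [{"license": {"id": "CC-BY-NC-4.0"}}]},
        # SPDX expression: the entity must record which option it relies on.
        {"type": "library", "name": "oddlib", "version": "3.1",
         "supplier": {"name": "Oddlib Maintainers"},
         "licenses": [{"expression": "MIT OR GPL-3.0-only"}]},
    ],
})


@dataclass(frozen=True)
class Finding:
    component: str
    issue: str
    detail: str = ""


def review_foss_inventory(sbom_json: str) -> list:
    """Return one Finding per risk condition found in the SBOM's components."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        name = comp.get("name", "<unnamed>")
        supplier = (comp.get("supplier") or {}).get("name", "").strip().lower()
        if supplier in ("", "unknown"):
            findings.append(Finding(name, "unknown-developer",
                                    "changes may come from parties the entity cannot identify"))
        if not comp.get("version"):
            findings.append(Finding(name, "unpinned-version",
                                    "cannot tell whether a patched release exists"))
        entries = comp.get("licenses", [])
        if not entries:
            findings.append(Finding(name, "no-license", "usage rights undetermined"))
        for entry in entries:
            if "expression" in entry:
                findings.append(Finding(name, "license-expression",
                                        entry["expression"] + ": record which option is relied on"))
                continue
            lic = entry.get("license") or {}
            lic_id = lic.get("id") or lic.get("name", "")
            obligations = LICENSE_OBLIGATIONS.get(lic_id)
            if obligations is None:
                findings.append(Finding(name, "unrecognized-license", lic_id or "<blank>"))
                continue
            if obligations["copyleft"]:
                findings.append(Finding(name, "contribution-obligation",
                                        lic_id + ": review what source must be shared if modified"))
            if not obligations["commercial_ok"]:
                findings.append(Finding(name, "no-commercial-use", lic_id))
    return findings


def components_needing_review(sbom_json: str) -> list:
    """Sorted component names with at least one finding, for the ITAM owner."""
    return sorted({f.component for f in review_foss_inventory(sbom_json)})


if __name__ == "__main__":
    for f in review_foss_inventory(SAMPLE_SBOM):
        print(f"{f.component:22} {f.issue:24} {f.detail}")
```

Run against the constructed SBOM, the check leaves requests alone and flags the other four components, with fast-chart carrying three separate conditions. The point for the ITAM process is that the SBOM has to record supplier, version and license for every component before any of these checks mean anything; a component with blank fields is itself the finding.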
  • Systems Design, Build, and Implementation
    7
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Leadership and high level objectives Preventive
    Include an issue tracking system in the Quality Management program. CC ID 06824
    [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6
    Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9]
    Leadership and high level objectives Preventive
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Preventive
    Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 Systems design, build, and implementation Preventive
    Formally approve the initiation of each project phase. CC ID 00997
    [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2
    Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3]
    Systems design, build, and implementation Detective
    Identify accreditation tasks. CC ID 00999 Systems design, build, and implementation Detective
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 Systems design, build, and implementation Preventive
  • Technical Security
    3
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Leadership and high level objectives Detective
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960
    [{be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1]
    Human Resources management Preventive
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Preventive
  • Testing
    8
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Leadership and high level objectives Detective
    Assign and staff all roles appropriately. CC ID 00784 Human Resources management Detective
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2
    Examiners should review the following: Segregation of duties in development, acquisition, and maintenance activities. IV Action Summary ¶ 2 Bullet 5
    Independence: Quality management personnel should be independent of the project they are reviewing to objectively assess elements, such as progress, problem resolution, documentation, and adequacy of the project. IV.K ¶ 3 Bullet 7
    {be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1]
    Human Resources management Detective
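The segregation-of-duties material cited above (II.B.5 ¶ 2, IV.K ¶ 1 and IV.K ¶ 3 Bullet 7, and the compensating-controls control CC ID 06960 under Technical Security) comes down to two checks an entity can automate: on each change, the developer must not also be the tester, approver or production deployer; and, independently of any change, developers must not hold standing access to production. The block below is an added example of both checks, not code from the FFIEC booklet or the UCF mapping. The change records, group memberships and the list of compensating controls accepted when a conflict cannot be avoided are constructed assumptions for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ChangeRecord:
    """Who did what on one change; identities are constructed for the example."""
    change_id: str
    developers: frozenset   # wrote the code
    testers: frozenset      # validated it (quality management)
    approvers: frozenset    # signed off the release
    deployers: frozenset    # pushed it to production (maintenance role)
    compensating_controls: frozenset = frozenset()


# Each rule names two roles that must not share a person.
SOD_RULES = {
    "developer-tested-own-code":        ("developers", "testers"),
    "developer-approved-own-change":    ("developers", "approvers"),
    "developer-deployed-to-production": ("developers", "deployers"),
}

# Compensating controls the entity accepts per rule when full segregation is
# not practical. Assumption for illustration; the real list is policy.
ACCEPTED_COMPENSATING_CONTROLS = {
    "developer-tested-own-code":        {"independent-uat-signoff"},
    "developer-deployed-to-production": {"independent-post-deploy-review",
                                         "break-glass-ticket-reviewed"},
    "developer-approved-own-change":    set(),   # never compensable here
}


def evaluate_change(rec: ChangeRecord) -> list:
    """Return (rule, overlapping people, status) for every SoD conflict.
    status is 'violation' or 'compensated'."""
    results = []
    for rule, (role_a, role_b) in SOD_RULES.items():
        overlap = getattr(rec, role_a) & getattr(rec, role_b)
        if not overlap:
            continue
        accepted = ACCEPTED_COMPENSATING_CONTROLS.get(rule, set())
        status = "compensated" if rec.compensating_controls & accepted else "violation"
        results.append((rule, sorted(overlap), status))
    return results


def developers_with_production_access(dev_group: set, prod_group: set) -> list:
    """Standing-access check: developers who are also in the production
    admin/deploy group, regardless of any single change."""
    return sorted(dev_group & prod_group)


# Constructed change records and group memberships.
CHANGES = [
    ChangeRecord("CR-101", frozenset({"alice"}), frozenset({"dana"}),
                 frozenset({"erin"}), frozenset({"ops-bot"})),
    ChangeRecord("CR-102", frozenset({"alice"}), frozenset({"alice"}),
                 frozenset({"erin"}), frozenset({"ops-bot"})),
    ChangeRecord("CR-103", frozenset({"bob"}), frozenset({"dana"}),
                 frozenset({"erin"}), frozenset({"bob"}),
                 frozenset({"independent-post-deploy-review"})),
    ChangeRecord("CR-104", frozenset({"carol"}), frozenset({"dana"}),
                 frozenset({"carol"}), frozenset({"ops-bot"}),
                 frozenset({"independent-post-deploy-review"})),
]
DEV_GROUP = {"alice", "bob", "carol"}
PROD_ADMIN_GROUP = {"ops-bot", "frank", "bob"}


def report(changes=CHANGES) -> dict:
    """Map each change id to its SoD evaluation."""
    return {c.change_id: evaluate_change(c) for c in changes}


if __name__ == "__main__":
    for cid, issues in report().items():
        print(cid, issues or "clean")
    print("developers with standing production access:",
          developers_with_production_access(DEV_GROUP, PROD_ADMIN_GROUP))
```

CR-103 shows the compensating-control case: the same person developed and deployed, but an accepted control is on record, so it is reported as compensated rather than as a violation. CR-104 shows that a control recorded against the wrong rule does not help; self-approval has no accepted compensation in this policy. The standing-access check catches bob even on a day with no change, which is the condition II.B.5 ¶ 2 is aimed at.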
    Perform a risk assessment for each system development project. CC ID 01000
    [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    Execute the implementation plan, including the following: Assessing risk for issues that may occur during implementation activities (e.g., rollout, conversion, or update). IV.O.1(c) ¶ 4 Bullet 1 Sub-Bullet 1
    When engaged in development, management may consider using design and coding techniques, appropriate tools (e.g., computer-aided design), and prototypes. When development personnel use design and coding techniques, they should appropriately manage risks (e.g., eliminating inaccurate techniques or outdated tools and prototypes). Prototypes may help illustrate a system's or component's functionality to stakeholders and help management identify, evaluate, and highlight design risks not apparent during the impact analysis or before production. Then the design risks may be resolved more efficiently. There are alternatives to prototyping, such as defining and building a system or component with only enough features to accomplish the essential user objectives of the system. V ¶ 3
    Automation and orchestration give the DevOps approach several benefits including shorter development cycles, increased deployment frequency, faster time to market, and more stable operating environments. In the past, entities may have had changes that took place on a weekly basis; however, in a DevOps environment, the same number and type of changes can be made daily or even hourly. However, automation of previously manual activities, combined with frequent and rapid release cycles, may result in perpetuation of errors or invalid code. Management should assess the risks involved in using a DevOps approach and implement appropriate controls. Potential risks include the following: V.C.1 ¶ 3]
    Systems design, build, and implementation Detective
    Conduct a post implementation review when the system design project ends. CC ID 01003
    [Auditors may participate in an advisory capacity in IT projects and may perform pre- and post-implementation reviews. Post-implementation reviews should occur shortly after implementing the new or revised system or components. These reviews help validate that the system or component operates as expected and provide financial statement users with relevant information in ways that justify the cost of providing it. II.B.9 ¶ 3
    Organizations formally perform a post-implementation review (PIR) for system development and implementation projects to continuously improve. Processes and techniques that were effective are passed to future projects as effective practices. Problems and their solutions are also passed along to help future projects avoid pitfalls. In agile projects when there are multiple implementations, smaller reviews are completed after each task or deliverable is implemented. Typical PIR steps are IV.M ¶ 1
    Overseeing a post-implementation review. IV.N.2 ¶ 5 Bullet 4
    Conduct PIRs (e.g., survey users, review complaints, plan future functionality, and identify other improvements). Additionally, the reviews may identify lessons learned and process improvement information. IV.O.1(c) ¶ 4 Bullet 9
    {affected party} Training is critical to the success of the implementation and assessment phase as are training plans and supporting materials for operating, using, and maintaining the system. Training is often the first exposure to the system for most users and should be provided before system or component deployment to the production environment. Training enables users to familiarize themselves with the new or updated system or component. A positive training experience typically improves user acceptance. During this phase, appropriate personnel should coordinate training logistics, including who should be trained, what the training involves, and when training should be conducted. Effective management organizes a training and awareness campaign and notifies users of any implementation and training responsibilities. This helps establish user expectations regarding system and component capabilities. Those responsible for supporting the system or component in the entity should have a combination of technical documentation, training, and hands-on assistance enabling support personnel to provide operational support to the users. Once the product is implemented, management should perform a PIR (see the "Post-Implementation Review" section of this booklet for more information). IV.O.1(c) ¶ 6]
    Systems design, build, and implementation Detective
    Perform Quality Management on all newly developed or modified systems. CC ID 01100
    [Measurability: To accurately evaluate a project's success, management should assess results against defined expectations and requirements to determine project success. Quality management personnel should assess the quality of products and processes against measurable standards, metrics, and expectations. IV.K ¶ 3 Bullet 5
    Management should establish development standards, including procedures for controlling changes during the development process that address the following: Quality management (also referred to as quality assurance and quality control [QA/QC]), including the development and implementation of a system or component so it meets predefined specifications and management's expectations. V.A ¶ 1 Bullet 2]
    Systems design, build, and implementation Detective
    Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 Systems design, build, and implementation Detective
    Review and test source code. CC ID 01086
    [Examiners should review the following: Quality assurance (QA) reports to evaluate processes for the detection of potential coding errors. II Action Summary ¶ 2 Bullet 6
    Manual or automated code reviews help identify vulnerabilities. Manual code reviews are performed by entity personnel or a third party and may be less costly than an automated code review. However, limitations on reviewers' knowledge or experience may result in unidentified issues, such as syntax errors and code vulnerabilities due to human error. Additionally, manual reviews may not be effective for extensive volumes of testing. Automated code reviews, on the other hand, may be more sophisticated, can reduce human error, and generally provide more timely identification of weaknesses. These tools are scalable and can be continuously updated as technology and vulnerabilities evolve. Entities review software code that has been implemented to mitigate the risk that vulnerabilities may be introduced through routine updates and patches. If an automated code review process is implemented, management should ensure that the embedded rules of the code review tools are appropriately configured and used. Management selects code review types that are effective for the entity's project and available resources, and management validates that the code review process meets its needs. IV.D ¶ 4
    To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4
    The types of testing performed should be appropriate for the development activity's inherent risk. Effective management has a methodical process to define and conduct testing necessary to demonstrate the effectiveness of a developed system or component. Typically, testing is performed in stages, and knowledgeable testing specialists and relevant stakeholders should be involved in testing. Regardless of the process, various tests may be used individually or in combination at different points in the development and testing phases. During system or component development, developers perform code reviews, which typically occur as part of the testing process. Appropriate personnel can perform testing manually, with automated tools, or a combination of both. V.B ¶ 5]
    Systems design, build, and implementation Detective
Common Controls and mandates by Classification
21 Mandated Controls - bold
30 Implied Controls - italic
495 Implementation - regular

There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.

Number of Controls
546 Total
  • Corrective
    10
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular IMPACT ZONE TYPE
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Leadership and high level objectives Communicate
    Correct errors and deficiencies in a timely manner. CC ID 13501
    [Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9]
    Leadership and high level objectives Business Processes
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 Leadership and high level objectives Business Processes
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Leadership and high level objectives Establish/Maintain Documentation
    Implement a corrective action plan in response to the audit report. CC ID 06777 Audits and risk management Establish/Maintain Documentation
    Rotate members of the board of directors, as necessary. CC ID 14803 Human Resources management Human Resources Management
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Operational management Actionable Reports or Measurements
    Update operating procedures that contribute to user errors. CC ID 06935 Operational management Establish/Maintain Documentation
    Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 Operational management Process or Activity
  • Detective
    38
    Identify all interested personnel and affected parties. CC ID 12845
    [The project's initiation phase begins with identifying stakeholders who determine the project's purpose, scope, and final deliverables. The following would typically be completed during this phase: IV.N.1(a) ¶ 1
    {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1]
    Leadership and high level objectives Process or Activity
    Approve the data classification scheme. CC ID 13858 Leadership and high level objectives Establish/Maintain Documentation
    Ensure the data dictionary is complete and accurate. CC ID 13527 Leadership and high level objectives Investigate
    Monitor regulatory trends to maintain compliance. CC ID 00604 Leadership and high level objectives Monitor and Evaluate Occurrences
    Monitor for new Information Security solutions. CC ID 07078 Leadership and high level objectives Monitor and Evaluate Occurrences
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 Leadership and high level objectives Technical Security
    Enforce a continuous Quality Control system. CC ID 01005
    [Validating that any changes are authorized, quality is maintained, scope creep is mitigated, and stakeholders are informed. IV.N.2 ¶ 4 Bullet 3]
    Leadership and high level objectives Business Processes
    Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 Leadership and high level objectives Testing
    Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 Leadership and high level objectives Business Processes
    Review and analyze any quality improvement goals that were missed. CC ID 07204 Leadership and high level objectives Business Processes
    Establish and maintain a compliance oversight committee. CC ID 00765 Leadership and high level objectives Establish Roles
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151
    [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3
    Examiners should review the following: Board and committee minutes to evaluate how the entity prioritizes projects relative to business goals and objectives, evaluates the project's effect on operations, and monitors and supports projects during execution. IV.N Action Summary ¶ 2 Bullet 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634
    [Examiners should review the following: Project plans and proposals to determine how well they identify the project purpose, the requirements to address business needs, and the deliverables for each project phase. IV.N Action Summary ¶ 2 Bullet 3
    During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1
    Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling helps management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1
    Effective management understands the SDLC phases and the actions needed in each phase. The phases may be divided differently depending on the entity, the project type and characteristics, and the SDLC used. Management should identify the actions and assign responsibility and accountability for completing those actions. Key stakeholders of the system or component being developed or modified should monitor progress in each phase including the output of each phase. This involvement mitigates the risk that the system or component does not deliver the requested functionality. Management should maintain confidentiality, integrity, availability, and resilience throughout all phases of the SDLC. IV.O.1 ¶ 1]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and risk management Audits and Risk Management
    Review past audit reports. CC ID 01155
    [Examiners should review the following: Project audit reports to determine whether the audit function provides independent, objective assurance of the effectiveness of an entity's development, acquisition, and maintenance activities. II Action Summary ¶ 2 Bullet 4
    Examiners should review the following: Acquisition and procurement-related audits. VI Action Summary ¶ 2 Bullet 6]
    Audits and risk management Establish/Maintain Documentation
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161
    [Review past reports for outstanding issues or previous problems. Consider the following: Regulatory reports of examination. App A Objective 1:1a]
    Audits and risk management Establish/Maintain Documentation
    Review the issues of non-compliance from past audit reports. CC ID 01148
    [Review management's response to issues raised during, or since, the last examination. Consider the following: Existence of any outstanding issues. App A Objective 1:2c]
    Audits and risk management Establish/Maintain Documentation
    Review management's response to issues raised in past audit reports. CC ID 01149
    [Review management's response to issues raised during, or since, the last examination. Consider the following: Resolution of root causes rather than just specific issues. App A Objective 1:2b
    {corrective action} Review management's response to issues raised during, or since, the last examination. Consider the following: Whether management has taken positive action toward correcting exceptions reported in audit and examination reports. App A Objective 1:2d]
    Audits and risk management Audits and Risk Management
    Document and communicate role descriptions to all applicable personnel. CC ID 00776 Human Resources management Establish Roles
    Assign and staff all roles appropriately. CC ID 00784 Human Resources management Testing
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2
    Examiners should review the following: Segregation of duties in development, acquisition, and maintenance activities. IV Action Summary ¶ 2 Bullet 5
    Independence: Quality management personnel should be independent of the project they are reviewing to objectively assess elements, such as progress, problem resolution, documentation, and adequacy of the project. IV.K ¶ 3 Bullet 7
    {be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1]
    Human Resources management Testing
    Evaluate the staffing requirements regularly. CC ID 00775 Human Resources management Business Processes
    Review the relevance of information supporting internal controls. CC ID 12420 Operational management Business Processes
    Include emergency response procedures in the internal control framework. CC ID 06779 Operational management Establish/Maintain Documentation
    Review and approve access controls, as necessary. CC ID 13074
    [Examiners should review the following: Access, authentication, and authorization controls for systems, components, data, and related documentation throughout the supply chain to ensure appropriate security. IV Action Summary ¶ 2 Bullet 4]
    Operational management Process or Activity
    Perform social network analysis, as necessary. CC ID 14864 Operational management Investigate
    Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 Operational management Communicate
    Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 Operational management Behavior
    Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 Operational management Process or Activity
    Include the organizational climate in the analysis of the organizational culture. CC ID 12921 Operational management Process or Activity
    Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 Operational management Process or Activity
    Formally approve the initiation of each project phase. CC ID 00997
    [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2
    Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3]
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Perform a risk assessment for each system development project. CC ID 01000
    [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    Execute the implementation plan, including the following: Assessing risk for issues that may occur during implementation activities (e.g., rollout, conversion, or update). IV.O.1(c) ¶ 4 Bullet 1 Sub-Bullet 1
    When engaged in development, management may consider using design and coding techniques, appropriate tools (e.g., computer-aided design), and prototypes. When development personnel use design and coding techniques, they should appropriately manage risks (e.g., eliminating inaccurate techniques or outdated tools and prototypes). Prototypes may help illustrate a system's or component's functionality to stakeholders and help management identify, evaluate, and highlight design risks not apparent during the impact analysis or before production. Then the design risks may be resolved more efficiently. There are alternatives to prototyping, such as defining and building a system or component with only enough features to accomplish the essential user objectives of the system. V ¶ 3
    Automation and orchestration give the DevOps approach several benefits including shorter development cycles, increased deployment frequency, faster time to market, and more stable operating environments. In the past, entities may have had changes that took place on a weekly basis; however, in a DevOps environment, the same number and type of changes can be made daily or even hourly. However, automation of previously manual activities, combined with frequent and rapid release cycles, may result in perpetuation of errors or invalid code. Management should assess the risks involved in using a DevOps approach and implement appropriate controls. Potential risks include the following: V.C.1 ¶ 3]
    Systems design, build, and implementation Testing
    Identify accreditation tasks. CC ID 00999 Systems design, build, and implementation Systems Design, Build, and Implementation
    Conduct a post implementation review when the system design project ends. CC ID 01003
    [Auditors may participate in an advisory capacity in IT projects and may perform pre- and post-implementation reviews. Post-implementation reviews should occur shortly after implementing the new or revised system or components. These reviews help validate that the system or component operates as expected and provide financial statement users with relevant information in ways that justify the cost of providing it. II.B.9 ¶ 3
    Organizations formally perform a post-implementation review (PIR) for system development and implementation projects to continuously improve. Processes and techniques that were effective are passed to future projects as effective practices. Problems and their solutions are also passed along to help future projects avoid pitfalls. In agile projects when there are multiple implementations, smaller reviews are completed after each task or deliverable is implemented. Typical PIR steps are IV.M ¶ 1
    Overseeing a post-implementation review. IV.N.2 ¶ 5 Bullet 4
    Conduct PIRs (e.g., survey users, review complaints, plan future functionality, and identify other improvements). Additionally, the reviews may identify lessons learned and process improvement information. IV.O.1(c) ¶ 4 Bullet 9
    {affected party} Training is critical to the success of the implementation and assessment phase as are training plans and supporting materials for operating, using, and maintaining the system. Training is often the first exposure to the system for most users and should be provided before system or component deployment to the production environment. Training enables users to familiarize themselves with the new or updated system or component. A positive training experience typically improves user acceptance. During this phase, appropriate personnel should coordinate training logistics, including who should be trained, what the training involves, and when training should be conducted. Effective management organizes a training and awareness campaign and notifies users of any implementation and training responsibilities. This helps establish user expectations regarding system and component capabilities. Those responsible for supporting the system or component in the entity should have a combination of technical documentation, training, and hands-on assistance enabling support personnel to provide operational support to the users. Once the product is implemented, management should perform a PIR (see the "Post-Implementation Review" section of this booklet for more information). IV.O.1(c) ¶ 6]
    Systems design, build, and implementation Testing
    Perform Quality Management on all newly developed or modified systems. CC ID 01100
    [Measurability: To accurately evaluate a project's success, management should assess results against defined expectations and requirements to determine project success. Quality management personnel should assess the quality of products and processes against measurable standards, metrics, and expectations. IV.K ¶ 3 Bullet 5
    Management should establish development standards, including procedures for controlling changes during the development process that address the following: Quality management (also referred to as quality assurance and quality control [QA/QC]), including the development and implementation of a system or component so it meets predefined specifications and management's expectations. V.A ¶ 1 Bullet 2]
    Systems design, build, and implementation Testing
    Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 Systems design, build, and implementation Testing
    Review and test source code. CC ID 01086
    [Examiners should review the following: Quality assurance (QA) reports to evaluate processes for the detection of potential coding errors. II Action Summary ¶ 2 Bullet 6
    Manual or automated code reviews help identify vulnerabilities. Manual code reviews are performed by entity personnel or a third party and may be less costly than an automated code review. However, limitations on reviewers' knowledge or experience may result in unidentified issues, such as syntax errors and code vulnerabilities due to human error. Additionally, manual reviews may not be effective for extensive volumes of testing. Automated code reviews, on the other hand, may be more sophisticated, can reduce human error, and generally provide more timely identification of weaknesses. These tools are scalable and can be continuously updated as technology and vulnerabilities evolve. Entities review software code that has been implemented to mitigate the risk that vulnerabilities may be introduced through routine updates and patches. If an automated code review process is implemented, management should ensure that the embedded rules of the code review tools are appropriately configured and used. Management selects code review types that are effective for the entity's project and available resources, and management validates that the code review process meets its needs. IV.D ¶ 4
    To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4
    The types of testing performed should be appropriate for the development activity's inherent risk. Effective management has a methodical process to define and conduct testing necessary to demonstrate the effectiveness of a developed system or component. Typically, testing is performed in stages, and knowledgeable testing specialists and relevant stakeholders should be involved in testing. Regardless of the process, various tests may be used individually or in combination at different points in the development and testing phases. During system or component development, developers perform code reviews, which typically occur as part of the testing process. Appropriate personnel can perform testing manually, with automated tools, or a combination of both. V.B ¶ 5]
    Systems design, build, and implementation Testing
  • IT Impact Zone
    5
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular
    IMPACT ZONE    TYPE
    Leadership and high level objectives CC ID 00597 Leadership and high level objectives IT Impact Zone
    Audits and risk management CC ID 00677 Audits and risk management IT Impact Zone
    Human Resources management CC ID 00763 Human Resources management IT Impact Zone
    Operational management CC ID 00805 Operational management IT Impact Zone
    Systems design, build, and implementation CC ID 00989 Systems design, build, and implementation IT Impact Zone
  • Preventive
    493
    Analyze organizational objectives, functions, and activities. CC ID 00598
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Leadership and high level objectives Monitor and Evaluate Occurrences
    Develop instructions for setting organizational objectives and strategies. CC ID 12931 Leadership and high level objectives Establish/Maintain Documentation
    Analyze the business environment in which the organization operates. CC ID 12798
    [Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2]
    Leadership and high level objectives Business Processes
    Identify the internal factors that may affect organizational objectives. CC ID 12957 Leadership and high level objectives Process or Activity
    Include key processes in the analysis of the internal business environment. CC ID 12947 Leadership and high level objectives Process or Activity
    Include existing information in the analysis of the internal business environment. CC ID 12943 Leadership and high level objectives Process or Activity
    Include resources in the analysis of the internal business environment. CC ID 12942
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Leadership and high level objectives Process or Activity
    Include the operating plan in the analysis of the internal business environment. CC ID 12941 Leadership and high level objectives Process or Activity
    Include incentives in the analysis of the internal business environment. CC ID 12940 Leadership and high level objectives Process or Activity
    Include organizational structures in the analysis of the internal business environment. CC ID 12939 Leadership and high level objectives Process or Activity
    Include the strategic plan in the analysis of the internal business environment. CC ID 12937 Leadership and high level objectives Process or Activity
    Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 Leadership and high level objectives Process or Activity
    Align assets with business functions and the business environment. CC ID 13681 Leadership and high level objectives Business Processes
    Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 Leadership and high level objectives Communicate
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 Leadership and high level objectives Monitor and Evaluate Occurrences
    Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 Leadership and high level objectives Monitor and Evaluate Occurrences
    Analyze the external environment in which the organization operates. CC ID 12799 Leadership and high level objectives Business Processes
    Identify the external forces that may affect organizational objectives. CC ID 12960 Leadership and high level objectives Process or Activity
    Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include environmental requirements in the analysis of the external environment. CC ID 12965 Leadership and high level objectives Business Processes
    Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include regulatory requirements in the analysis of the external environment. CC ID 12964 Leadership and high level objectives Business Processes
    Include society in the analysis of the external environment. CC ID 12963 Leadership and high level objectives Business Processes
    Include opportunities in the analysis of the external environment. CC ID 12954 Leadership and high level objectives Business Processes
    Include third party relationships in the analysis of the external environment. CC ID 12952 Leadership and high level objectives Business Processes
    Include industry forces in the analysis of the external environment. CC ID 12904 Leadership and high level objectives Business Processes
    Include threats in the analysis of the external environment. CC ID 12898 Leadership and high level objectives Business Processes
    Include geopolitics in the analysis of the external environment. CC ID 12897 Leadership and high level objectives Business Processes
    Include legal requirements in the analysis of the external environment. CC ID 12896
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Leadership and high level objectives Business Processes
    Include technology in the analysis of the external environment. CC ID 12837 Leadership and high level objectives Business Processes
    Include analyzing the market in the analysis of the external environment. CC ID 12836 Leadership and high level objectives Business Processes
    Conduct a context analysis to define objectives and strategies. CC ID 12864 Leadership and high level objectives Business Processes
    Establish, implement, and maintain organizational objectives. CC ID 09959 Leadership and high level objectives Establish/Maintain Documentation
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Leadership and high level objectives Process or Activity
    Identify events that may affect organizational objectives. CC ID 12961 Leadership and high level objectives Process or Activity
    Identify conditions that may affect organizational objectives. CC ID 12958 Leadership and high level objectives Process or Activity
    Identify requirements that could affect achieving organizational objectives. CC ID 12828 Leadership and high level objectives Business Processes
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Leadership and high level objectives Business Processes
    Prioritize organizational objectives. CC ID 09960 Leadership and high level objectives Business Processes
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Leadership and high level objectives Business Processes
    Establish, implement, and maintain a value generation model. CC ID 15591 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Leadership and high level objectives Communicate
    Include value distribution in the value generation model. CC ID 15603 Leadership and high level objectives Establish/Maintain Documentation
    Include value retention in the value generation model. CC ID 15600 Leadership and high level objectives Establish/Maintain Documentation
    Include value generation procedures in the value generation model. CC ID 15599 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain value generation objectives. CC ID 15583 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Leadership and high level objectives Establish/Maintain Documentation
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Leadership and high level objectives Establish/Maintain Documentation
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Leadership and high level objectives Establish/Maintain Documentation
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Leadership and high level objectives Establish/Maintain Documentation
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Leadership and high level objectives Establish/Maintain Documentation
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Leadership and high level objectives Establish/Maintain Documentation
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Leadership and high level objectives Establish/Maintain Documentation
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Leadership and high level objectives Communicate
    Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 Leadership and high level objectives Communicate
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 Leadership and high level objectives Establish/Maintain Documentation
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Leadership and high level objectives Business Processes
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Leadership and high level objectives Process or Activity
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Leadership and high level objectives Process or Activity
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Leadership and high level objectives Business Processes
    Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 Leadership and high level objectives Process or Activity
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2
    Validating stakeholder support and engagement. IV.N.2 ¶ 3 Bullet 3]
    Leadership and high level objectives Business Processes
    Establish, implement, and maintain data governance and management practices. CC ID 14998
    [Examiners should review the following: Inventory of all systems and components (e.g., open-source, proprietary, application programming interfaces [API], and container images and registries), including related licenses, and data as part of IT asset management (ITAM). IV Action Summary ¶ 2 Bullet 3
    A distributed service registry should be deployed for large microservices applications, and data consistency should be maintained among multiple service registry instances. IV.G ¶ 6 Bullet 7]
    Leadership and high level objectives Establish/Maintain Documentation
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Leadership and high level objectives Establish/Maintain Documentation
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Leadership and high level objectives Establish/Maintain Documentation
    Include bias for data sets in the data governance and management practices. CC ID 15085 Leadership and high level objectives Establish/Maintain Documentation
    Include the data source in the data governance and management practices. CC ID 17211 Leadership and high level objectives Data and Information Management
    Include a data strategy in the data governance and management practices. CC ID 15304 Leadership and high level objectives Establish/Maintain Documentation
    Include data monitoring in the data governance and management practices. CC ID 15303 Leadership and high level objectives Establish/Maintain Documentation
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Leadership and high level objectives Establish/Maintain Documentation
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Leadership and high level objectives Establish/Maintain Documentation
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Leadership and high level objectives Establish/Maintain Documentation
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Leadership and high level objectives Establish/Maintain Documentation
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain an information classification standard. CC ID 00601 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Leadership and high level objectives Data and Information Management
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Leadership and high level objectives Data and Information Management
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 Leadership and high level objectives Data and Information Management
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Leadership and high level objectives Data and Information Management
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 Leadership and high level objectives Data and Information Management
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Leadership and high level objectives Data and Information Management
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 Leadership and high level objectives Data and Information Management
    Classify the value of information in the information classification standard. CC ID 11995 Leadership and high level objectives Data and Information Management
    Classify the legal requirements of information in the information classification standard. CC ID 11994 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain a data classification scheme. CC ID 11628 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Leadership and high level objectives Data and Information Management
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Leadership and high level objectives Communicate
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Leadership and high level objectives Establish/Maintain Documentation
    Refrain from including metadata in the data dictionary. CC ID 13529 Leadership and high level objectives Establish/Maintain Documentation
    Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 Leadership and high level objectives Establish/Maintain Documentation
    Include information needed to understand each data element and population in the data dictionary. CC ID 13528 Leadership and high level objectives Establish/Maintain Documentation
    Include format requirements for data elements in the data dictionary. CC ID 17108 Leadership and high level objectives Data and Information Management
    Include notification requirements for data elements in the data dictionary. CC ID 17107 Leadership and high level objectives Data and Information Management
    Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 Leadership and high level objectives Establish/Maintain Documentation
    Include the date or time period the data was observed in the data dictionary. CC ID 13524 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 Leadership and high level objectives Establish/Maintain Documentation
    Include the uncertainty of each data element in the data dictionary. CC ID 13521 Leadership and high level objectives Establish/Maintain Documentation
    Include the measurement units for each data element in the data dictionary. CC ID 13534 Leadership and high level objectives Establish/Maintain Documentation
    Include the precision of the measurement in the data dictionary. CC ID 13520 Leadership and high level objectives Establish/Maintain Documentation
    Include the data source in the data dictionary. CC ID 13519 Leadership and high level objectives Establish/Maintain Documentation
    Include the nature of each element in the data dictionary. CC ID 13518 Leadership and high level objectives Establish/Maintain Documentation
    Include the population of events or instances in the data dictionary. CC ID 13517 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 Leadership and high level objectives Communicate
    Establish, implement, and maintain data reconciliation procedures. CC ID 17118 Leadership and high level objectives Data and Information Management
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 Leadership and high level objectives Establish/Maintain Documentation
    Involve all stakeholders in the architecture review process. CC ID 16935 Leadership and high level objectives Process or Activity
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 Leadership and high level objectives Establish/Maintain Documentation
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Leadership and high level objectives Behavior
    Establish, implement, and maintain an organizational structure. CC ID 16310 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Leadership and high level objectives Communicate
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Leadership and high level objectives Establish/Maintain Documentation
    Include supply chain management standards in the Quality Management framework. CC ID 13701 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management policy. CC ID 13694 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 Leadership and high level objectives Establish/Maintain Documentation
    Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 Leadership and high level objectives Establish/Maintain Documentation
    Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 Leadership and high level objectives Establish/Maintain Documentation
    Include critical Information Technology processes in the Quality Management framework. CC ID 13645 Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 Leadership and high level objectives Communicate
    Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 Leadership and high level objectives Communicate
    Align the quality objectives with the Quality Management policy. CC ID 13697 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management standard. CC ID 01006
    [Scalability: Projects vary in size and complexity. Quality management standards should match project characteristics and risks and may differ by project size and type. Quality reviews may consider whether the entity's systems and components can scale, as necessary. IV.K ¶ 3 Bullet 4]
    Leadership and high level objectives Establish/Maintain Documentation
    Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a Quality Management program. CC ID 07201
    [Examiners should review the following: Evaluation process (e.g., post-implementation review, stakeholder interview, problem documentation and resolution, cost-benefit analysis, and reports to senior management) for development, acquisition, and maintenance projects. IV Action Summary ¶ 2 Bullet 13
    Quality management is a critical part of well-managed development, acquisition, and maintenance activities. Comprehensive quality management, risk management, and testing standards provide a means to manage project risks and promote expected functionality, security, and interoperability in systems and components in a secure, resilient manner. Quality management policies, standards, and procedures should be applied to internally and externally developed programs and should address the following: IV.K ¶ 3
    Generally, IT project plans consider the following: Quality management tasks (e.g., testing both developed systems and patches for procured systems). IV.N.3(d) ¶ 1 Bullet 5]
    Leadership and high level objectives Establish/Maintain Documentation
    Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 Leadership and high level objectives Communicate
    Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 Leadership and high level objectives Communicate
    Include quality objectives in the Quality Management program. CC ID 13693 Leadership and high level objectives Establish/Maintain Documentation
    Include monitoring and analysis capabilities in the quality management program. CC ID 17153 Leadership and high level objectives Monitor and Evaluate Occurrences
    Include records management in the quality management system. CC ID 15055 Leadership and high level objectives Establish/Maintain Documentation
    Include risk management in the quality management system. CC ID 15054 Leadership and high level objectives Establish/Maintain Documentation
    Include data management procedures in the quality management system. CC ID 15052 Leadership and high level objectives Establish/Maintain Documentation
    Include a post-market monitoring system in the quality management system. CC ID 15027 Leadership and high level objectives Establish/Maintain Documentation
    Include operational roles and responsibilities in the quality management system. CC ID 15028 Leadership and high level objectives Establish/Maintain Documentation
    Include quality gates and testing milestones in the Quality Management program. CC ID 06825 Leadership and high level objectives Systems Design, Build, and Implementation
    Include resource management in the quality management system. CC ID 15026 Leadership and high level objectives Establish/Maintain Documentation
    Include communication protocols in the quality management system. CC ID 15025 Leadership and high level objectives Establish/Maintain Documentation
    Include incident reporting procedures in the quality management system. CC ID 15023 Leadership and high level objectives Establish/Maintain Documentation
    Include technical specifications in the quality management system. CC ID 15021 Leadership and high level objectives Establish/Maintain Documentation
    Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
    [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6]
    Leadership and high level objectives Establish/Maintain Documentation
    Include program documentation standards in the Quality Management program. CC ID 01016 Leadership and high level objectives Establish/Maintain Documentation
    Include program testing standards in the Quality Management program. CC ID 01017 Leadership and high level objectives Establish/Maintain Documentation
    Include system testing standards in the Quality Management program. CC ID 01018 Leadership and high level objectives Establish/Maintain Documentation
    Include an issue tracking system in the Quality Management program. CC ID 06824
    [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6
    Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9]
    Leadership and high level objectives Systems Design, Build, and Implementation
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285 Leadership and high level objectives Establish/Maintain Documentation
    Approve all compliance documents. CC ID 06286 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Leadership and high level objectives Establish/Maintain Documentation
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1]
    Leadership and high level objectives Business Processes
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608 Leadership and high level objectives Establish Roles
    Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1
    Additionally, the board generally approves Policies and standards. II.B.1 ¶ 1 Bullet 1 Sub-Bullet 2]
    Leadership and high level objectives Establish Roles
    Establish, implement, and maintain a strategic plan. CC ID 12784 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a security planning policy. CC ID 14027 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain security planning procedures. CC ID 14060
    [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Leadership and high level objectives Communicate
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628
    [Examiners should review the following: Enterprise-wide IT policies, procedures, and standards describing the entity's requirements throughout the development, acquisition, and maintenance life cycle. II Action Summary ¶ 2 Bullet 1
    Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 Leadership and high level objectives Establish/Maintain Documentation
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Leadership and high level objectives Human Resources Management
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Leadership and high level objectives Establish/Maintain Documentation
    Include the information integrity goals in the Information Governance Plan. CC ID 10057 Leadership and high level objectives Establish/Maintain Documentation
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Leadership and high level objectives Establish/Maintain Documentation
    Align business continuity objectives with the business continuity policy. CC ID 12408 Leadership and high level objectives Establish/Maintain Documentation
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 Leadership and high level objectives Business Processes
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Leadership and high level objectives Establish/Maintain Documentation
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain Information Technology project plans. CC ID 16944
    [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3
    Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2
    Planning, particularly in the project's early stages, should help the project team and management coordinate development activities and manage risks effectively. Planning helps the project team and management add or clarify the project's specific activities, resources, costs, and benefits. A critical part of planning is to coordinate stakeholder discussions to identify and document as many of the entity's functional, security, and network requirements as possible. IV.O.1(a) ¶ 3]
    Leadership and high level objectives Establish/Maintain Documentation
    Submit closure reports at the conclusion of each information technology project. CC ID 16948
    [If a project is discontinued before implementation, determining and documenting the reasons for the abnormal project closure for use by future project teams. IV.N.2 ¶ 5 Bullet 2]
    Leadership and high level objectives Actionable Reports or Measurements
    Review and approve the closure report. CC ID 16947 Leadership and high level objectives Actionable Reports or Measurements
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497
    [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2
    Board: The board, or board-designated committee, typically confirms that IT-related development, acquisition, and maintenance activities align with entity strategic objectives and the board's risk appetite. The audit committee of the board is involved with reviewing and validating the entity's audit-related activities, including development, acquisition, and maintenance. Additionally, the board generally approves II.B.1 ¶ 1 Bullet 1
    The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846
    [The following would typically be completed during this phase: A project request that provides the business case including a description of the work, the benefits, alternatives considered, the impact of not doing the work, initial estimates of resources and schedule, and strategic match. IV.N.1(a) ¶ 1 Bullet 1
    A business case conveys business related information to help management determine whether to fund a project. The goal is to justify the project resources (e.g., budget and staffing) to address a business need. Typically, the project's sponsor helps to develop and owns the resulting business case. Business cases often include the following: IV.N.3(b) ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Leadership and high level objectives Business Processes
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916
    [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
    {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1
    The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917
    [Validating that appropriate success criteria are identified and the project is feasible. IV.N.2 ¶ 2 Bullet 5]
    Leadership and high level objectives Establish/Maintain Documentation
    Assign senior management to approve business cases. CC ID 13068 Leadership and high level objectives Human Resources Management
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621
    [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3
    Coordinating the project phases, including tasks and activities, sufficiency of resources, and process steps and timing for each phase. IV.N.2 ¶ 2 Bullet 2
    Generally, IT project plans consider the following: Schedule, including completion of key tasks and achieving milestones. IV.N.3(d) ¶ 1 Bullet 4
    {project closeout} During the project's closeout phase, the project team delivers the agreed-upon scope items as outlined in the project plan. For example, in a systems development or acquisition project, project closeout is when the project team transitions the systems to the operations staff (i.e., moves application from a staging to a production environment). Often during the project closeout, project teams analyze the project (i.e., post-implementation review) to identify effective project practices and discuss issues encountered and how they were resolved. This information is used to inform and improve project management practices. Project teams review project documentation in the closeout phase to ensure that it is complete, supports maintenance, and can be used by future teams to identify effective practices. IV.N.1(d) ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 Leadership and high level objectives Establish/Maintain Documentation
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Leadership and high level objectives Establish/Maintain Documentation
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Leadership and high level objectives Establish/Maintain Documentation
    Include a search plan in the counterterror protective security plan. CC ID 06865 Leadership and high level objectives Establish/Maintain Documentation
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Leadership and high level objectives Establish/Maintain Documentation
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Leadership and high level objectives Establish/Maintain Documentation
    Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673
    [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1
    An IT project should be managed in relation to the entity's size and complexity and consistent with the project's criticality and risks. An ineffectively managed IT project may result in late deliveries, cost overruns, or systems or components that do not meet entity, user, customer, or regulatory requirements. Systems or components that do not meet entity minimum standards or customer requirements can result in underused, insecure, or unreliable products or services. Adding functions, security, or automated controls into systems or components late in the initial development or after implementation to address missed requirements may incur substantial costs (e.g., personnel, time, and money), resulting in less effective systems or components. Furthermore, poor project management can lead to legal issues, such as violations of law and regulation and monetary penalties. IV.N ¶ 2
    {strategic objective} Effective management aligns implementation of any methodology with the overall strategic and business objectives. Planning, education, and communication are important elements to help ensure that critical resources are available when needed for IT projects. Management should promote effective planning through IT project management and support training for developers, quality management members, testers, and maintenance personnel. Entity staff should be proficient and qualified in the selected methodologies. Common examples used in the financial industry include waterfall and agile; however, examiners may encounter others. IV.J ¶ 2]
    Leadership and high level objectives Establish/Maintain Documentation
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1
    The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1]
    Leadership and high level objectives Establish/Maintain Documentation
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839
    [During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1]
    Leadership and high level objectives Actionable Reports or Measurements
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Leadership and high level objectives Actionable Reports or Measurements
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Leadership and high level objectives Actionable Reports or Measurements
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Leadership and high level objectives Actionable Reports or Measurements
    Review and approve the Strategic Information Technology Plan. CC ID 13094 Leadership and high level objectives Human Resources Management
    Establish, implement, and maintain an audit program. CC ID 00684 Audits and risk management Establish/Maintain Documentation
    Establish and maintain organizational audit reports. CC ID 06731 Audits and risk management Establish/Maintain Documentation
    Include the scope and work performed in the audit report. CC ID 11621 Audits and risk management Audits and Risk Management
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Human Resources management Establish Roles
    Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
    [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1
    The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1]
    Human Resources management Establish Roles
    Establish and maintain board committees, as necessary. CC ID 14789 Human Resources management Human Resources Management
    Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 Human Resources management Establish/Maintain Documentation
    Assign oversight of C-level executives to the Board of Directors. CC ID 14784 Human Resources management Human Resources Management
Establish, implement, and maintain candidate selection procedures for the board of directors. CC ID 14782 Human Resources management Establish/Maintain Documentation
    Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 Human Resources management Establish/Maintain Documentation
    Assign oversight of the financial management program to the board of directors. CC ID 14781 Human Resources management Human Resources Management
    Assign senior management to the role of supporting Quality Management. CC ID 13692 Human Resources management Human Resources Management
    Assign senior management to the role of authorizing official. CC ID 14238 Human Resources management Establish Roles
    Assign members who are independent from management to the Board of Directors. CC ID 12395 Human Resources management Human Resources Management
    Assign ownership of risks to the Board of Directors or senior management. CC ID 13662
    [Board members should have appropriate knowledge of risks to provide a credible challenge to management responsible for development, acquisition, and maintenance functions. II.B.1 ¶ 1 Bullet 1 Sub-Paragraph 1
    {high risk} When evaluating whether to enter into a relationship with a third party, an entity's management typically determines whether a written contract is needed; and, if the proposed contract can meet the entity's business goals and risk management needs, then entity management typically negotiates appropriate contract provisions for development, acquisition, and maintenance activities. In certain circumstances, it may be advantageous to negotiate initial development, acquisition, and maintenance contracts with other organizations (e.g., banking associations or user groups). As part of its oversight responsibilities, the board should be aware of—and, as appropriate, may approve or delegate approval of—contracts involving higher-risk development, acquisition, and maintenance activities. Refer to the Interagency Guidance on Third-Party Relationships: Risk Management and FFIEC IT Handbook's "Outsourcing Technology Services" booklet for more information on contract negotiation concepts. IV.P.3 ¶ 1
    {be effective} Development is the systematic application of knowledge toward the production of useful materials, devices, and systems. In this context, it involves the processes of defining, designing, developing, testing, and implementing systems or components. Development includes validation and demonstration of a chosen technology, use of test and production environments, improvement of developed prototypes, integration into systems and subsystems, and hardware builds. Understanding development concepts is important to all entities whether development is performed in-house or by a third party on the entity's behalf. Additionally, development can be a complex topic, which requires the entity's board, senior management, and business line management to understand risks and communicate effectively. For entities that develop or modify their own systems and software, effective management requires training in secure design and coding techniques of those responsible for development. If formal standards are not in place and development processes are not controlled, the following can occur, affecting confidentiality, integrity, availability, and resilience: V ¶ 1]
    Human Resources management Human Resources Management
    Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 Human Resources management Human Resources Management
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809
    [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1
    IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2]
    Human Resources management Establish Roles
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764
    [Examiners should review the following: Charters (e.g., board, management, or committee), organizational charts, relevant documentation, and practices to determine whether appropriate roles and responsibilities are identified and assigned with suitable decision-making authority. II Action Summary ¶ 2 Bullet 2]
    Human Resources management Establish Roles
    Delegate authority for specific processes, as necessary. CC ID 06780 Human Resources management Behavior
    Implement a staff rotation plan. CC ID 12772 Human Resources management Human Resources Management
    Rotate duties amongst the critical roles and positions. CC ID 06554 Human Resources management Establish Roles
    Place Information Technology operations in a position to support the business model. CC ID 00766 Human Resources management Business Processes
    Review organizational personnel successes. CC ID 00767 Human Resources management Business Processes
    Implement personnel supervisory practices. CC ID 00773 Human Resources management Behavior
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960
    [{be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1]
    Human Resources management Technical Security
Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in-scope staff. CC ID 00779 Human Resources management Behavior
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1
    The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1]
    Operational management Establish/Maintain Documentation
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 Operational management Behavior
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Operational management Establish/Maintain Documentation
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 Operational management Acquisition/Sale of Assets or Services
    Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 Operational management Establish/Maintain Documentation
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 Operational management Process or Activity
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 Operational management Process or Activity
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 Operational management Audits and Risk Management
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 Operational management Human Resources Management
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Operational management Human Resources Management
    Establish, implement, and maintain a compliance policy. CC ID 14807 Operational management Establish/Maintain Documentation
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813 Operational management Establish/Maintain Documentation
    Include the scope in the compliance policy. CC ID 14812 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the compliance policy. CC ID 14811 Operational management Establish/Maintain Documentation
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Operational management Establish/Maintain Documentation
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Operational management Communicate
    Include management commitment in the compliance policy. CC ID 14808 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a governance policy. CC ID 15587 Operational management Establish/Maintain Documentation
    Conduct governance meetings, as necessary. CC ID 16946 Operational management Process or Activity
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 Operational management Communicate
    Include governance threshold requirements in the governance policy. CC ID 16933 Operational management Establish/Maintain Documentation
    Include a commitment to continuous improvement in the governance policy. CC ID 15595 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the governance policy. CC ID 15594 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a positive information control environment. CC ID 00813 Operational management Business Processes
    Make compliance and governance decisions in a timely manner. CC ID 06490 Operational management Behavior
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [Examiners should review the following: Security controls (e.g., secure coding requirements and baseline configuration use) used to harden systems and components. IV Action Summary ¶ 2 Bullet 2
Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle helps control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1
    Management should maintain testing policies, standards, procedures, as well as other process controls that are effectively used to mitigate risks in internally and externally developed systems and components. V.B Action Summary ¶ 1]
    Operational management Establish/Maintain Documentation
    Define the scope for the internal control framework. CC ID 16325 Operational management Business Processes
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Operational management Establish Roles
    Assign resources to implement the internal control framework. CC ID 00816
    [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2]
    Operational management Business Processes
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Operational management Establish Roles
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Operational management Business Processes
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Operational management Establish/Maintain Documentation
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Operational management Establish/Maintain Documentation
    Leverage actionable information to support internal controls. CC ID 12414 Operational management Business Processes
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 Operational management Establish/Maintain Documentation
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Operational management Establish/Maintain Documentation
    Include cloud services in the internal control framework. CC ID 17262 Operational management Establish/Maintain Documentation
    Include cloud security controls in the internal control framework. CC ID 17264 Operational management Establish/Maintain Documentation
    Include threat assessment in the internal control framework. CC ID 01347 Operational management Establish/Maintain Documentation
    Automate threat assessments, as necessary. CC ID 06877 Operational management Configuration
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Operational management Establish/Maintain Documentation
    Automate vulnerability management, as necessary. CC ID 11730 Operational management Configuration
    Include personnel security procedures in the internal control framework. CC ID 01349 Operational management Establish/Maintain Documentation
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Operational management Establish/Maintain Documentation
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Operational management Establish/Maintain Documentation
    Include security information sharing procedures in the internal control framework. CC ID 06489 Operational management Establish/Maintain Documentation
    Share security information with interested personnel and affected parties. CC ID 11732 Operational management Communicate
    Evaluate information sharing partners, as necessary. CC ID 12749 Operational management Process or Activity
    Include security incident response procedures in the internal control framework. CC ID 01359 Operational management Establish/Maintain Documentation
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Operational management Establish/Maintain Documentation
    Include continuous user account management procedures in the internal control framework. CC ID 01360 Operational management Establish/Maintain Documentation
    Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 Operational management Process or Activity
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Operational management Establish/Maintain Documentation
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Operational management Communicate
    Establish, implement, and maintain a cybersecurity framework. CC ID 17276 Operational management Establish/Maintain Documentation
    Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 Operational management Establish/Maintain Documentation
    Include protection measures in the cybersecurity framework. CC ID 17278 Operational management Establish/Maintain Documentation
    Include the scope in the cybersecurity framework. CC ID 17277 Operational management Establish/Maintain Documentation
    Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 Operational management Communicate
    Establish, implement, and maintain a cybersecurity policy. CC ID 16833 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an information security program. CC ID 00812
    [Chief information security officer (CISO): The CISO typically develops enterprise-wide cybersecurity and information security policies and standards, including procedures promoting secure development, acquisition, and maintenance practices, and provides input for the consideration and inclusion of security and resilience in IT projects. The CISO is responsible for validating that security and resilience are maintained throughout the life of a project, system, or component. II.B.1 ¶ 1 Bullet 4]
    Operational management Establish/Maintain Documentation
    Include physical safeguards in the information security program. CC ID 12375 Operational management Establish/Maintain Documentation
    Include technical safeguards in the information security program. CC ID 12374 Operational management Establish/Maintain Documentation
    Include administrative safeguards in the information security program. CC ID 12373 Operational management Establish/Maintain Documentation
    Include system development in the information security program. CC ID 12389 Operational management Establish/Maintain Documentation
    Include system maintenance in the information security program. CC ID 12388 Operational management Establish/Maintain Documentation
    Include system acquisition in the information security program. CC ID 12387 Operational management Establish/Maintain Documentation
    Include access control in the information security program. CC ID 12386 Operational management Establish/Maintain Documentation
    Include operations management in the information security program. CC ID 12385 Operational management Establish/Maintain Documentation
    Include communication management in the information security program. CC ID 12384 Operational management Establish/Maintain Documentation
    Include environmental security in the information security program. CC ID 12383 Operational management Establish/Maintain Documentation
    Include physical security in the information security program. CC ID 12382 Operational management Establish/Maintain Documentation
    Include human resources security in the information security program. CC ID 12381 Operational management Establish/Maintain Documentation
    Include asset management in the information security program. CC ID 12380 Operational management Establish/Maintain Documentation
    Include a continuous monitoring program in the information security program. CC ID 14323 Operational management Establish/Maintain Documentation
    Include change management procedures in the continuous monitoring plan. CC ID 16227 Operational management Establish/Maintain Documentation
Include recovery procedures in the continuous monitoring plan. CC ID 16226 Operational management Establish/Maintain Documentation
    Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 Operational management Establish/Maintain Documentation
    Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 Operational management Establish/Maintain Documentation
    Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 Operational management Communicate
    Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 Operational management Communicate
    Include how the information security department is organized in the information security program. CC ID 12379 Operational management Establish/Maintain Documentation
    Include risk management in the information security program. CC ID 12378 Operational management Establish/Maintain Documentation
    Include mitigating supply chain risks in the information security program. CC ID 13352 Operational management Establish/Maintain Documentation
    Provide management direction and support for the information security program. CC ID 11999 Operational management Process or Activity
    Monitor and review the effectiveness of the information security program. CC ID 12744 Operational management Monitor and Evaluate Occurrences
    Establish, implement, and maintain an information security policy. CC ID 11740 Operational management Establish/Maintain Documentation
    Align the information security policy with the organization's risk acceptance level. CC ID 13042 Operational management Business Processes
    Include data localization requirements in the information security policy. CC ID 16932 Operational management Establish/Maintain Documentation
    Include business processes in the information security policy. CC ID 16326 Operational management Establish/Maintain Documentation
    Include the information security strategy in the information security policy. CC ID 16125 Operational management Establish/Maintain Documentation
    Include a commitment to continuous improvement in the information security policy. CC ID 16123 Operational management Establish/Maintain Documentation
    Include roles and responsibilities in the information security policy. CC ID 16120 Operational management Establish/Maintain Documentation
    Include a commitment to the information security requirements in the information security policy. CC ID 13496 Operational management Establish/Maintain Documentation
    Include information security objectives in the information security policy. CC ID 13493 Operational management Establish/Maintain Documentation
    Include the use of Cloud Services in the information security policy. CC ID 13146 Operational management Establish/Maintain Documentation
    Include notification procedures in the information security policy. CC ID 16842 Operational management Establish/Maintain Documentation
    Approve the information security policy at the organization's management level or higher. CC ID 11737 Operational management Process or Activity
    Establish, implement, and maintain information security procedures. CC ID 12006 Operational management Business Processes
    Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 Operational management Establish/Maintain Documentation
    Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 Operational management Communicate
    Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 Operational management Establish/Maintain Documentation
    Define thresholds for approving information security activities in the information security program. CC ID 15702 Operational management Process or Activity
    Assign ownership of the information security program to the appropriate role. CC ID 00814 Operational management Establish Roles
    Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 Operational management Human Resources Management
    Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 Operational management Establish/Maintain Documentation
    Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 Operational management Human Resources Management
    Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 Operational management Communicate
    Establish, implement, and maintain a social media governance program. CC ID 06536 Operational management Establish/Maintain Documentation
    Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 Operational management Business Processes
    Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 Operational management Business Processes
    Refrain from accepting instant messages from unknown senders. CC ID 12537 Operational management Behavior
    Require social media users to clarify that their communications do not represent the organization. CC ID 17046 Operational management Communicate
    Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 Operational management Communicate
    Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 Operational management Establish/Maintain Documentation
    Include explicit restrictions in the social media acceptable use policy. CC ID 06655 Operational management Establish/Maintain Documentation
    Include contributive content sites in the social media acceptable use policy. CC ID 06656 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain operational control procedures. CC ID 00831
    [Chief information officer (CIO): The CIO leads day-to-day IT system and component development, acquisition, and maintenance in accordance with the entity's policies and business strategy. Prudent practices include the CIO consulting with the entity's risk management function and legal counsel to ensure that development, acquisition, and maintenance decisions are consistent with sound risk management principles and applicable laws and regulations. Additionally, the CIO facilitates the integration of any new projects, systems, and components into the entity's operations to ensure that they align with strategic objectives and IT strategies. The CIO helps determine the feasibility of proposed projects or changes. II.B.1 ¶ 1 Bullet 3
Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle helps control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1]
    Operational management Establish/Maintain Documentation
    Define the nomenclature requirements in the operating instructions. CC ID 17112 Operational management Establish/Maintain Documentation
    Define the situations that require time information in the operating instructions. CC ID 17111 Operational management Establish/Maintain Documentation
    Implement alternative actions for oral communications not received or understood. CC ID 17122 Operational management Communicate
    Reissue operating instructions, as necessary. CC ID 17121 Operational management Communicate
    Include congestion management actions in the operational control procedures. CC ID 17135 Operational management Establish/Maintain Documentation
    Update the congestion management actions in a timely manner. CC ID 17145 Operational management Establish/Maintain Documentation
    Coordinate alternate congestion management actions with affected parties. CC ID 17136 Operational management Process or Activity
    Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 Operational management Process or Activity
    Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 Operational management Establish/Maintain Documentation
    Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 Operational management Communicate
    Include continuous monitoring in the operational control procedures. CC ID 17137 Operational management Establish/Maintain Documentation
    Repeat operating instructions received by oral communications to the issuer. CC ID 17119 Operational management Communicate
    Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 Operational management Establish/Maintain Documentation
    Coordinate the transmission of electricity between affected parties. CC ID 17114 Operational management Business Processes
    Include assigning and approving operations in operational control procedures. CC ID 06382 Operational management Establish/Maintain Documentation
    Include coordination amongst entities in the operational control procedures. CC ID 17147 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an outage coordination process. CC ID 17161 Operational management Process or Activity
    Coordinate outages with affected parties. CC ID 17160 Operational management Process or Activity
    Coordinate energy resource management with affected parties. CC ID 17150 Operational management Process or Activity
    Coordinate the control of voltage with affected parties. CC ID 17149 Operational management Process or Activity
    Coordinate energy shortages with affected parties. CC ID 17148 Operational management Process or Activity
    Include roles and responsibilities in the operational control procedures. CC ID 17159
    [Management is responsible for operations and maintenance phase task performance regardless of whether tasks are performed by entity or third-party personnel. For more information, refer to the FFIEC IT Handbook's "Outsourcing Technology Services," "Business Continuity Management," "Architecture, Infrastructure, and Operations," and "Information Security" booklets. IV.O.1(d) ¶ 5]
    Operational management Establish/Maintain Documentation
    Include startup processes in operational control procedures. CC ID 00833 Operational management Establish/Maintain Documentation
    Include alternative actions in the operational control procedures. CC ID 17096 Operational management Establish/Maintain Documentation
    Include change control processes in the operational control procedures. CC ID 16793 Operational management Establish/Maintain Documentation
    Approve or deny requests in a timely manner. CC ID 17095 Operational management Process or Activity
    Comply with requests from relevant parties unless justified in not complying. CC ID 17094 Operational management Business Processes
    Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 Operational management Communicate
    Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 Operational management Communicate
    Establish and maintain a data processing run manual. CC ID 00832 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 Operational management Establish/Maintain Documentation
    Use systems in accordance with the standard operating procedures manual. CC ID 15049 Operational management Process or Activity
    Include system use information in the standard operating procedures manual. CC ID 17240 Operational management Establish/Maintain Documentation
    Include metrics in the standard operating procedures manual. CC ID 14988 Operational management Establish/Maintain Documentation
    Include maintenance measures in the standard operating procedures manual. CC ID 14986 Operational management Establish/Maintain Documentation
    Include logging procedures in the standard operating procedures manual. CC ID 17214 Operational management Establish/Maintain Documentation
    Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 Operational management Establish/Maintain Documentation
    Include resources in the standard operating procedures manual. CC ID 17212 Operational management Establish/Maintain Documentation
    Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 Operational management Establish/Maintain Documentation
    Include human oversight measures in the standard operating procedures manual. CC ID 17213 Operational management Establish/Maintain Documentation
    Include predetermined changes in the standard operating procedures manual. CC ID 14977 Operational management Establish/Maintain Documentation
    Include specifications for input data in the standard operating procedures manual. CC ID 14975 Operational management Establish/Maintain Documentation
    Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 Operational management Establish/Maintain Documentation
    Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 Operational management Establish/Maintain Documentation
    Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 Operational management Establish/Maintain Documentation
    Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 Operational management Business Processes
    Include the intended purpose in the standard operating procedures manual. CC ID 14967 Operational management Establish/Maintain Documentation
    Include information on system performance in the standard operating procedures manual. CC ID 14965 Operational management Establish/Maintain Documentation
    Include contact details in the standard operating procedures manual. CC ID 14962 Operational management Establish/Maintain Documentation
    Include information sharing procedures in standard operating procedures. CC ID 12974
    [FOSS is typically acquired and used in an as-is manner. An entity may not be aware of the developer(s) in public domain FOSS. There may or may not be updates made available for the software, and changes made to the software may be made by other individuals besides the developer. Risks associated with FOSS include the potential for unidentified or unpatched vulnerabilities and development changes by unknown parties. An accurate inventory of FOSS should be maintained as part of an effective ITAM process, and management should understand and abide by the requirements of FOSS licenses. Additionally, some licenses require users to contribute software additions or enhancements, or they may prohibit the use for commercial purpose or profit. Management should be aware of what information is shared when contributing an enhancement to the FOSS development community. IV.C.1(a) ¶ 2]
    Operational management Records Management
    Establish, implement, and maintain information sharing agreements. CC ID 15645
    [Agreements should address risks, including the following: Information sharing (e.g., collection, analysis, and distribution) of threat intelligence, incidents, and other key risk indicators throughout the supply chain. The intelligence gathered enables management to proactively identify and respond to threats in the entity's supply chain. Therefore, management should consider information-sharing clauses in agreements and contracts. IV.Q.1 ¶ 4 Bullet 11 Sub-Bullet 5]
    Operational management Business Processes
    Provide support for information sharing activities. CC ID 15644 Operational management Process or Activity
    Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 Operational management Communicate
    Establish, implement, and maintain a job scheduling methodology. CC ID 00834 Operational management Establish/Maintain Documentation
    Establish and maintain a job schedule exceptions list. CC ID 00835 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a data processing continuity plan. CC ID 00836 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 Operational management Establish/Maintain Documentation
    Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 Operational management Establish/Maintain Documentation
    Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 Operational management Establish/Maintain Documentation
    Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 Operational management Establish/Maintain Documentation
    Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 Operational management Establish/Maintain Documentation
    Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 Operational management Establish/Maintain Documentation
    Include a web usage policy in the Acceptable Use Policy. CC ID 16496 Operational management Establish/Maintain Documentation
    Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 Operational management Establish/Maintain Documentation
    Include asset tags in the Acceptable Use Policy. CC ID 01354 Operational management Establish/Maintain Documentation
    Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 Operational management Establish/Maintain Documentation
    Include asset use policies in the Acceptable Use Policy. CC ID 01355 Operational management Establish/Maintain Documentation
    Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 Operational management Establish/Maintain Documentation
    Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 Operational management Establish/Maintain Documentation
    Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 Operational management Technical Security
    Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 Operational management Establish/Maintain Documentation
    Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 Operational management Data and Information Management
    Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 Operational management Establish/Maintain Documentation
    Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 Operational management Establish/Maintain Documentation
    Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 Operational management Establish/Maintain Documentation
    Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 Operational management Establish/Maintain Documentation
    Include usage restrictions in the Acceptable Use Policy. CC ID 15311 Operational management Establish/Maintain Documentation
    Include a software installation policy in the Acceptable Use Policy. CC ID 06749 Operational management Establish/Maintain Documentation
    Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 Operational management Establish/Maintain Documentation
    Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 Operational management Communicate
    Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 Operational management Business Processes
    Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512
    [SBOMs typically do not identify intellectual property, patents, algorithms, or code; if they do, management should implement appropriate security for this proprietary information. IV.Q.2 ¶ 4]
    Operational management Establish/Maintain Documentation
    Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 Operational management Establish/Maintain Documentation
    Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 Operational management Establish/Maintain Documentation
    Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 Operational management Establish/Maintain Documentation
    Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 Operational management Communicate
    Establish, implement, and maintain an e-mail policy. CC ID 06439 Operational management Establish/Maintain Documentation
    Validate recipients prior to sending electronic messages. CC ID 16981 Operational management Business Processes
    Establish, implement, and maintain a Global Address List. CC ID 16934 Operational management Data and Information Management
    Include roles and responsibilities in the e-mail policy. CC ID 17040 Operational management Establish/Maintain Documentation
    Include content requirements in the e-mail policy. CC ID 17041 Operational management Establish/Maintain Documentation
    Include the personal use of business e-mail in the e-mail policy. CC ID 17037 Operational management Establish/Maintain Documentation
    Include usage restrictions in the e-mail policy. CC ID 17039 Operational management Establish/Maintain Documentation
    Include business use of personal e-mail in the e-mail policy. CC ID 14381 Operational management Establish/Maintain Documentation
    Include message format requirements in the e-mail policy. CC ID 17038 Operational management Establish/Maintain Documentation
    Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 Operational management Establish/Maintain Documentation
    Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 Operational management Communicate
    Identify the sender in all electronic messages. CC ID 13996 Operational management Data and Information Management
    Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain nondisclosure agreements. CC ID 04536 Operational management Establish/Maintain Documentation
    Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 Operational management Communicate
    Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 Operational management Establish/Maintain Documentation
    Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 Operational management Establish/Maintain Documentation
    Establish, implement, and maintain a use of information agreement. CC ID 06215 Operational management Establish/Maintain Documentation
    Include use limitations in the use of information agreement. CC ID 06244 Operational management Establish/Maintain Documentation
    Include disclosure requirements in the use of information agreement. CC ID 11735 Operational management Establish/Maintain Documentation
    Include information recipients in the use of information agreement. CC ID 06245 Operational management Establish/Maintain Documentation
    Include reporting out of scope use of information in the use of information agreement. CC ID 06246 Operational management Establish/Maintain Documentation
    Include disclosure of information in the use of information agreement. CC ID 11830 Operational management Establish/Maintain Documentation
    Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 Operational management Establish/Maintain Documentation
    Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 Operational management Establish/Maintain Documentation
    Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 Operational management Establish/Maintain Documentation
    Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 Operational management Establish/Maintain Documentation
    Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 Operational management Business Processes
    Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 Operational management Process or Activity
    Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 Operational management Process or Activity
    Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 Operational management Process or Activity
    Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 Operational management Process or Activity
    Analyze the Governance, Risk, and Compliance approach. CC ID 12816 Operational management Process or Activity
    Analyze the organizational culture. CC ID 12899 Operational management Process or Activity
    Include employee engagement in the analysis of the organizational culture. CC ID 12914 Operational management Behavior
    Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 Operational management Business Processes
    Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 Operational management Business Processes
    Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 Operational management Business Processes
    Include skill development in the analysis of the organizational culture. CC ID 12913 Operational management Behavior
    Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 Operational management Behavior
    Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 Operational management Business Processes
    Include employee loyalty in the analysis of the organizational culture. CC ID 12911 Operational management Behavior
    Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 Operational management Behavior
    Comply with all implemented policies in the organization's compliance framework. CC ID 06384 Operational management Establish/Maintain Documentation
    Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 Operational management Communicate
    Review systems for compliance with organizational information security policies. CC ID 12004 Operational management Business Processes
    Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 Operational management Behavior
    Initiate the System Development Life Cycle planning phase. CC ID 06266 Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain a system design project management framework. CC ID 00990 Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain project management standards. CC ID 00992
    [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1
    Examiners should review the following: Process of selecting and implementing methodologies to enable effective management and control of development, acquisition, or maintenance projects and alignment with entity objectives. IV Action Summary ¶ 2 Bullet 6
    Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    Evaluating the application of project management policy, standards, and procedures. IV.N.2 ¶ 2 Bullet 4]
    Systems design, build, and implementation Establish/Maintain Documentation
    Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 Systems design, build, and implementation Systems Design, Build, and Implementation
    Include objectives in the project management standard. CC ID 17202
    [The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2]
    Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a project program documentation standard. CC ID 00995
    [{be comprehensive} Verifying that the project plan and associated project documents are appropriate, comprehensive, and approved. IV.N.2 ¶ 3 Bullet 4
    Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2
    An agile methodology may create unique challenges in documentation of development; therefore, the entity's documentation requirements should be clearly defined in the entity's project management requirements. Effective documentation relies on real-time communication between the development team and stakeholders, including end users. In any methodology, a lack of clarity or poor communication can negatively affect project deliverables and timelines (e.g., delays, scope creep, costs, and quality). This may have increased significance in an agile methodology because multiple parts of the overall project in process may be affected, leading to a greater impact than if only one segment of a project in process is affected. IV.J.2 ¶ 7
    Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6
    Development standards should articulate the entity's minimum development requirements. For example, development standards may address the selection of programming styles, languages, and tools; layout or format of scripted code; naming conventions; and program library requirements. Effective management communicates in policy its reasons for using specific programming styles and languages on a project or service in project documentation. This is done to identify decisions made by management so developers can understand the reasons certain programming styles and languages were used and whether they remain appropriate for current functionality and stakeholder needs. Examples are included in table 3. V.A ¶ 2]
    Systems design, build, and implementation Establish/Maintain Documentation
    Include budgeting for projects in the project management standard. CC ID 13136
    [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1
    Generally, IT project plans consider the following: Task budgets. IV.N.3(d) ¶ 1 Bullet 7]
    Systems design, build, and implementation Establish/Maintain Documentation
    Include time requirements in the project management standard. CC ID 17199
    [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1]
    Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain project management procedures. CC ID 17200
    [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3
    A methodology is used to facilitate the development, acquisition, or maintenance of a system or component project. Management should establish appropriate methodologies to enable effective management and control of system and component development, acquisition, and maintenance activities. Management can apply various methodologies, or a hybrid, to different projects based on stakeholder needs and project objectives. Methodologies can be a combination of strategies, design philosophies, and accepted practices designed as a structured, organized set of rules that allow a project team to work together effectively. If the entity employs multiple methodologies, the chosen methodology should be defined for each IT project. IV.J ¶ 1]
    Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain integrated project plans. CC ID 01056
    [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
    During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1
    Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1]
    Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a project control program. CC ID 01612
    [An effective audit function provides independent, objective validation of controls and statements of assurance on the effectiveness of an entity's development, acquisition, and maintenance activities. Although auditors should not have any direct involvement in management decisions, they should raise objections if they believe the control environment is inadequate. Auditors may plan for their advisory capacity in development, acquisition, and maintenance activities by developing an understanding of the proposed system or changes. Auditors may require specialized knowledge of IT to advise on or review these activities. They should validate schedule adherence and management. Auditors should determine the effectiveness of controls in the entity's development, acquisition, and maintenance activities and recommend appropriate mitigation. They may communicate with developers regarding appropriate control standards and frameworks throughout IT projects. II.B.9 ¶ 1
    Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling help management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1]
    Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a project test plan. CC ID 01001
    [Strong testing and other QC procedures can mitigate the risk that the entity's project goals and stakeholder requirements are not met during the execution phase. Testing helps find deficiencies or defects and helps ensure that the system or components operate as intended. Depending on the project type, testing may be scheduled throughout the project during any phase. For example, testing may not always occur during every sprint when using an agile development methodology. Users, designers, developers, and IT staff may be involved in testing. Throughout the testing process, management should maintain comprehensive and accurate documentation reflecting the testing methodology employed, tests performed, and test results. IV.N.1(c) ¶ 3]
    Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a project team plan. CC ID 06533
    [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
    The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2
    In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
    Meeting regularly with the project team to track progress, address impediments or issues, and track task and milestone completion. IV.N.2 ¶ 4 Bullet 1
    Generally, IT project plans consider the following: Roles and responsibilities. IV.N.3(d) ¶ 1 Bullet 2]
    Systems design, build, and implementation Establish/Maintain Documentation
    Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731
    Systems design, build, and implementation Establish/Maintain Documentation
    Establish, implement, and maintain a project management training plan. CC ID 01002
    Systems design, build, and implementation Establish/Maintain Documentation
    Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267
    Systems design, build, and implementation Systems Design, Build, and Implementation
    Establish, implement, and maintain system testing procedures. CC ID 11744
    [To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4
    Testing is essential to the development process to promote confidentiality, integrity, availability, and resilience. Whether developed internally or by a third party, appropriate personnel should test systems and components to identify and correct defects before deployment, including security-related defects. V.B ¶ 1
    Testing should be sufficient to confirm that systems and components meet the entity's architectural, functional, information security, and legal/regulatory requirements. To help mitigate the risk that an integration point contains an undiscovered defect, entities test the system or component being developed, including how well that system or component interoperates with other systems and components. This scope is commonly achieved through a combination of code-level, system-level, and code vulnerability testing. V.B ¶ 2
    Due to supply chain risk in development, for both in-house and supply chain partners, it is important to consider using the following standards and controls when developing information systems and components: Design relevant validation mechanisms to be used during implementation and operation. V.A ¶ 5 Bullet 3]
    Systems design, build, and implementation Establish/Maintain Documentation