0003980
FFIEC Information Technology Examination Handbook - Development, Acquisition, and Maintenance, August 2024
US Federal Financial Institutions Examination Council (FFIEC)
Audit Guideline
Free
FFIEC IT Examination Handbook - Development, Acquisition, and Maintenance, August 2024
FFIEC Information Technology Examination Handbook - Development, Acquisition, and Maintenance
2024-08-29
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, by virtue of those Citations and mandates being tied to Common Controls, there are three sets of metadata associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within FFIEC Information Technology Examination Handbook - Development, Acquisition, and Maintenance, August 2024 that has been tagged with its primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for FFIEC Information Technology Examination Handbook - Development, Acquisition, and Maintenance, August 2024 are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain an audit program. CC ID 00684 | Establish/Maintain Documentation | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 | Establish/Maintain Documentation | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and Risk Management | Preventive | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and Risk Management | Detective | |
Review past audit reports. CC ID 01155 [Examiners should review the following: Project audit reports to determine whether the audit function provides independent, objective assurance of the effectiveness of an entity's development, acquisition, and maintenance activities. II Action Summary ¶ 2 Bullet 4 Examiners should review the following: Acquisition and procurement-related audits. VI Action Summary ¶ 2 Bullet 6] | Establish/Maintain Documentation | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 [Review past reports for outstanding issues or previous problems. Consider the following: Regulatory reports of examination. App A Objective 1:1a] | Establish/Maintain Documentation | Detective | |
Review the issues of non-compliance from past audit reports. CC ID 01148 [Review management's response to issues raised during, or since, the last examination. Consider the following: Existence of any outstanding issues. App A Objective 1:2c] | Establish/Maintain Documentation | Detective | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Establish/Maintain Documentation | Corrective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [Review management's response to issues raised during, or since, the last examination. Consider the following: Resolution of root causes rather than just specific issues. App A Objective 1:2b {corrective action} Review management's response to issues raised during, or since, the last examination. Consider the following: Whether management has taken positive action toward correcting exceptions reported in audit and examination reports. App A Objective 1:2d] | Audits and Risk Management | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Establish Roles | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1 Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1 The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1] | Establish Roles | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources Management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Establish/Maintain Documentation | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Establish/Maintain Documentation | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources Management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [Board members should have appropriate knowledge of risks to provide a credible challenge to management responsible for development, acquisition, and maintenance functions. II.B.1 ¶ 1 Bullet 1 Sub-Paragraph 1 {high risk} When evaluating whether to enter into a relationship with a third party, an entity's management typically determines whether a written contract is needed; and, if the proposed contract can meet the entity's business goals and risk management needs, then entity management typically negotiates appropriate contract provisions for development, acquisition, and maintenance activities. In certain circumstances, it may be advantageous to negotiate initial development, acquisition, and maintenance contracts with other organizations (e.g., banking associations or user groups). As part of its oversight responsibilities, the board should be aware of—and, as appropriate, may approve or delegate approval of—contracts involving higher-risk development, acquisition, and maintenance activities. Refer to the Interagency Guidance on Third-Party Relationships: Risk Management and FFIEC IT Handbook's "Outsourcing Technology Services" booklet for more information on contract negotiation concepts. IV.P.3 ¶ 1 {be effective} Development is the systematic application of knowledge toward the production of useful materials, devices, and systems. In this context, it involves the processes of defining, designing, developing, testing, and implementing systems or components. Development includes validation and demonstration of a chosen technology, use of test and production environments, improvement of developed prototypes, integration into systems and subsystems, and hardware builds. Understanding development concepts is important to all entities whether development is performed in-house or by a third party on the entity's behalf. Additionally, development can be a complex topic, which requires the entity's board, senior management, and business line management to understand risks and communicate effectively. For entities that develop or modify their own systems and software, effective management requires training in secure design and coding techniques of those responsible for development. If formal standards are not in place and development processes are not controlled, the following can occur, affecting confidentiality, integrity, availability, and resilience: V ¶ 1] | Human Resources Management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1 IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2] | Establish Roles | Preventive | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 [Examiners should review the following: Charters (e.g., board, management, or committee), organizational charts, relevant documentation, and practices to determine whether appropriate roles and responsibilities are identified and assigned with suitable decision-making authority. II Action Summary ¶ 2 Bullet 2] | Establish Roles | Preventive | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 | Establish Roles | Detective | |
Assign and staff all roles appropriately. CC ID 00784 | Testing | Detective | |
Delegate authority for specific processes, as necessary. CC ID 06780 | Behavior | Preventive | |
Implement a staff rotation plan. CC ID 12772 | Human Resources Management | Preventive | |
Rotate duties amongst the critical roles and positions. CC ID 06554 | Establish Roles | Preventive | |
Place Information Technology operations in a position to support the business model. CC ID 00766 | Business Processes | Preventive | |
Review organizational personnel successes. CC ID 00767 | Business Processes | Preventive | |
Implement personnel supervisory practices. CC ID 00773 | Behavior | Preventive | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2 Examiners should review the following: Segregation of duties in development, acquisition, and maintenance activities. IV Action Summary ¶ 2 Bullet 5 Independence: Quality management personnel should be independent of the project they are reviewing to objectively assess elements, such as progress, problem resolution, documentation, and adequacy of the project. IV.K ¶ 3 Bullet 7 {be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1] | Testing | Detective | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 [{be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1] | Technical Security | Preventive | |
Evaluate the staffing requirements regularly. CC ID 00775 | Business Processes | Detective | |
Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779 | Behavior | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Analyze organizational objectives, functions, and activities. CC ID 00598 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Monitor and Evaluate Occurrences | Preventive | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Establish/Maintain Documentation | Preventive | |
Analyze the business environment in which the organization operates. CC ID 12798 [Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2] | Business Processes | Preventive | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Process or Activity | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Process or Activity | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Process or Activity | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Process or Activity | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Process or Activity | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Process or Activity | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Process or Activity | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Process or Activity | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Process or Activity | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Business Processes | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Communicate | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 | Business Processes | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Process or Activity | Preventive | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Monitor and Evaluate Occurrences | Preventive | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 | Business Processes | Preventive | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Monitor and Evaluate Occurrences | Preventive | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Business Processes | Preventive | |
Include society in the analysis of the external environment. CC ID 12963 | Business Processes | Preventive | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Business Processes | Preventive | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Business Processes | Preventive | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Business Processes | Preventive | |
Include threats in the analysis of the external environment. CC ID 12898 | Business Processes | Preventive | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Business Processes | Preventive | |
Include legal requirements in the analysis of the external environment. CC ID 12896 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Business Processes | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 | Business Processes | Preventive | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Business Processes | Preventive | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Business Processes | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Establish/Maintain Documentation | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Process or Activity | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Process or Activity | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Process or Activity | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Business Processes | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Business Processes | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Business Processes | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Business Processes | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Communicate | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Establish/Maintain Documentation | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Establish/Maintain Documentation | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Establish/Maintain Documentation | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Establish/Maintain Documentation | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Establish/Maintain Documentation | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Establish/Maintain Documentation | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Establish/Maintain Documentation | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Establish/Maintain Documentation | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Communicate | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Communicate | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Establish/Maintain Documentation | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Business Processes | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Process or Activity | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Process or Activity | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Business Processes | Preventive | |
Identify all interested personnel and affected parties. CC ID 12845 [The project's initiation phase begins with identifying stakeholders who determine the project's purpose, scope, and final deliverables. The following would typically be completed during this phase: IV.N.1(a) ¶ 1 {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1] | Process or Activity | Detective | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Process or Activity | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2 Validating stakeholder support and engagement. IV.N.2 ¶ 3 Bullet 3] | Business Processes | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [Examiners should review the following: Inventory of all systems and components (e.g., open-source, proprietary, application programming interfaces [API], and container images and registries), including related licenses, and data as part of IT asset management (ITAM). IV Action Summary ¶ 2 Bullet 3 A distributed service registry should be deployed for large microservices applications, and data consistency should be maintained among multiple service registry instances. IV.G ¶ 6 Bullet 7] | Establish/Maintain Documentation | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Establish/Maintain Documentation | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Establish/Maintain Documentation | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Establish/Maintain Documentation | Preventive | |
Include the data source in the data governance and management practices. CC ID 17211 | Data and Information Management | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Establish/Maintain Documentation | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Establish/Maintain Documentation | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Establish/Maintain Documentation | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Establish/Maintain Documentation | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Establish/Maintain Documentation | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Establish/Maintain Documentation | Preventive | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Data and Information Management | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Data and Information Management | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Data and Information Management | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Data and Information Management | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Data and Information Management | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Data and Information Management | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Data and Information Management | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Data and Information Management | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Data and Information Management | Preventive | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Establish/Maintain Documentation | Preventive | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Data and Information Management | Preventive | |
Approve the data classification scheme. CC ID 13858 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Communicate | Preventive | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Establish/Maintain Documentation | Preventive | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Establish/Maintain Documentation | Preventive | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Establish/Maintain Documentation | Preventive | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Establish/Maintain Documentation | Preventive | |
Include format requirements for data elements in the data dictionary. CC ID 17108 | Data and Information Management | Preventive | |
Include notification requirements for data elements in the data dictionary. CC ID 17107 | Data and Information Management | Preventive | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Investigate | Detective | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Establish/Maintain Documentation | Preventive | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Establish/Maintain Documentation | Preventive | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Establish/Maintain Documentation | Preventive | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Establish/Maintain Documentation | Preventive | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Establish/Maintain Documentation | Preventive | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Establish/Maintain Documentation | Preventive | |
Include the data source in the data dictionary. CC ID 13519 | Establish/Maintain Documentation | Preventive | |
Include the nature of each element in the data dictionary. CC ID 13518 | Establish/Maintain Documentation | Preventive | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Communicate | Preventive | |
Establish, implement, and maintain data reconciliation procedures. CC ID 17118 | Data and Information Management | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Establish/Maintain Documentation | Preventive | |
Involve all stakeholders in the architecture review process. CC ID 16935 | Process or Activity | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Establish/Maintain Documentation | Preventive | |
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Behavior | Preventive | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Establish/Maintain Documentation | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Monitor and Evaluate Occurrences | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Monitor and Evaluate Occurrences | Detective | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Technical Security | Detective | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Communicate | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Communicate | Corrective | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Establish/Maintain Documentation | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Establish/Maintain Documentation | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Establish/Maintain Documentation | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Establish/Maintain Documentation | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Communicate | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Communicate | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 [Scalability: Projects vary in size and complexity. Quality management standards should match project characteristics and risks and may differ by project size and type. Quality reviews may consider whether the entity's systems and components can scale, as necessary. IV.K ¶ 3 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Establish/Maintain Documentation | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 [Validating that any changes are authorized, quality is maintained, scope creep is mitigated, and stakeholders are informed. IV.N.2 ¶ 4 Bullet 3] | Business Processes | Detective | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Testing | Detective | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [Examiners should review the following: Evaluation process (e.g., post-implementation review, stakeholder interview, problem documentation and resolution, cost-benefit analysis, and reports to senior management) for development, acquisition, and maintenance projects. IV Action Summary ¶ 2 Bullet 13 Quality management is a critical part of well-managed development, acquisition, and maintenance activities. Comprehensive quality management, risk management, and testing standards provide a means to manage project risks and promote expected functionality, security, and interoperability in systems and components in a secure, resilient manner. Quality management policies, standards, and procedures should be applied to internally and externally developed programs and should address the following: IV.K ¶ 3 Generally, IT project plans consider the following: Quality management tasks (e.g., testing both developed systems and patches for procured systems). IV.N.3(d) ¶ 1 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Communicate | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Communicate | Preventive | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9] | Business Processes | Corrective | |
Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Monitor and Evaluate Occurrences | Preventive | |
Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Establish/Maintain Documentation | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Establish/Maintain Documentation | Preventive | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Systems Design, Build, and Implementation | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
Document, in a deficiency report, the deficiencies that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6] | Establish/Maintain Documentation | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Establish/Maintain Documentation | Preventive | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Business Processes | Detective | |
Include program testing standards in the Quality Management program. CC ID 01017 | Establish/Maintain Documentation | Preventive | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Business Processes | Detective | |
Include system testing standards in the Quality Management program. CC ID 01018 | Establish/Maintain Documentation | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6 Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9] | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Establish/Maintain Documentation | Preventive | |
Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Establish/Maintain Documentation | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1] | Business Processes | Preventive | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Establish Roles | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Establish Roles | Detective | |
Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3 Examiners should review the following: Board and committee minutes to evaluate how the entity prioritizes projects relative to business goals and objectives, evaluates the project's effect on operations, and monitors and supports projects during execution. IV.N Action Summary ¶ 2 Bullet 2] | Establish/Maintain Documentation | Detective | |
Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1 Additionally, the board generally approves Policies and standards. II.B.1 ¶ 1 Bullet 1 Sub-Bullet 2] | Establish Roles | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security planning procedures. CC ID 14060 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Communicate | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 [Examiners should review the following: Enterprise-wide IT policies, procedures, and standards describing the entity's requirements throughout the development, acquisition, and maintenance life cycle. II Action Summary ¶ 2 Bullet 1 Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1] | Establish/Maintain Documentation | Preventive | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Establish/Maintain Documentation | Preventive | |
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Human Resources Management | Preventive | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Establish/Maintain Documentation | Preventive | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Establish/Maintain Documentation | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Establish/Maintain Documentation | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Establish/Maintain Documentation | Preventive | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Business Processes | Corrective | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 | Business Processes | Preventive | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Establish/Maintain Documentation | Preventive | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3 Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2 Planning, particularly in the project's early stages, should help the project team and management coordinate development activities and manage risks effectively. Planning helps the project team and management add or clarify the project's specific activities, resources, costs, and benefits. A critical part of planning is to coordinate stakeholder discussions to identify and document as many of the entity's functional, security, and network requirements as possible. IV.O.1(a) ¶ 3] | Establish/Maintain Documentation | Preventive | |
Submit closure reports at the conclusion of each information technology project. CC ID 16948 [If a project is discontinued before implementation, determining and documenting the reasons for the abnormal project closure for use by future project teams. IV.N.2 ¶ 5 Bullet 2] | Actionable Reports or Measurements | Preventive | |
Review and approve the closure report. CC ID 16947 | Actionable Reports or Measurements | Preventive | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2 Board: The board, or board-designated committee, typically confirms that IT-related development, acquisition, and maintenance activities align with entity strategic objectives and the board's risk appetite. The audit committee of the board is involved with reviewing and validating the entity's audit-related activities, including development, acquisition, and maintenance. Additionally, the board generally approves II.B.1 ¶ 1 Bullet 1 The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 [The following would typically be completed during this phase: A project request that provides the business case including a description of the work, the benefits, alternatives considered, the impact of not doing the work, initial estimates of resources and schedule, and strategic match. IV.N.1(a) ¶ 1 Bullet 1 A business case conveys business related information to help management determine whether to fund a project. The goal is to justify the project resources (e.g., budget and staffing) to address a business need. Typically, the project's sponsor helps to develop and owns the resulting business case. Business cases often include the following: IV.N.3(b) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Business Processes | Preventive | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1 {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1 The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 [Validating that appropriate success criteria are identified and the project is feasible. IV.N.2 ¶ 2 Bullet 5] | Establish/Maintain Documentation | Preventive | |
Assign senior management to approve business cases. CC ID 13068 | Human Resources Management | Preventive | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3 Coordinating the project phases, including tasks and activities, sufficiency of resources, and process steps and timing for each phase. IV.N.2 ¶ 2 Bullet 2 Generally, IT project plans consider the following: Schedule, including completion of key tasks and achieving milestones. IV.N.3(d) ¶ 1 Bullet 4 {project closeout} During the project's closeout phase, the project team delivers the agreed-upon scope items as outlined in the project plan. For example, in a systems development or acquisition project, project closeout is when the project team transitions the systems to the operations staff (i.e., moves application from a staging to a production environment). Often during the project closeout, project teams analyze the project (i.e., post-implementation review) to identify effective project practices and discuss issues encountered and how they were resolved. This information is used to inform and improve project management practices. Project teams review project documentation in the closeout phase to ensure that it is complete, supports maintenance, and can be used by future teams to identify effective practices. IV.N.1(d) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Establish/Maintain Documentation | Corrective | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Establish/Maintain Documentation | Preventive | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Establish/Maintain Documentation | Preventive | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Establish/Maintain Documentation | Preventive | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Establish/Maintain Documentation | Preventive | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Establish/Maintain Documentation | Preventive | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1 An IT project should be managed in relation to the entity's size and complexity and consistent with the project's criticality and risks. An ineffectively managed IT project may result in late deliveries, cost overruns, or systems or components that do not meet entity, user, customer, or regulatory requirements. Systems or components that do not meet entity minimum standards or customer requirements can result in underused, insecure, or unreliable products or services. Adding functions, security, or automated controls into systems or components late in the initial development or after implementation to address missed requirements may incur substantial costs (e.g., personnel, time, and money), resulting in less effective systems or components. Furthermore, poor project management can lead to legal issues, such as violations of law and regulation and monetary penalties. IV.N ¶ 2 {strategic objective} Effective management aligns implementation of any methodology with the overall strategic and business objectives. Planning, education, and communication are important elements to help ensure that critical resources are available when needed for IT projects. Management should promote effective planning through IT project management and support training for developers, quality management members, testers, and maintenance personnel. Entity staff should be proficient and qualified in the selected methodologies. Common examples used in the financial industry include waterfall and agile; however, examiners may encounter others. IV.J ¶ 2] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1 The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1] | Establish/Maintain Documentation | Preventive | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 [Examiners should review the following: Project plans and proposals to determine how well they identify the project purpose, the requirements to address business needs, and the deliverables for each project phase. IV.N Action Summary ¶ 2 Bullet 3 During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1 Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling helps management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1 Effective management understands the SDLC phases and the actions needed in each phase. The phases may be divided differently depending on the entity, the project type and characteristics, and the SDLC used. Management should identify the actions and assign responsibility and accountability for completing those actions. Key stakeholders of the system or component being developed or modified should monitor progress in each phase including the output of each phase. This involvement mitigates the risk that the system or component does not deliver the requested functionality. Management should maintain confidentiality, integrity, availability, and resilience throughout all phases of the SDLC. IV.O.1 ¶ 1] | Monitor and Evaluate Occurrences | Detective | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 [During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1] | Actionable Reports or Measurements | Preventive | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Actionable Reports or Measurements | Preventive | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Actionable Reports or Measurements | Preventive | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Actionable Reports or Measurements | Preventive | |
Review and approve the Strategic Information Technology Plan. CC ID 13094 | Human Resources Management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1 The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Behavior | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Establish/Maintain Documentation | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Establish/Maintain Documentation | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Process or Activity | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Process or Activity | Preventive | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Audits and Risk Management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Human Resources Management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Human Resources Management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Establish/Maintain Documentation | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Establish/Maintain Documentation | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Communicate | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Establish/Maintain Documentation | Preventive | |
Conduct governance meetings, as necessary. CC ID 16946 | Process or Activity | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Communicate | Preventive | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Business Processes | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Behavior | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [Examiners should review the following: Security controls (e.g., secure coding requirements and baseline configuration use) used to harden systems and components. IV Action Summary ¶ 2 Bullet 2 Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle help control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1 Management should maintain testing policies, standards, procedures, as well as other process controls that are effectively used to mitigate risks in internally and externally developed systems and components. V.B Action Summary ¶ 1] | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2] | Business Processes | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Establish Roles | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
Include cloud services in the internal control framework. CC ID 17262 | Establish/Maintain Documentation | Preventive | |
Include cloud security controls in the internal control framework. CC ID 17264 | Establish/Maintain Documentation | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Process or Activity | Preventive | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Establish/Maintain Documentation | Preventive | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Establish/Maintain Documentation | Preventive | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Establish/Maintain Documentation | Preventive | |
Include the scope in the cybersecurity framework. CC ID 17277 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [Chief information security officer (CISO): The CISO typically develops enterprise-wide cybersecurity and information security policies and standards, including procedures promoting secure development, acquisition, and maintenance practices, and provides input for the consideration and inclusion of security and resilience in IT projects. The CISO is responsible for validating that security and resilience are maintained throughout the life of a project, system, or component. II.B.1 ¶ 1 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Establish/Maintain Documentation | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Establish/Maintain Documentation | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Establish/Maintain Documentation | Preventive | |
Include system development in the information security program. CC ID 12389 | Establish/Maintain Documentation | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Establish/Maintain Documentation | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Establish/Maintain Documentation | Preventive | |
Include access control in the information security program. CC ID 12386 | Establish/Maintain Documentation | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 [Examiners should review the following: Access, authentication, and authorization controls for systems, components, data, and related documentation throughout the supply chain to ensure appropriate security. IV Action Summary ¶ 2 Bullet 4] | Process or Activity | Detective | |
Include operations management in the information security program. CC ID 12385 | Establish/Maintain Documentation | Preventive | |
Include communication management in the information security program. CC ID 12384 | Establish/Maintain Documentation | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Establish/Maintain Documentation | Preventive | |
Include physical security in the information security program. CC ID 12382 | Establish/Maintain Documentation | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Establish/Maintain Documentation | Preventive | |
Include asset management in the information security program. CC ID 12380 | Establish/Maintain Documentation | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Establish/Maintain Documentation | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Establish/Maintain Documentation | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Establish/Maintain Documentation | Preventive | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Communicate | Preventive | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Communicate | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Establish/Maintain Documentation | Preventive | |
Include risk management in the information security program. CC ID 12378 | Establish/Maintain Documentation | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Establish/Maintain Documentation | Preventive | |
Provide management direction and support for the information security program. CC ID 11999 | Process or Activity | Preventive | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Establish/Maintain Documentation | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Business Processes | Preventive | |
Include data localization requirements in the information security policy. CC ID 16932 | Establish/Maintain Documentation | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Establish/Maintain Documentation | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Establish/Maintain Documentation | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Establish/Maintain Documentation | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Establish/Maintain Documentation | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Establish/Maintain Documentation | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Establish/Maintain Documentation | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Process or Activity | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Business Processes | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Communicate | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Establish/Maintain Documentation | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Process or Activity | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Establish Roles | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Human Resources Management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Establish/Maintain Documentation | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Human Resources Management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Communicate | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Establish/Maintain Documentation | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Business Processes | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Business Processes | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Behavior | Preventive | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Communicate | Preventive | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Communicate | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Establish/Maintain Documentation | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Establish/Maintain Documentation | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Establish/Maintain Documentation | Preventive | |
Perform social network analysis, as necessary. CC ID 14864 | Investigate | Detective | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [Chief information officer (CIO): The CIO leads day-to-day IT system and component development, acquisition, and maintenance in accordance with the entity's policies and business strategy. Prudent practices include the CIO consulting with the entity's risk management function and legal counsel to ensure that development, acquisition, and maintenance decisions are consistent with sound risk management principles and applicable laws and regulations. Additionally, the CIO facilitates the integration of any new projects, systems, and components into the entity's operations to ensure that they align with strategic objectives and IT strategies. The CIO helps determine the feasibility of proposed projects or changes. II.B.1 ¶ 1 Bullet 3 Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle help control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1] | Establish/Maintain Documentation | Preventive | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Establish/Maintain Documentation | Preventive | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Establish/Maintain Documentation | Preventive | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Communicate | Preventive | |
Reissue operating instructions, as necessary. CC ID 17121 | Communicate | Preventive | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Establish/Maintain Documentation | Preventive | |
Update the congestion management actions in a timely manner. CC ID 17145 | Establish/Maintain Documentation | Preventive | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Process or Activity | Preventive | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Process or Activity | Preventive | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Establish/Maintain Documentation | Preventive | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Communicate | Detective | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Communicate | Preventive | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Establish/Maintain Documentation | Preventive | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Communicate | Preventive | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Establish/Maintain Documentation | Preventive | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Business Processes | Preventive | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Behavior | Detective | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Process or Activity | Preventive | |
Coordinate outages with affected parties. CC ID 17160 | Process or Activity | Preventive | |
Coordinate energy resource management with affected parties. CC ID 17150 | Process or Activity | Preventive | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Process or Activity | Preventive | |
Coordinate energy shortages with affected parties. CC ID 17148 | Process or Activity | Preventive | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 [Management is responsible for operations and maintenance phase task performance regardless of whether tasks are performed by entity or third-party personnel. For more information, refer to the FFIEC IT Handbook's "Outsourcing Technology Services," "Business Continuity Management," "Architecture, Infrastructure, and Operations," and "Information Security" booklets. IV.O.1(d) ¶ 5] | Establish/Maintain Documentation | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Establish/Maintain Documentation | Preventive | |
Include alternative actions in the operational control procedures. CC ID 17096 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Establish/Maintain Documentation | Preventive | |
Approve or deny requests in a timely manner. CC ID 17095 | Process or Activity | Preventive | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Business Processes | Preventive | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Communicate | Preventive | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Communicate | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Establish/Maintain Documentation | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Process or Activity | Preventive | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Establish/Maintain Documentation | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Establish/Maintain Documentation | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Establish/Maintain Documentation | Preventive | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Establish/Maintain Documentation | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Establish/Maintain Documentation | Preventive | |
Include resources in the standard operating procedures manual. CC ID 17212 | Establish/Maintain Documentation | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Establish/Maintain Documentation | Preventive | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Establish/Maintain Documentation | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Establish/Maintain Documentation | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Establish/Maintain Documentation | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Establish/Maintain Documentation | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Establish/Maintain Documentation | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Establish/Maintain Documentation | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Business Processes | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Establish/Maintain Documentation | Corrective | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Establish/Maintain Documentation | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Establish/Maintain Documentation | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Establish/Maintain Documentation | Preventive | |
Include information sharing procedures in standard operating procedures. CC ID 12974 [FOSS is typically acquired and used in an as-is manner. An entity may not be aware of the developer(s) in public domain FOSS. There may or may not be updates made available for the software, and changes made to the software may be made by other individuals besides the developer. Risks associated with FOSS include the potential for unidentified or unpatched vulnerabilities and development changes by unknown parties. An accurate inventory of FOSS should be maintained as part of an effective ITAM process, and management should understand and abide by the requirements of FOSS licenses. Additionally, some licenses require users to contribute software additions or enhancements, or they may prohibit the use for commercial purpose or profit. Management should be aware of what information is shared when contributing an enhancement to the FOSS development community. IV.C.1(a) ¶ 2] | Records Management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 [Agreements should address risks, including the following: Information sharing (e.g., collection, analysis, and distribution) of threat intelligence, incidents, and other key risk indicators throughout the supply chain. The intelligence gathered enables management to proactively identify and respond to threats in the entity's supply chain. Therefore, management should consider information-sharing clauses in agreements and contracts. IV.Q.1 ¶ 4 Bullet 11 Sub-Bullet 5] | Business Processes | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Process or Activity | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Communicate | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Establish/Maintain Documentation | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Establish/Maintain Documentation | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Establish/Maintain Documentation | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Establish/Maintain Documentation | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Establish/Maintain Documentation | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Establish/Maintain Documentation | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Establish/Maintain Documentation | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Establish/Maintain Documentation | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Establish/Maintain Documentation | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Establish/Maintain Documentation | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Establish/Maintain Documentation | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Establish/Maintain Documentation | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Establish/Maintain Documentation | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Technical Security | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Establish/Maintain Documentation | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Data and Information Management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Establish/Maintain Documentation | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Establish/Maintain Documentation | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Establish/Maintain Documentation | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Establish/Maintain Documentation | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Establish/Maintain Documentation | Corrective | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Establish/Maintain Documentation | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Establish/Maintain Documentation | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Communicate | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Business Processes | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [SBOMs typically do not identify intellectual property, patents, algorithms, or code; if they do, management should implement appropriate security for this proprietary information. IV.Q.2 ¶ 4] | Establish/Maintain Documentation | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Establish/Maintain Documentation | Preventive | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Establish/Maintain Documentation | Preventive | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Communicate | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Establish/Maintain Documentation | Preventive | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Business Processes | Preventive | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Data and Information Management | Preventive | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Establish/Maintain Documentation | Preventive | |
Include content requirements in the e-mail policy. CC ID 17041 | Establish/Maintain Documentation | Preventive | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Establish/Maintain Documentation | Preventive | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Establish/Maintain Documentation | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Establish/Maintain Documentation | Preventive | |
Include message format requirements in the e-mail policy. CC ID 17038 | Establish/Maintain Documentation | Preventive | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Communicate | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Data and Information Management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Communicate | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Establish/Maintain Documentation | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Establish/Maintain Documentation | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Establish/Maintain Documentation | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Establish/Maintain Documentation | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Establish/Maintain Documentation | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Establish/Maintain Documentation | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Establish/Maintain Documentation | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Establish/Maintain Documentation | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Establish/Maintain Documentation | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Establish/Maintain Documentation | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Business Processes | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Process or Activity | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Establish/Maintain Documentation | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Behavior | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Systems design, build, and implementation CC ID 00989 | IT Impact Zone | IT Impact Zone | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems Design, Build, and Implementation | Preventive | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain project management standards. CC ID 00992 [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1 Examiners should review the following: Process of selecting and implementing methodologies to enable effective management and control of development, acquisition, or maintenance projects and alignment with entity objectives. IV Action Summary ¶ 2 Bullet 6 Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 Evaluating the application of project management policy, standards, and procedures. IV.N.2 ¶ 2 Bullet 4] | Establish/Maintain Documentation | Preventive | |
Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 | Systems Design, Build, and Implementation | Preventive | |
Include objectives in the project management standard. CC ID 17202 [The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project program documentation standard. CC ID 00995 [{be comprehensive} Verifying that the project plan and associated project documents are appropriate, comprehensive, and approved. IV.N.2 ¶ 3 Bullet 4 Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2 An agile methodology may create unique challenges in documentation of development; therefore, the entity's documentation requirements should be clearly defined in the entity's project management requirements. Effective documentation relies on real-time communication between the development team and stakeholders, including end users. In any methodology, a lack of clarity or poor communication can negatively affect project deliverables and timelines (e.g., delays, scope creep, costs, and quality). This may have increased significance in an agile methodology because multiple parts of the overall project in process may be affected, leading to a greater impact than if only one segment of a project in process is affected. IV.J.2 ¶ 7 Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6 Development standards should articulate the entity's minimum development requirements. For example, development standards may address the selection of programming styles, languages, and tools; layout or format of scripted code; naming conventions; and program library requirements. Effective management communicates in policy its reasons for using specific programming styles and languages on a project or service in project documentation. This is done to identify decisions made by management so developers can understand the reasons certain programming styles and languages were used and whether they remain appropriate for current functionality and stakeholder needs. Examples are included in table 3. V.A ¶ 2] | Establish/Maintain Documentation | Preventive | |
Include budgeting for projects in the project management standard. CC ID 13136 [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1 Generally, IT project plans consider the following: Task budgets. IV.N.3(d) ¶ 1 Bullet 7] | Establish/Maintain Documentation | Preventive | |
Include time requirements in the project management standard. CC ID 17199 [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain project management procedures. CC ID 17200 [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3 A methodology is used to facilitate the development, acquisition, or maintenance of a system or component project. Management should establish appropriate methodologies to enable effective management and control of system and component development, acquisition, and maintenance activities. Management can apply various methodologies, or a hybrid, to different projects based on stakeholder needs and project objectives. Methodologies can be a combination of strategies, design philosophies, and accepted practices designed as a structured, organized set of rules that allow a project team to work together effectively. If the entity employs multiple methodologies, the chosen methodology should be defined for each IT project. IV.J ¶ 1] | Establish/Maintain Documentation | Preventive | |
Formally approve the initiation of each project phase. CC ID 00997 [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2 Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3] | Systems Design, Build, and Implementation | Detective | |
Establish, implement, and maintain integrated project plans. CC ID 01056 [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1 During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1 Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1] | Establish/Maintain Documentation | Preventive | |
Perform a risk assessment for each system development project. CC ID 01000 [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 Execute the implementation plan, including the following: Assessing risk for issues that may occur during implementation activities (e.g., rollout, conversion, or update). IV.O.1(c) ¶ 4 Bullet 1 Sub-Bullet 1 When engaged in development, management may consider using design and coding techniques, appropriate tools (e.g., computer-aided design), and prototypes. When development personnel use design and coding techniques, they should appropriately manage risks (e.g., eliminating inaccurate techniques or outdated tools and prototypes). Prototypes may help illustrate a system's or component's functionality to stakeholders and help management identify, evaluate, and highlight design risks not apparent during the impact analysis or before production. Then the design risks may be resolved more efficiently. There are alternatives to prototyping, such as defining and building a system or component with only enough features to accomplish the essential user objectives of the system. V ¶ 3 Automation and orchestration give the DevOps approach several benefits including shorter development cycles, increased deployment frequency, faster time to market, and more stable operating environments. In the past, entities may have had changes that took place on a weekly basis; however, in a DevOps environment, the same number and type of changes can be made daily or even hourly. However, automation of previously manual activities, combined with frequent and rapid release cycles, may result in perpetuation of errors or invalid code. Management should assess the risks involved in using a DevOps approach and implement appropriate controls. Potential risks include the following: V.C.1 ¶ 3] | Testing | Detective | |
Establish, implement, and maintain a project control program. CC ID 01612 [An effective audit function provides independent, objective validation of controls and statements of assurance on the effectiveness of an entity's development, acquisition, and maintenance activities. Although auditors should not have any direct involvement in management decisions, they should raise objections if they believe the control environment is inadequate. Auditors may plan for their advisory capacity in development, acquisition, and maintenance activities by developing an understanding of the proposed system or changes. Auditors may require specialized knowledge of IT to advise on or review these activities. They should validate schedule adherence and management. Auditors should determine the effectiveness of controls in the entity's development, acquisition, and maintenance activities and recommend appropriate mitigation. They may communicate with developers regarding appropriate control standards and frameworks throughout IT projects. II.B.9 ¶ 1 Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling helps management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project test plan. CC ID 01001 [Strong testing and other QC procedures can mitigate the risk that the entity's project goals and stakeholder requirements are not met during the execution phase. Testing helps find deficiencies or defects and helps ensure that the system or components operate as intended. Depending on the project type, testing may be scheduled throughout the project during any phase. For example, testing may not always occur during every sprint when using an agile development methodology. Users, designers, developers, and IT staff may be involved in testing. Throughout the testing process, management should maintain comprehensive and accurate documentation reflecting the testing methodology employed, tests performed, and test results. IV.N.1(c) ¶ 3] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project team plan. CC ID 06533 [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2 In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1 Meeting regularly with the project team to track progress, address impediments or issues, and track task and milestone completion. IV.N.2 ¶ 4 Bullet 1 Generally, IT project plans consider the following: Roles and responsibilities. IV.N.3(d) ¶ 1 Bullet 2] | Establish/Maintain Documentation | Preventive | |
Identify accreditation tasks. CC ID 00999 | Systems Design, Build, and Implementation | Detective | |
Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a project management training plan. CC ID 01002 | Establish/Maintain Documentation | Preventive | |
Conduct a post implementation review when the system design project ends. CC ID 01003 [Auditors may participate in an advisory capacity in IT projects and may perform pre- and post-implementation reviews. Post-implementation reviews should occur shortly after implementing the new or revised system or components. These reviews help validate that the system or component operates as expected and provide financial statement users with relevant information in ways that justify the cost of providing it. II.B.9 ¶ 3 Organizations formally perform a post-implementation review (PIR) for system development and implementation projects to continuously improve. Processes and techniques that were effective are passed to future projects as effective practices. Problems and their solutions are also passed along to help future projects avoid pitfalls. In agile projects when there are multiple implementations, smaller reviews are completed after each task or deliverable is implemented. Typical PIR steps are IV.M ¶ 1 Overseeing a post-implementation review. IV.N.2 ¶ 5 Bullet 4 Conduct PIRs (e.g., survey users, review complaints, plan future functionality, and identify other improvements). Additionally, the reviews may identify lessons learned and process improvement information. IV.O.1(c) ¶ 4 Bullet 9 {affected party} Training is critical to the success of the implementation and assessment phase as are training plans and supporting materials for operating, using, and maintaining the system. Training is often the first exposure to the system for most users and should be provided before system or component deployment to the production environment. Training enables users to familiarize themselves with the new or updated system or component. A positive training experience typically improves user acceptance. During this phase, appropriate personnel should coordinate training logistics, including who should be trained, what the training involves, and when training should be conducted. Effective management organizes a training and awareness campaign and notifies users of any implementation and training responsibilities. This helps establish user expectations regarding system and component capabilities. Those responsible for supporting the system or component in the entity should have a combination of technical documentation, training, and hands-on assistance enabling support personnel to provide operational support to the users. Once the product is implemented, management should perform a PIR (see the "Post-Implementation Review" section of this booklet for more information). IV.O.1(c) ¶ 6] | Testing | Detective | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems Design, Build, and Implementation | Preventive | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [Measurability: To accurately evaluate a project's success, management should assess results against defined expectations and requirements to determine project success. Quality management personnel should assess the quality of products and processes against measurable standards, metrics, and expectations. IV.K ¶ 3 Bullet 5 Management should establish development standards, including procedures for controlling changes during the development process that address the following: Quality management (also referred to as quality assurance and quality control [QA/QC]), including the development and implementation of a system or component so it meets predefined specifications and management's expectations. V.A ¶ 1 Bullet 2] | Testing | Detective | |
Establish, implement, and maintain system testing procedures. CC ID 11744 [To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4 Testing is essential to the development process to promote confidentiality, integrity, availability, and resilience. Whether developed internally or by a third party, appropriate personnel should test systems and components to identify and correct defects before deployment, including security-related defects. V.B ¶ 1 Testing should be sufficient to confirm that systems and components meet the entity's architectural, functional, information security, and legal/regulatory requirements. To help mitigate the risk that an integration point contains an undiscovered defect, entities test the system or component being developed, including how well that system or component interoperates with other systems and components. This scope is commonly achieved through a combination of code-level, system-level, and code vulnerability testing. V.B ¶ 2 Due to supply chain risk in development, for both in-house and supply chain partners, it is important to consider using the following standards and controls when developing information systems and components: Design relevant validation mechanisms to be used during implementation and operation. V.A ¶ 5 Bullet 3] | Establish/Maintain Documentation | Preventive | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 | Testing | Detective | |
Review and test source code. CC ID 01086 [Examiners should review the following: Quality assurance (QA) reports to evaluate processes for the detection of potential coding errors. II Action Summary ¶ 2 Bullet 6 Manual or automated code reviews help identify vulnerabilities. Manual code reviews are performed by entity personnel or a third party and may be less costly than an automated code review. However, limitations on reviewers' knowledge or experience may result in unidentified issues, such as syntax errors and code vulnerabilities due to human error. Additionally, manual reviews may not be effective for extensive volumes of testing. Automated code reviews, on the other hand, may be more sophisticated, can reduce human error, and generally provide more timely identification of weaknesses. These tools are scalable and can be continuously updated as technology and vulnerabilities evolve. Entities review software code that has been implemented to mitigate the risk that vulnerabilities may be introduced through routine updates and patches. If an automated code review process is implemented, management should ensure that the embedded rules of the code review tools are appropriately configured and used. Management selects code review types that are effective for the entity's project and available resources, and management validates that the code review process meets its needs. IV.D ¶ 4 To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4 The types of testing performed should be appropriate for the development activity's inherent risk. Effective management has a methodical process to define and conduct testing necessary to demonstrate the effectiveness of a developed system or component. Typically, testing is performed in stages, and knowledgeable testing specialists and relevant stakeholders should be involved in testing. Regardless of the process, various tests may be used individually or in combination at different points in the development and testing phases. During system or component development, developers perform code reviews, which typically occur as part of the testing process. Appropriate personnel can perform testing manually, with automated tools, or a combination of both. V.B ¶ 5] | Testing | Detective | |
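The IV.D ¶ 4 citation above asks that the "embedded rules" of an automated code review tool be appropriately configured and that management validate the process meets its needs. The following is an added illustration, not code from the FFIEC booklet or from the UCF mapping: a minimal rule-driven Python source checker built on the standard `ast` module. The rule identifiers, severities, secret-name hints and the sample source it reviews are all constructed for the example. It shows two things an examiner would look for: findings produced by enabled rules, and a configuration check (`validate_rules`) that reports which baseline rules a weakened configuration has switched off, since a review tool with its rules disabled reports nothing while appearing to run.

```python
"""Minimal configurable automated code-review checker (added example).

Assumptions (not from the FFIEC booklet): rule names, severities,
secret-name hints and the sample source below are constructed for
illustration only.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    rule: str
    severity: str
    line: int
    message: str


# Constructed baseline rule set: rule id -> (enabled, severity).
BASELINE_RULES = {
    "dangerous-eval": (True, "high"),      # eval()/exec() call
    "shell-true": (True, "high"),          # subprocess.* call with shell=True
    "hardcoded-secret": (True, "medium"),  # string literal assigned to a secret-like name
}

# Constructed hints for variable names that usually hold credentials.
SECRET_NAME_HINTS = ("password", "passwd", "secret", "api_key", "token")


class _Visitor(ast.NodeVisitor):
    """Walk the syntax tree and report only for rules that are enabled."""

    def __init__(self, rules):
        self.rules = rules
        self.findings = []

    def _report(self, rule, node, message):
        enabled, severity = self.rules.get(rule, (False, "info"))
        if enabled:
            self.findings.append(Finding(rule, severity, node.lineno, message))

    def visit_Call(self, node):
        # Direct eval()/exec() calls.
        if isinstance(node.func, ast.Name) and node.func.id in ("eval", "exec"):
            self._report("dangerous-eval", node, f"call to {node.func.id}()")
        # subprocess.<fn>(..., shell=True)
        if (isinstance(node.func, ast.Attribute)
                and isinstance(node.func.value, ast.Name)
                and node.func.value.id == "subprocess"):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    self._report("shell-true", node, f"subprocess.{node.func.attr} with shell=True")
        self.generic_visit(node)

    def visit_Assign(self, node):
        # A string literal assigned to a name that looks like a credential.
        if isinstance(node.value, ast.Constant) and isinstance(node.value.value, str):
            for target in node.targets:
                if isinstance(target, ast.Name) and any(h in target.id.lower() for h in SECRET_NAME_HINTS):
                    self._report("hardcoded-secret", node, f"string literal assigned to '{target.id}'")
        self.generic_visit(node)


def review_source(source: str, rules=BASELINE_RULES) -> list:
    """Run the enabled rules over one Python source file; findings sorted by line."""
    visitor = _Visitor(rules)
    visitor.visit(ast.parse(source))
    return sorted(visitor.findings, key=lambda f: f.line)


def validate_rules(rules) -> list:
    """Return baseline rule ids that the supplied configuration disables or omits."""
    return [r for r in BASELINE_RULES if not rules.get(r, (False, ""))[0]]


# Constructed sample input: a file a reviewer might be handed.
SAMPLE_SOURCE = '''\
import subprocess
api_key = "constructed-example-value"
def run(cmd, expr):
    subprocess.run(cmd, shell=True)
    return eval(expr)
'''

if __name__ == "__main__":
    for f in review_source(SAMPLE_SOURCE):
        print(f"{f.severity:6} line {f.line}: {f.rule}: {f.message}")
    weakened = {**BASELINE_RULES, "dangerous-eval": (False, "high")}
    print("disabled baseline rules:", validate_rules(weakened))
```

Run against the constructed sample it reports the hardcoded credential on line 2, the `shell=True` call on line 4 and the `eval()` on line 5; passing a configuration with every rule disabled returns no findings at all, which is exactly the condition `validate_rules` is there to surface before the tool's output is relied on.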
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Submit closure reports at the conclusion of each information technology project. CC ID 16948 [If a project is discontinued before implementation, determining and documenting the reasons for the abnormal project closure for use by future project teams. IV.N.2 ¶ 5 Bullet 2] | Leadership and high level objectives | Preventive | |
Review and approve the closure report. CC ID 16947 | Leadership and high level objectives | Preventive | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 [During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1] | Leadership and high level objectives | Preventive | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Leadership and high level objectives | Preventive | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Leadership and high level objectives | Preventive | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Leadership and high level objectives | Preventive | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Corrective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Preventive | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Detective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [Review management's response to issues raised during, or since, the last examination. Consider the following: Resolution of root causes rather than just specific issues. App A Objective 1:2b {corrective action} Review management's response to issues raised during, or since, the last examination. Consider the following: Whether management has taken positive action toward correcting exceptions reported in audit and examination reports. App A Objective 1:2d] | Audits and risk management | Detective | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Leadership and high level objectives | Preventive | |
Delegate authority for specific processes, as necessary. CC ID 06780 | Human Resources management | Preventive | |
Implement personnel supervisory practices. CC ID 00773 | Human Resources management | Preventive | |
Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779 | Human Resources management | Preventive | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Preventive | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Preventive | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Preventive | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze the business environment in which the organization operates. CC ID 12798 [Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2] | Leadership and high level objectives | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 | Leadership and high level objectives | Preventive | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 | Leadership and high level objectives | Preventive | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Preventive | |
Include society in the analysis of the external environment. CC ID 12963 | Leadership and high level objectives | Preventive | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Preventive | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Preventive | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Preventive | |
Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Preventive | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Preventive | |
Include legal requirements in the analysis of the external environment. CC ID 12896 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Preventive | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Leadership and high level objectives | Preventive | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Leadership and high level objectives | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Leadership and high level objectives | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Leadership and high level objectives | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2 Validating stakeholder support and engagement. IV.N.2 ¶ 3 Bullet 3] | Leadership and high level objectives | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 [Validating that any changes are authorized, quality is maintained, scope creep is mitigated, and stakeholders are informed. IV.N.2 ¶ 4 Bullet 3] | Leadership and high level objectives | Detective | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9] | Leadership and high level objectives | Corrective | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Detective | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Detective | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1] | Leadership and high level objectives | Preventive | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Leadership and high level objectives | Corrective | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 | Leadership and high level objectives | Preventive | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Preventive | |
Place Information Technology operations in a position to support the business model. CC ID 00766 | Human Resources management | Preventive | |
Review organizational personnel successes. CC ID 00767 | Human Resources management | Preventive | |
Evaluate the staffing requirements regularly. CC ID 00775 | Human Resources management | Detective | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Detective | |
Assign resources to implement the internal control framework. CC ID 00816 [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2] | Operational management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Preventive | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Preventive | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Preventive | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Preventive | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Preventive | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Preventive | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Preventive | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 [Agreements should address risks, including the following: Information sharing (e.g., collection, analysis, and distribution) of threat intelligence, incidents, and other key risk indicators throughout the supply chain. The intelligence gathered enables management to proactively identify and respond to threats in the entity's supply chain. Therefore, management should consider information-sharing clauses in agreements and contracts. IV.Q.1 ¶ 4 Bullet 11 Sub-Bullet 5] | Operational management | Preventive | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Preventive | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Leadership and high level objectives | Preventive | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Corrective | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Preventive | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Preventive | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Preventive | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Preventive | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Preventive | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Preventive | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Preventive | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Preventive | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Preventive | |
Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Preventive | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Detective | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Preventive | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Preventive | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Operational management | Preventive | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Preventive | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Preventive | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Preventive | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Preventive | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Preventive | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include the data source in the data governance and management practices. CC ID 17211 | Leadership and high level objectives | Preventive | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Preventive | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Preventive | |
Include format requirements for data elements in the data dictionary. CC ID 17108 | Leadership and high level objectives | Preventive | |
Include notification requirements for data elements in the data dictionary. CC ID 17107 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain data reconciliation procedures. CC ID 17118 | Leadership and high level objectives | Preventive | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Preventive | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Preventive | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Leadership and high level objectives | Detective | |
Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1 Additionally, the board generally approves Policies and standards. II.B.1 ¶ 1 Bullet 1 Sub-Bullet 2] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1 The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1] | Human Resources management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1 IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2] | Human Resources management | Preventive | |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 [Examiners should review the following: Charters (e.g., board, management, or committee), organizational charts, relevant documentation, and practices to determine whether appropriate roles and responsibilities are identified and assigned with suitable decision-making authority. II Action Summary ¶ 2 Bullet 2] | Human Resources management | Preventive | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 | Human Resources management | Detective | |
Rotate duties amongst the critical roles and positions. CC ID 06554 | Human Resources management | Preventive | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Preventive | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Preventive |
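The segregation-of-duties expectation quoted under CC ID 00809 above (maintenance roles kept independent from development roles so developers cannot reach production, with management reviewing and approving any deviation) is the kind of control an examiner will ask to see evidence for. The following is an added example, not code from the FFIEC booklet, the UCF, or any real entity: a Python check that reads a constructed IAM role export, flags every identity holding both a development role and a production-access role, and tolerates that combination only when a documented, time-boxed exception is still in force. The role names, the CSV export format, and the exception register are assumptions made for illustration.

```python
"""Segregation-of-duties check: developer roles versus production access.

Added example. The role catalogue, the IAM export below, and the exception
register are all constructed for illustration (not from the FFIEC booklet).
"""
import csv
import io
from dataclasses import dataclass
from datetime import date

# Assumed role catalogue: roles that let a person change code or pipelines
# versus roles that grant access to production systems.
DEV_ROLES = {"app-developer", "ci-pipeline-editor"}
PROD_ROLES = {"prod-sysadmin", "prod-db-operator", "prod-deployer"}


@dataclass(frozen=True)
class Assignment:
    user: str
    role: str
    source: str  # system that granted the role (assumed column in the export)


@dataclass(frozen=True)
class ApprovedException:
    user: str
    approver: str
    ticket: str
    expires: date  # approvals are time-boxed; an expired approval counts as none


def parse_export(text: str) -> list[Assignment]:
    """Parse a CSV role export with columns user,role,source (assumed format)."""
    reader = csv.DictReader(io.StringIO(text))
    return [Assignment(r["user"].strip(), r["role"].strip(), r["source"].strip())
            for r in reader if r.get("user") and r.get("role")]


def find_toxic_combinations(assignments, exceptions, today: date) -> list[dict]:
    """Return one finding per user who holds both a dev role and a prod role.

    Each finding carries the offending roles and whether a still-valid,
    documented exception covers it ("approved-exception") or not ("violation").
    """
    roles_by_user: dict[str, set[str]] = {}
    for a in assignments:
        roles_by_user.setdefault(a.user, set()).add(a.role)

    # Only exceptions that have not expired are honoured.
    valid_exceptions = {e.user: e for e in exceptions if e.expires >= today}

    findings = []
    for user, roles in sorted(roles_by_user.items()):
        dev, prod = roles & DEV_ROLES, roles & PROD_ROLES
        if dev and prod:
            exc = valid_exceptions.get(user)
            findings.append({
                "user": user,
                "dev_roles": sorted(dev),
                "prod_roles": sorted(prod),
                "status": "approved-exception" if exc else "violation",
                "ticket": exc.ticket if exc else None,
            })
    return findings


def violations(findings) -> list[str]:
    """Users whose toxic combination has no valid approved exception."""
    return [f["user"] for f in findings if f["status"] == "violation"]


# Constructed IAM export: alice and dave have no valid exception, bob does,
# carol/erin hold only one side, frank holds a role outside both sets.
SAMPLE_EXPORT = """user,role,source
alice,app-developer,iam-export
alice,prod-deployer,iam-export
bob,app-developer,iam-export
bob,prod-sysadmin,iam-export
carol,app-developer,iam-export
dave,ci-pipeline-editor,iam-export
dave,prod-db-operator,iam-export
erin,prod-sysadmin,iam-export
frank,helpdesk,iam-export
"""

# Constructed exception register: bob's approval is current, dave's has lapsed.
SAMPLE_EXCEPTIONS = [
    ApprovedException("bob", "cio", "CHG-1042", date(2024, 12, 31)),
    ApprovedException("dave", "cio", "CHG-0871", date(2024, 6, 30)),
]
AS_OF = date(2024, 9, 1)


def run_check() -> list[dict]:
    """Run the check over the constructed data; used by the script and tests."""
    return find_toxic_combinations(parse_export(SAMPLE_EXPORT), SAMPLE_EXCEPTIONS, AS_OF)


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['user']:<8} {f['status']:<19} dev={f['dev_roles']} prod={f['prod_roles']} "
              f"ticket={f['ticket']}")
```

Pointed at a real export, the `violation` rows are what the compliance oversight committee should see at each review, and the `approved-exception` rows are the deviations management has signed off on; treating an expired approval as no approval is deliberate, since a lapsed exception is exactly the deviation the booklet says management must re-review.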
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [Examiners should review the following: Inventory of all systems and components (e.g., open-source, proprietary, application programming interfaces [API], and container images and registries), including related licenses, and data as part of IT asset management (ITAM). IV Action Summary ¶ 2 Bullet 3 A distributed service registry should be deployed for large microservices applications, and data consistency should be maintained among multiple service registry instances. IV.G ¶ 6 Bullet 7] | Leadership and high level objectives | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Leadership and high level objectives | Preventive | |
Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Detective | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Leadership and high level objectives | Preventive | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Leadership and high level objectives | Preventive | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Leadership and high level objectives | Preventive | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Leadership and high level objectives | Preventive | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Leadership and high level objectives | Preventive | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Leadership and high level objectives | Preventive | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Leadership and high level objectives | Preventive | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Leadership and high level objectives | Preventive | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Leadership and high level objectives | Preventive | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Leadership and high level objectives | Preventive | |
Include the data source in the data dictionary. CC ID 13519 | Leadership and high level objectives | Preventive | |
Include the nature of each element in the data dictionary. CC ID 13518 | Leadership and high level objectives | Preventive | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 [Scalability: Projects vary in size and complexity. Quality management standards should match project characteristics and risks and may differ by project size and type. Quality reviews may consider whether the entity's systems and components can scale, as necessary. IV.K ¶ 3 Bullet 4] | Leadership and high level objectives | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [Examiners should review the following: Evaluation process (e.g., post-implementation review, stakeholder interview, problem documentation and resolution, cost-benefit analysis, and reports to senior management) for development, acquisition, and maintenance projects. IV Action Summary ¶ 2 Bullet 13 Quality management is a critical part of well-managed development, acquisition, and maintenance activities. Comprehensive quality management, risk management, and testing standards provide a means to manage project risks and promote expected functionality, security, and interoperability in systems and components in a secure, resilient manner. Quality management policies, standards, and procedures should be applied to internally and externally developed programs and should address the following: IV.K ¶ 3 Generally, IT project plans consider the following: Quality management tasks (e.g., testing both developed systems and patches for procured systems). IV.N.3(d) ¶ 1 Bullet 5] | Leadership and high level objectives | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Preventive | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6] | Leadership and high level objectives | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Preventive | |
Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Preventive | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Preventive | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Preventive | |
Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3 Examiners should review the following: Board and committee minutes to evaluate how the entity prioritizes projects relative to business goals and objectives, evaluates the project's effect on operations, and monitors and supports projects during execution. IV.N Action Summary ¶ 2 Bullet 2] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain security planning procedures. CC ID 14060 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 [Examiners should review the following: Enterprise-wide IT policies, procedures, and standards describing the entity's requirements throughout the development, acquisition, and maintenance life cycle. II Action Summary ¶ 2 Bullet 1 Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1] | Leadership and high level objectives | Preventive | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Leadership and high level objectives | Preventive | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Leadership and high level objectives | Preventive | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Leadership and high level objectives | Preventive | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Leadership and high level objectives | Preventive | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Leadership and high level objectives | Preventive | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Leadership and high level objectives | Preventive | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3 Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2 Planning, particularly in the project's early stages, should help the project team and management coordinate development activities and manage risks effectively. Planning helps the project team and management add or clarify the project's specific activities, resources, costs, and benefits. A critical part of planning is to coordinate stakeholder discussions to identify and document as many of the entity's functional, security, and network requirements as possible. IV.O.1(a) ¶ 3] | Leadership and high level objectives | Preventive | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2 Board: The board, or board-designated committee, typically confirms that IT-related development, acquisition, and maintenance activities align with entity strategic objectives and the board's risk appetite. The audit committee of the board is involved with reviewing and validating the entity's audit-related activities, including development, acquisition, and maintenance. Additionally, the board generally approves II.B.1 ¶ 1 Bullet 1 The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1] | Leadership and high level objectives | Preventive | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 [The following would typically be completed during this phase: A project request that provides the business case including a description of the work, the benefits, alternatives considered, the impact of not doing the work, initial estimates of resources and schedule, and strategic match. IV.N.1(a) ¶ 1 Bullet 1 A business case conveys business related information to help management determine whether to fund a project. The goal is to justify the project resources (e.g., budget and staffing) to address a business need. Typically, the project's sponsor helps to develop and owns the resulting business case. Business cases often include the following: IV.N.3(b) ¶ 1] | Leadership and high level objectives | Preventive | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1 {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1 The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1] | Leadership and high level objectives | Preventive | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 [Validating that appropriate success criteria are identified and the project is feasible. IV.N.2 ¶ 2 Bullet 5] | Leadership and high level objectives | Preventive | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3 Coordinating the project phases, including tasks and activities, sufficiency of resources, and process steps and timing for each phase. IV.N.2 ¶ 2 Bullet 2 Generally, IT project plans consider the following: Schedule, including completion of key tasks and achieving milestones. IV.N.3(d) ¶ 1 Bullet 4 {project closeout} During the project's closeout phase, the project team delivers the agreed-upon scope items as outlined in the project plan. For example, in a systems development or acquisition project, project closeout is when the project team transitions the systems to the operations staff (i.e., moves application from a staging to a production environment). Often during the project closeout, project teams analyze the project (i.e., post-implementation review) to identify effective project practices and discuss issues encountered and how they were resolved. This information is used to inform and improve project management practices. Project teams review project documentation in the closeout phase to ensure that it is complete, supports maintenance, and can be used by future teams to identify effective practices. IV.N.1(d) ¶ 1] | Leadership and high level objectives | Preventive | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Corrective | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Leadership and high level objectives | Preventive | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Leadership and high level objectives | Preventive | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Leadership and high level objectives | Preventive | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Leadership and high level objectives | Preventive | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Leadership and high level objectives | Preventive | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1 An IT project should be managed in relation to the entity's size and complexity and consistent with the project's criticality and risks. An ineffectively managed IT project may result in late deliveries, cost overruns, or systems or components that do not meet entity, user, customer, or regulatory requirements. Systems or components that do not meet entity minimum standards or customer requirements can result in underused, insecure, or unreliable products or services. Adding functions, security, or automated controls into systems or components late in the initial development or after implementation to address missed requirements may incur substantial costs (e.g., personnel, time, and money), resulting in less effective systems or components. Furthermore, poor project management can lead to legal issues, such as violations of law and regulation and monetary penalties. IV.N ¶ 2 {strategic objective} Effective management aligns implementation of any methodology with the overall strategic and business objectives. Planning, education, and communication are important elements to help ensure that critical resources are available when needed for IT projects. Management should promote effective planning through IT project management and support training for developers, quality management members, testers, and maintenance personnel. Entity staff should be proficient and qualified in the selected methodologies. Common examples used in the financial industry include waterfall and agile; however, examiners may encounter others. IV.J ¶ 2] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1 The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Preventive | |
Review past audit reports. CC ID 01155 [Examiners should review the following: Project audit reports to determine whether the audit function provides independent, objective assurance of the effectiveness of an entity's development, acquisition, and maintenance activities. II Action Summary ¶ 2 Bullet 4 Examiners should review the following: Acquisition and procurement-related audits. VI Action Summary ¶ 2 Bullet 6] | Audits and risk management | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 [Review past reports for outstanding issues or previous problems. Consider the following: Regulatory reports of examination. App A Objective 1:1a] | Audits and risk management | Detective | |
Review the issues of non-compliance from past audit reports. CC ID 01148 [Review management's response to issues raised during, or since, the last examination. Consider the following: Existence of any outstanding issues. App A Objective 1:2c] | Audits and risk management | Detective | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Corrective | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Preventive | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1 The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1] | Operational management | Preventive | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Preventive | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Preventive | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Preventive | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Preventive | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Preventive | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Preventive | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Preventive | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Preventive | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Preventive | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Preventive | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Operational management | Preventive | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Preventive | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [Examiners should review the following: Security controls (e.g., secure coding requirements and baseline configuration use) used to harden systems and components. IV Action Summary ¶ 2 Bullet 2 Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle help control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1 Management should maintain testing policies, standards, procedures, as well as other process controls that are effectively used to mitigate risks in internally and externally developed systems and components. V.B Action Summary ¶ 1] | Operational management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
Include cloud services in the internal control framework. CC ID 17262 | Operational management | Preventive | |
Include cloud security controls in the internal control framework. CC ID 17264 | Operational management | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Operational management | Preventive | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Operational management | Preventive | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Operational management | Preventive | |
Include the scope in the cybersecurity framework. CC ID 17277 | Operational management | Preventive | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Preventive | |
Establish, implement, and maintain an information security program. CC ID 00812 [Chief information security officer (CISO): The CISO typically develops enterprise-wide cybersecurity and information security policies and standards, including procedures promoting secure development, acquisition, and maintenance practices, and provides input for the consideration and inclusion of security and resilience in IT projects. The CISO is responsible for validating that security and resilience are maintained throughout the life of a project, system, or component. II.B.1 ¶ 1 Bullet 4] | Operational management | Preventive | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Preventive | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Preventive | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Preventive | |
Include system development in the information security program. CC ID 12389 | Operational management | Preventive | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Preventive | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Preventive | |
Include access control in the information security program. CC ID 12386 | Operational management | Preventive | |
Include operations management in the information security program. CC ID 12385 | Operational management | Preventive | |
Include communication management in the information security program. CC ID 12384 | Operational management | Preventive | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Preventive | |
Include physical security in the information security program. CC ID 12382 | Operational management | Preventive | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Preventive | |
Include asset management in the information security program. CC ID 12380 | Operational management | Preventive | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Preventive | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Preventive | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Preventive | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Preventive | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Preventive | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Preventive | |
Include risk management in the information security program. CC ID 12378 | Operational management | Preventive | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Preventive | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Preventive | |
Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Preventive | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Preventive | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Preventive | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Preventive | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Preventive | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Preventive | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Preventive | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Preventive | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Preventive | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Preventive | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Preventive | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Preventive | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Preventive | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Preventive | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Preventive | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Preventive | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [Chief information officer (CIO): The CIO leads day-to-day IT system and component development, acquisition, and maintenance in accordance with the entity's policies and business strategy. Prudent practices include the CIO consulting with the entity's risk management function and legal counsel to ensure that development, acquisition, and maintenance decisions are consistent with sound risk management principles and applicable laws and regulations. Additionally, the CIO facilitates the integration of any new projects, systems, and components into the entity's operations to ensure that they align with strategic objectives and IT strategies. The CIO helps determine the feasibility of proposed projects or changes. II.B.1 ¶ 1 Bullet 3 Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle help control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1] | Operational management | Preventive | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Preventive | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Preventive | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Preventive | |
Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Preventive | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Preventive | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Operational management | Preventive | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Preventive | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Preventive | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Preventive | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 [Management is responsible for operations and maintenance phase task performance regardless of whether tasks are performed by entity or third-party personnel. For more information, refer to the FFIEC IT Handbook's "Outsourcing Technology Services," "Business Continuity Management," "Architecture, Infrastructure, and Operations," and "Information Security" booklets. IV.O.1(d) ¶ 5] | Operational management | Preventive | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Preventive | |
Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Preventive | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Preventive | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Preventive | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Preventive | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Preventive | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Preventive | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Preventive | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Preventive | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Preventive | |
Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Preventive | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Preventive | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Preventive | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Preventive | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Preventive | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Preventive | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Preventive | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Preventive | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Corrective | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Preventive | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Preventive | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Preventive | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Preventive | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Preventive | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Preventive | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Preventive | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Preventive | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Preventive | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Preventive | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Preventive | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Preventive | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Preventive | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Preventive | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Preventive | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Preventive | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Preventive | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Preventive | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Preventive | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Preventive | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Preventive | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Preventive | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Preventive | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Preventive | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Preventive | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Preventive | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Preventive | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Corrective | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Operational management | Preventive | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Preventive | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Preventive | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Preventive | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Preventive | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [SBOMs typically do not identify intellectual property, patents, algorithms, or code; if they do, management should implement appropriate security for this proprietary information. IV.Q.2 ¶ 4] | Operational management | Preventive | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Preventive | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Preventive | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Preventive | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Preventive | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Preventive | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Preventive | |
Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Preventive | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Preventive | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Preventive | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Preventive | |
Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Preventive | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Preventive | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Preventive | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Preventive | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Preventive | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Preventive | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Preventive | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Preventive | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Preventive | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Preventive | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Preventive | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Preventive | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Preventive | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Preventive | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Preventive | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Operational management | Preventive | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain project management standards. CC ID 00992 [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1 Examiners should review the following: Process of selecting and implementing methodologies to enable effective management and control of development, acquisition, or maintenance projects and alignment with entity objectives. IV Action Summary ¶ 2 Bullet 6 Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 Evaluating the application of project management policy, standards, and procedures. IV.N.2 ¶ 2 Bullet 4] | Systems design, build, and implementation | Preventive | |
Include objectives in the project management standard. CC ID 17202 [The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project program documentation standard. CC ID 00995 [{be comprehensive} Verifying that the project plan and associated project documents are appropriate, comprehensive, and approved. IV.N.2 ¶ 3 Bullet 4 Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2 An agile methodology may create unique challenges in documentation of development; therefore, the entity's documentation requirements should be clearly defined in the entity's project management requirements. Effective documentation relies on real-time communication between the development team and stakeholders, including end users. In any methodology, a lack of clarity or poor communication can negatively affect project deliverables and timelines (e.g., delays, scope creep, costs, and quality). This may have increased significance in an agile methodology because multiple parts of the overall project in process may be affected, leading to a greater impact than if only one segment of a project in process is affected. IV.J.2 ¶ 7 Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6 Development standards should articulate the entity's minimum development requirements. For example, development standards may address the selection of programming styles, languages, and tools; layout or format of scripted code; naming conventions; and program library requirements. Effective management communicates in policy its reasons for using specific programming styles and languages on a project or service in project documentation. This is done to identify decisions made by management so developers can understand the reasons certain programming styles and languages were used and whether they remain appropriate for current functionality and stakeholder needs. Examples are included in table 3. V.A ¶ 2] | Systems design, build, and implementation | Preventive | |
Include budgeting for projects in the project management standard. CC ID 13136 [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1 Generally, IT project plans consider the following: Task budgets. IV.N.3(d) ¶ 1 Bullet 7] | Systems design, build, and implementation | Preventive | |
Include time requirements in the project management standard. CC ID 17199 [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain project management procedures. CC ID 17200 [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3 A methodology is used to facilitate the development, acquisition, or maintenance of a system or component project. Management should establish appropriate methodologies to enable effective management and control of system and component development, acquisition, and maintenance activities. Management can apply various methodologies, or a hybrid, to different projects based on stakeholder needs and project objectives. Methodologies can be a combination of strategies, design philosophies, and accepted practices designed as a structured, organized set of rules that allow a project team to work together effectively. If the entity employs multiple methodologies, the chosen methodology should be defined for each IT project. IV.J ¶ 1] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain integrated project plans. CC ID 01056 [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1 During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1 Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project control program. CC ID 01612 [An effective audit function provides independent, objective validation of controls and statements of assurance on the effectiveness of an entity's development, acquisition, and maintenance activities. Although auditors should not have any direct involvement in management decisions, they should raise objections if they believe the control environment is inadequate. Auditors may plan for their advisory capacity in development, acquisition, and maintenance activities by developing an understanding of the proposed system or changes. Auditors may require specialized knowledge of IT to advise on or review these activities. They should validate schedule adherence and management. Auditors should determine the effectiveness of controls in the entity's development, acquisition, and maintenance activities and recommend appropriate mitigation. They may communicate with developers regarding appropriate control standards and frameworks throughout IT projects. II.B.9 ¶ 1 Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling helps management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project test plan. CC ID 01001 [Strong testing and other QC procedures can mitigate the risk that the entity's project goals and stakeholder requirements are not met during the execution phase. Testing helps find deficiencies or defects and helps ensure that the system or components operate as intended. Depending on the project type, testing may be scheduled throughout the project during any phase. For example, testing may not always occur during every sprint when using an agile development methodology. Users, designers, developers, and IT staff may be involved in testing. Throughout the testing process, management should maintain comprehensive and accurate documentation reflecting the testing methodology employed, tests performed, and test results. IV.N.1(c) ¶ 3] | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project team plan. CC ID 06533 [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2 In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1 Meeting regularly with the project team to track progress, address impediments or issues, and track task and milestone completion. IV.N.2 ¶ 4 Bullet 1 Generally, IT project plans consider the following: Roles and responsibilities. IV.N.3(d) ¶ 1 Bullet 2] | Systems design, build, and implementation | Preventive | |
Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain a project management training plan. CC ID 01002 | Systems design, build, and implementation | Preventive | |
Establish, implement, and maintain system testing procedures. CC ID 11744 [To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4 Testing is essential to the development process to promote confidentiality, integrity, availability, and resilience. Whether developed internally or by a third party, appropriate personnel should test systems and components to identify and correct defects before deployment, including security-related defects. V.B ¶ 1 Testing should be sufficient to confirm that systems and components meet the entity's architectural, functional, information security, and legal/regulatory requirements. To help mitigate the risk that an integration point contains an undiscovered defect, entities test the system or component being developed, including how well that system or component interoperates with other systems and components. This scope is commonly achieved through a combination of code-level, system-level, and code vulnerability testing. V.B ¶ 2 Due to supply chain risk in development, for both in-house and supply chain partners, it is important to consider using the following standards and controls when developing information systems and components: Design relevant validation mechanisms to be used during implementation and operation. V.A ¶ 5 Bullet 3] | Systems design, build, and implementation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Leadership and high level objectives | Preventive | |
Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Preventive | |
Review and approve the Strategic Information Technology Plan. CC ID 13094 | Leadership and high level objectives | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [Board members should have appropriate knowledge of risks to provide a credible challenge to management responsible for development, acquisition, and maintenance functions. II.B.1 ¶ 1 Bullet 1 Sub-Paragraph 1 {high risk} When evaluating whether to enter into a relationship with a third party, an entity's management typically determines whether a written contract is needed; and, if the proposed contract can meet the entity's business goals and risk management needs, then entity management typically negotiates appropriate contract provisions for development, acquisition, and maintenance activities. In certain circumstances, it may be advantageous to negotiate initial development, acquisition, and maintenance contracts with other organizations (e.g., banking associations or user groups). As part of its oversight responsibilities, the board should be aware of—and, as appropriate, may approve or delegate approval of—contracts involving higher-risk development, acquisition, and maintenance activities. Refer to the Interagency Guidance on Third-Party Relationships: Risk Management and FFIEC IT Handbook's "Outsourcing Technology Services" booklet for more information on contract negotiation concepts. IV.P.3 ¶ 1 {be effective} Development is the systematic application of knowledge toward the production of useful materials, devices, and systems. In this context, it involves the processes of defining, designing, developing, testing, and implementing systems or components. Development includes validation and demonstration of a chosen technology, use of test and production environments, improvement of developed prototypes, integration into systems and subsystems, and hardware builds. Understanding development concepts is important to all entities whether development is performed in-house or by a third party on the entity's behalf. Additionally, development can be a complex topic, which requires the entity's board, senior management, and business line management to understand risks and communicate effectively. For entities that develop or modify their own systems and software, effective management requires training in secure design and coding techniques of those responsible for development. If formal standards are not in place and development processes are not controlled, the following can occur, affecting confidentiality, integrity, availability, and resilience: V ¶ 1] | Human Resources management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Corrective | |
Implement a staff rotation plan. CC ID 12772 | Human Resources management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Preventive | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Preventive | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Preventive | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Preventive |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Leadership and high level objectives | Detective | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Detective |
Analyze organizational objectives, functions, and activities. CC ID 00598 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Leadership and high level objectives | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Detective | |
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Preventive | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 [Examiners should review the following: Project plans and proposals to determine how well they identify the project purpose, the requirements to address business needs, and the deliverables for each project phase. IV.N Action Summary ¶ 2 Bullet 3 During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1 Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling help management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1 Effective management understands the SDLC phases and the actions needed in each phase. The phases may be divided differently depending on the entity, the project type and characteristics, and the SDLC used. Management should identify the actions and assign responsibility and accountability for completing those actions. Key stakeholders of the system or component being developed or modified should monitor progress in each phase including the output of each phase. This involvement mitigates the risk that the system or component does not deliver the requested functionality. Management should maintain confidentiality, integrity, availability, and resilience throughout all phases of the SDLC. IV.O.1 ¶ 1] | Leadership and high level objectives | Detective | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Preventive |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Leadership and high level objectives | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Preventive | |
Identify all interested personnel and affected parties. CC ID 12845 [The project's initiation phase begins with identifying stakeholders who determine the project's purpose, scope, and final deliverables. The following would typically be completed during this phase: IV.N.1(a) ¶ 1 {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1] | Leadership and high level objectives | Detective | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Leadership and high level objectives | Preventive | |
Involve all stakeholders in the architecture review process. CC ID 16935 | Leadership and high level objectives | Preventive | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Preventive | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Operational management | Preventive | |
Conduct governance meetings, as necessary. CC ID 16946 | Operational management | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Preventive | |
Review and approve access controls, as necessary. CC ID 13074 [Examiners should review the following: Access, authentication, and authorization controls for systems, components, data, and related documentation throughout the supply chain to ensure appropriate security. IV Action Summary ¶ 2 Bullet 4] | Operational management | Detective | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Preventive | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Preventive | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Preventive | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Preventive | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Preventive | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Preventive | |
Coordinate outages with affected parties. CC ID 17160 | Operational management | Preventive | |
Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Preventive | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Preventive | |
Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Preventive | |
Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Preventive | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Preventive | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Detective | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Corrective |
Include information sharing procedures in standard operating procedures. CC ID 12974 [FOSS is typically acquired and used in an as-is manner. An entity may not be aware of the developer(s) in public domain FOSS. There may or may not be updates made available for the software, and changes made to the software may be made by other individuals besides the developer. Risks associated with FOSS include the potential for unidentified or unpatched vulnerabilities and development changes by unknown parties. An accurate inventory of FOSS should be maintained as part of an effective ITAM process, and management should understand and abide by the requirements of FOSS licenses. Additionally, some licenses require users to contribute software additions or enhancements, or they may prohibit the use for commercial purpose or profit. Management should be aware of what information is shared when contributing an enhancement to the FOSS development community. IV.C.1(a) ¶ 2] | Operational management | Preventive |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6 Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9] | Leadership and high level objectives | Preventive | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Preventive | |
Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 | Systems design, build, and implementation | Preventive | |
Formally approve the initiation of each project phase. CC ID 00997 [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2 Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3] | Systems design, build, and implementation | Detective | |
Identify accreditation tasks. CC ID 00999 | Systems design, build, and implementation | Detective | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Preventive |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 [{be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1] | Human Resources management | Preventive | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Preventive |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Leadership and high level objectives | Detective | |
Assign and staff all roles appropriately. CC ID 00784 | Human Resources management | Detective | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2 Examiners should review the following: Segregation of duties in development, acquisition, and maintenance activities. IV Action Summary ¶ 2 Bullet 5 Independence: Quality management personnel should be independent of the project they are reviewing to objectively assess elements, such as progress, problem resolution, documentation, and adequacy of the project. IV.K ¶ 3 Bullet 7 {be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1] | Human Resources management | Detective | |
Perform a risk assessment for each system development project. CC ID 01000 [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 Execute the implementation plan, including the following: Assessing risk for issues that may occur during implementation activities (e.g., rollout, conversion, or update). IV.O.1(c) ¶ 4 Bullet 1 Sub-Bullet 1 When engaged in development, management may consider using design and coding techniques, appropriate tools (e.g., computer-aided design), and prototypes. When development personnel use design and coding techniques, they should appropriately manage risks (e.g., eliminating inaccurate techniques or outdated tools and prototypes). Prototypes may help illustrate a system's or component's functionality to stakeholders and help management identify, evaluate, and highlight design risks not apparent during the impact analysis or before production. Then the design risks may be resolved more efficiently. There are alternatives to prototyping, such as defining and building a system or component with only enough features to accomplish the essential user objectives of the system. V ¶ 3 Automation and orchestration give the DevOps approach several benefits including shorter development cycles, increased deployment frequency, faster time to market, and more stable operating environments. In the past, entities may have had changes that took place on a weekly basis; however, in a DevOps environment, the same number and type of changes can be made daily or even hourly. However, automation of previously manual activities, combined with frequent and rapid release cycles, may result in perpetuation of errors or invalid code. Management should assess the risks involved in using a DevOps approach and implement appropriate controls. Potential risks include the following: V.C.1 ¶ 3] | Systems design, build, and implementation | Detective | |
Conduct a post implementation review when the system design project ends. CC ID 01003 [Auditors may participate in an advisory capacity in IT projects and may perform pre- and post-implementation reviews. Post-implementation reviews should occur shortly after implementing the new or revised system or components. These reviews help validate that the system or component operates as expected and provide financial statement users with relevant information in ways that justify the cost of providing it. II.B.9 ¶ 3 Organizations formally perform a post-implementation review (PIR) for system development and implementation projects to continuously improve. Processes and techniques that were effective are passed to future projects as effective practices. Problems and their solutions are also passed along to help future projects avoid pitfalls. In agile projects when there are multiple implementations, smaller reviews are completed after each task or deliverable is implemented. Typical PIR steps are IV.M ¶ 1 Overseeing a post-implementation review. IV.N.2 ¶ 5 Bullet 4 Conduct PIRs (e.g., survey users, review complaints, plan future functionality, and identify other improvements). Additionally, the reviews may identify lessons learned and process improvement information. IV.O.1(c) ¶ 4 Bullet 9 {affected party} Training is critical to the success of the implementation and assessment phase as are training plans and supporting materials for operating, using, and maintaining the system. Training is often the first exposure to the system for most users and should be provided before system or component deployment to the production environment. Training enables users to familiarize themselves with the new or updated system or component. A positive training experience typically improves user acceptance. During this phase, appropriate personnel should coordinate training logistics, including who should be trained, what the training involves, and when training should be conducted. Effective management organizes a training and awareness campaign and notifies users of any implementation and training responsibilities. This helps establish user expectations regarding system and component capabilities. Those responsible for supporting the system or component in the entity should have a combination of technical documentation, training, and hands-on assistance enabling support personnel to provide operational support to the users. Once the product is implemented, management should perform a PIR (see the "Post-Implementation Review" section of this booklet for more information). IV.O.1(c) ¶ 6] | Systems design, build, and implementation | Detective | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [Measurability: To accurately evaluate a project's success, management should assess results against defined expectations and requirements to determine project success. Quality management personnel should assess the quality of products and processes against measurable standards, metrics, and expectations. IV.K ¶ 3 Bullet 5 Management should establish development standards, including procedures for controlling changes during the development process that address the following: Quality management (also referred to as quality assurance and quality control [QA/QC]), including the development and implementation of a system or component so it meets predefined specifications and management's expectations. V.A ¶ 1 Bullet 2] | Systems design, build, and implementation | Detective | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 | Systems design, build, and implementation | Detective | |
Review and test source code. CC ID 01086 [Examiners should review the following: Quality assurance (QA) reports to evaluate processes for the detection of potential coding errors. II Action Summary ¶ 2 Bullet 6 Manual or automated code reviews help identify vulnerabilities. Manual code reviews are performed by entity personnel or a third party and may be less costly than an automated code review. However, limitations on reviewers' knowledge or experience may result in unidentified issues, such as syntax errors and code vulnerabilities due to human error. Additionally, manual reviews may not be effective for extensive volumes of testing. Automated code reviews, on the other hand, may be more sophisticated, can reduce human error, and generally provide more timely identification of weaknesses. These tools are scalable and can be continuously updated as technology and vulnerabilities evolve. Entities review software code that has been implemented to mitigate the risk that vulnerabilities may be introduced through routine updates and patches. If an automated code review process is implemented, management should ensure that the embedded rules of the code review tools are appropriately configured and used. Management selects code review types that are effective for the entity's project and available resources, and management validates that the code review process meets its needs. IV.D ¶ 4 To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4 The types of testing performed should be appropriate for the development activity's inherent risk. Effective management has a methodical process to define and conduct testing necessary to demonstrate the effectiveness of a developed system or component. Typically, testing is performed in stages, and knowledgeable testing specialists and relevant stakeholders should be involved in testing. Regardless of the process, various tests may be used individually or in combination at different points in the development and testing phases. During system or component development, developers perform code reviews, which typically occur as part of the testing process. Appropriate personnel can perform testing manually, with automated tools, or a combination of both. V.B ¶ 5] | Systems design, build, and implementation | Detective |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Communicate | |
Correct errors and deficiencies in a timely manner. CC ID 13501 [Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9] | Leadership and high level objectives | Business Processes | |
Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631 | Leadership and high level objectives | Business Processes | |
Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 | Leadership and high level objectives | Establish/Maintain Documentation | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Establish/Maintain Documentation | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Human Resources Management | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Actionable Reports or Measurements | |
Update operating procedures that contribute to user errors. CC ID 06935 | Operational management | Establish/Maintain Documentation | |
Include disciplinary actions in the Acceptable Use Policy. CC ID 00296 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Process or Activity | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Identify all interested personnel and affected parties. CC ID 12845 [The project's initiation phase begins with identifying stakeholders who determine the project's purpose, scope, and final deliverables. The following would typically be completed during this phase: IV.N.1(a) ¶ 1 {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1] | Leadership and high level objectives | Process or Activity | |
Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Establish/Maintain Documentation | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Leadership and high level objectives | Investigate | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Leadership and high level objectives | Technical Security | |
Enforce a continuous Quality Control system. CC ID 01005 [Validating that any changes are authorized, quality is maintained, scope creep is mitigated, and stakeholders are informed. IV.N.2 ¶ 4 Bullet 3] | Leadership and high level objectives | Business Processes | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Leadership and high level objectives | Testing | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Business Processes | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Business Processes | |
Establish and maintain a compliance oversight committee. CC ID 00765 | Leadership and high level objectives | Establish Roles | |
Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3 Examiners should review the following: Board and committee minutes to evaluate how the entity prioritizes projects relative to business goals and objectives, evaluates the project's effect on operations, and monitors and supports projects during execution. IV.N Action Summary ¶ 2 Bullet 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634 [Examiners should review the following: Project plans and proposals to determine how well they identify the project purpose, the requirements to address business needs, and the deliverables for each project phase. IV.N Action Summary ¶ 2 Bullet 3 During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1 Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling helps management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1 Effective management understands the SDLC phases and the actions needed in each phase. The phases may be divided differently depending on the entity, the project type and characteristics, and the SDLC used. Management should identify the actions and assign responsibility and accountability for completing those actions. Key stakeholders of the system or component being developed or modified should monitor progress in each phase including the output of each phase. This involvement mitigates the risk that the system or component does not deliver the requested functionality. Management should maintain confidentiality, integrity, availability, and resilience throughout all phases of the SDLC. IV.O.1 ¶ 1] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Audits and Risk Management | |
Review past audit reports. CC ID 01155 [Examiners should review the following: Project audit reports to determine whether the audit function provides independent, objective assurance of the effectiveness of an entity's development, acquisition, and maintenance activities. II Action Summary ¶ 2 Bullet 4 Examiners should review the following: Acquisition and procurement-related audits. VI Action Summary ¶ 2 Bullet 6] | Audits and risk management | Establish/Maintain Documentation | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 [Review past reports for outstanding issues or previous problems. Consider the following: Regulatory reports of examination. App A Objective 1:1a] | Audits and risk management | Establish/Maintain Documentation | |
Review the issues of non-compliance from past audit reports. CC ID 01148 [Review management's response to issues raised during, or since, the last examination. Consider the following: Existence of any outstanding issues. App A Objective 1:2c] | Audits and risk management | Establish/Maintain Documentation | |
Review management's response to issues raised in past audit reports. CC ID 01149 [Review management's response to issues raised during, or since, the last examination. Consider the following: Resolution of root causes rather than just specific issues. App A Objective 1:2b {corrective action} Review management's response to issues raised during, or since, the last examination. Consider the following: Whether management has taken positive action toward correcting exceptions reported in audit and examination reports. App A Objective 1:2d] | Audits and risk management | Audits and Risk Management | |
Document and communicate role descriptions to all applicable personnel. CC ID 00776 | Human Resources management | Establish Roles | |
Assign and staff all roles appropriately. CC ID 00784 | Human Resources management | Testing | |
Implement segregation of duties in roles and responsibilities. CC ID 00774 [IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2 Examiners should review the following: Segregation of duties in development, acquisition, and maintenance activities. IV Action Summary ¶ 2 Bullet 5 Independence: Quality management personnel should be independent of the project they are reviewing to objectively assess elements, such as progress, problem resolution, documentation, and adequacy of the project. IV.K ¶ 3 Bullet 7 {be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1] | Human Resources management | Testing | |
Evaluate the staffing requirements regularly. CC ID 00775 | Human Resources management | Business Processes | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Business Processes | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
Review and approve access controls, as necessary. CC ID 13074 [Examiners should review the following: Access, authentication, and authorization controls for systems, components, data, and related documentation throughout the supply chain to ensure appropriate security. IV Action Summary ¶ 2 Bullet 4] | Operational management | Process or Activity | |
Perform social network analysis, as necessary. CC ID 14864 | Operational management | Investigate | |
Confirm operating instructions were received by the interested personnel and affected parties. CC ID 17110 | Operational management | Communicate | |
Confirm the requirements for the transmission of electricity with the affected parties. CC ID 17113 | Operational management | Behavior | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Process or Activity | |
Formally approve the initiation of each project phase. CC ID 00997 [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2 Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3] | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Perform a risk assessment for each system development project. CC ID 01000 [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 Execute the implementation plan, including the following: Assessing risk for issues that may occur during implementation activities (e.g., rollout, conversion, or update). IV.O.1(c) ¶ 4 Bullet 1 Sub-Bullet 1 When engaged in development, management may consider using design and coding techniques, appropriate tools (e.g., computer-aided design), and prototypes. When development personnel use design and coding techniques, they should appropriately manage risks (e.g., eliminating inaccurate techniques or outdated tools and prototypes). Prototypes may help illustrate a system's or component's functionality to stakeholders and help management identify, evaluate, and highlight design risks not apparent during the impact analysis or before production. Then the design risks may be resolved more efficiently. There are alternatives to prototyping, such as defining and building a system or component with only enough features to accomplish the essential user objectives of the system. V ¶ 3 Automation and orchestration give the DevOps approach several benefits including shorter development cycles, increased deployment frequency, faster time to market, and more stable operating environments. In the past, entities may have had changes that took place on a weekly basis; however, in a DevOps environment, the same number and type of changes can be made daily or even hourly. However, automation of previously manual activities, combined with frequent and rapid release cycles, may result in perpetuation of errors or invalid code. Management should assess the risks involved in using a DevOps approach and implement appropriate controls. Potential risks include the following: V.C.1 ¶ 3] | Systems design, build, and implementation | Testing | |
Identify accreditation tasks. CC ID 00999 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Conduct a post implementation review when the system design project ends. CC ID 01003 [Auditors may participate in an advisory capacity in IT projects and may perform pre- and post-implementation reviews. Post-implementation reviews should occur shortly after implementing the new or revised system or components. These reviews help validate that the system or component operates as expected and provide financial statement users with relevant information in ways that justify the cost of providing it. II.B.9 ¶ 3 Organizations formally perform a post-implementation review (PIR) for system development and implementation projects to continuously improve. Processes and techniques that were effective are passed to future projects as effective practices. Problems and their solutions are also passed along to help future projects avoid pitfalls. In agile projects when there are multiple implementations, smaller reviews are completed after each task or deliverable is implemented. Typical PIR steps are IV.M ¶ 1 Overseeing a post-implementation review. IV.N.2 ¶ 5 Bullet 4 Conduct PIRs (e.g., survey users, review complaints, plan future functionality, and identify other improvements). Additionally, the reviews may identify lessons learned and process improvement information. IV.O.1(c) ¶ 4 Bullet 9 {affected party} Training is critical to the success of the implementation and assessment phase as are training plans and supporting materials for operating, using, and maintaining the system. Training is often the first exposure to the system for most users and should be provided before system or component deployment to the production environment. Training enables users to familiarize themselves with the new or updated system or component. A positive training experience typically improves user acceptance. During this phase, appropriate personnel should coordinate training logistics, including who should be trained, what the training involves, and when training should be conducted. Effective management organizes a training and awareness campaign and notifies users of any implementation and training responsibilities. This helps establish user expectations regarding system and component capabilities. Those responsible for supporting the system or component in the entity should have a combination of technical documentation, training, and hands-on assistance enabling support personnel to provide operational support to the users. Once the product is implemented, management should perform a PIR (see the "Post-Implementation Review" section of this booklet for more information). IV.O.1(c) ¶ 6] | Systems design, build, and implementation | Testing | |
Perform Quality Management on all newly developed or modified systems. CC ID 01100 [Measurability: To accurately evaluate a project's success, management should assess results against defined expectations and requirements to determine project success. Quality management personnel should assess the quality of products and processes against measurable standards, metrics, and expectations. IV.K ¶ 3 Bullet 5 Management should establish development standards, including procedures for controlling changes during the development process that address the following: Quality management (also referred to as quality assurance and quality control [QA/QC]), including the development and implementation of a system or component so it meets predefined specifications and management's expectations. V.A ¶ 1 Bullet 2] | Systems design, build, and implementation | Testing | |
Review and test custom code to identify potential coding vulnerabilities. CC ID 01316 | Systems design, build, and implementation | Testing | |
Review and test source code. CC ID 01086 [Examiners should review the following: Quality assurance (QA) reports to evaluate processes for the detection of potential coding errors. II Action Summary ¶ 2 Bullet 6 Manual or automated code reviews help identify vulnerabilities. Manual code reviews are performed by entity personnel or a third party and may be less costly than an automated code review. However, limitations on reviewers' knowledge or experience may result in unidentified issues, such as syntax errors and code vulnerabilities due to human error. Additionally, manual reviews may not be effective for extensive volumes of testing. Automated code reviews, on the other hand, may be more sophisticated, can reduce human error, and generally provide more timely identification of weaknesses. These tools are scalable and can be continuously updated as technology and vulnerabilities evolve. Entities review software code that has been implemented to mitigate the risk that vulnerabilities may be introduced through routine updates and patches. If an automated code review process is implemented, management should ensure that the embedded rules of the code review tools are appropriately configured and used. Management selects code review types that are effective for the entity's project and available resources, and management validates that the code review process meets its needs. IV.D ¶ 4 Manual or automated code reviews help identify vulnerabilities. Manual code reviews are performed by entity personnel or a third party and may be less costly than an automated code review. However, limitations on reviewers' knowledge or experience may result in unidentified issues, such as syntax errors and code vulnerabilities due to human error. Additionally, manual reviews may not be effective for extensive volumes of testing. Automated code reviews, on the other hand, may be more sophisticated, can reduce human error, and generally provide more timely identification of weaknesses. These tools are scalable and can be continuously updated as technology and vulnerabilities evolve. Entities review software code that has been implemented to mitigate the risk that vulnerabilities may be introduced through routine updates and patches. If an automated code review process is implemented, management should ensure that the embedded rules of the code review tools are appropriately configured and used. Management selects code review types that are effective for the entity's project and available resources, and management validates that the code review process meets its needs. IV.D ¶ 4 To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4 The types of testing performed should be appropriate for the development activity's inherent risk. Effective management has a methodical process to define and conduct testing necessary to demonstrate the effectiveness of a developed system or component. Typically, testing is performed in stages, and knowledgeable testing specialists and relevant stakeholders should be involved in testing. Regardless of the process, various tests may be used individually or in combination at different points in the development and testing phases. During system or component development, developers perform code reviews, which typically occur as part of the testing process. Appropriate personnel can perform testing manually, with automated tools, or a combination of both. V.B ¶ 5] | Systems design, build, and implementation | Testing | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Systems design, build, and implementation CC ID 00989 | Systems design, build, and implementation | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Analyze organizational objectives, functions, and activities. CC ID 00598 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Leadership and high level objectives | Establish/Maintain Documentation | |
Analyze the business environment in which the organization operates. CC ID 12798 [Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2] | Leadership and high level objectives | Business Processes | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Process or Activity | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Process or Activity | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Process or Activity | |
Include resources in the analysis of the internal business environment. CC ID 12942 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Process or Activity | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Process or Activity | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Process or Activity | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Process or Activity | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Process or Activity | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Process or Activity | |
Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Business Processes | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Communicate | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the external environment in which the organization operates. CC ID 12799 | Leadership and high level objectives | Business Processes | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Process or Activity | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 | Leadership and high level objectives | Business Processes | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Business Processes | |
Include society in the analysis of the external environment. CC ID 12963 | Leadership and high level objectives | Business Processes | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Business Processes | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Business Processes | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Business Processes | |
Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Business Processes | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Business Processes | |
Include legal requirements in the analysis of the external environment. CC ID 12896 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Business Processes | |
Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Business Processes | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Leadership and high level objectives | Business Processes | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Establish/Maintain Documentation | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Process or Activity | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Process or Activity | |
Identify conditions that may affect organizational objectives. CC ID 12958 | Leadership and high level objectives | Process or Activity | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Leadership and high level objectives | Business Processes | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Leadership and high level objectives | Business Processes | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Business Processes | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Communicate | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Communicate | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Leadership and high level objectives | Communicate | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Business Processes | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Process or Activity | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Process or Activity | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Leadership and high level objectives | Process or Activity | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2 Validating stakeholder support and engagement. IV.N.2 ¶ 3 Bullet 3] | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 [Examiners should review the following: Inventory of all systems and components (e.g., open-source, proprietary, application programming interfaces [API], and container images and registries), including related licenses, and data as part of IT asset management (ITAM). IV Action Summary ¶ 2 Bullet 3 A distributed service registry should be deployed for large microservices applications, and data consistency should be maintained among multiple service registry instances. IV.G ¶ 6 Bullet 7] | Leadership and high level objectives | Establish/Maintain Documentation | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the data source in the data governance and management practices. CC ID 17211 | Leadership and high level objectives | Data and Information Management | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Data and Information Management | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Data and Information Management | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Data and Information Management | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Data and Information Management | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Data and Information Management | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Data and Information Management | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Data and Information Management | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Data and Information Management | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Data and Information Management | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Communicate | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Leadership and high level objectives | Establish/Maintain Documentation | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include format requirements for data elements in the data dictionary. CC ID 17108 | Leadership and high level objectives | Data and Information Management | |
Include notification requirements for data elements in the data dictionary. CC ID 17107 | Leadership and high level objectives | Data and Information Management | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the data source in the data dictionary. CC ID 13519 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the nature of each element in the data dictionary. CC ID 13518 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain data reconciliation procedures. CC ID 17118 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Involve all stakeholders in the architecture review process. CC ID 16935 | Leadership and high level objectives | Process or Activity | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Leadership and high level objectives | Behavior | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Establish/Maintain Documentation | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Communicate | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 [Scalability: Projects vary in size and complexity. Quality management standards should match project characteristics and risks and may differ by project size and type. Quality reviews may consider whether the entity's systems and components can scale, as necessary. IV.K ¶ 3 Bullet 4] | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 [Examiners should review the following: Evaluation process (e.g., post-implementation review, stakeholder interview, problem documentation and resolution, cost-benefit analysis, and reports to senior management) for development, acquisition, and maintenance projects. IV Action Summary ¶ 2 Bullet 13 Quality management is a critical part of well-managed development, acquisition, and maintenance activities. Comprehensive quality management, risk management, and testing standards provide a means to manage project risks and promote expected functionality, security, and interoperability in systems and components in a secure, resilient manner. Quality management policies, standards, and procedures should be applied to internally and externally developed programs and should address the following: IV.K ¶ 3 Generally, IT project plans consider the following: Quality management tasks (e.g., testing both developed systems and patches for procured systems). IV.N.3(d) ¶ 1 Bullet 5] | Leadership and high level objectives | Establish/Maintain Documentation | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Communicate | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Communicate | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an issue tracking system in the Quality Management program. CC ID 06824 [Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6 Regardless of the testing methods used, management should implement practices to document, report, and address identified issues, including security-related issues, in a timely manner. Tracking corrections and modifications resulting from testing facilitates the completeness of the overall program documentation. During the implementation and assessment phase, effective management reviews and finalizes all supporting documentation, such as user, operator, and maintenance manuals as well as any conversion, implementation, and training plans associated with a new release or significant update. V.B ¶ 9] | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1] | Leadership and high level objectives | Business Processes | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Establish Roles | |
Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1 Additionally, the board generally approves Policies and standards. II.B.1 ¶ 1 Bullet 1 Sub-Bullet 2] | Leadership and high level objectives | Establish Roles | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a security planning policy. CC ID 14027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain security planning procedures. CC ID 14060 [Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entitywide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628 [Examiners should review the following: Enterprise-wide IT policies, procedures, and standards describing the entity's requirements throughout the development, acquisition, and maintenance life cycle. II Action Summary ¶ 2 Bullet 1 Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Leadership and high level objectives | Establish/Maintain Documentation | |
Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Leadership and high level objectives | Human Resources Management | |
Include the transparency goals in the Information Governance Plan. CC ID 10056 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align business continuity objectives with the business continuity policy. CC ID 12408 | Leadership and high level objectives | Establish/Maintain Documentation | |
Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 | Leadership and high level objectives | Business Processes | |
Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain Information Technology project plans. CC ID 16944 [Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3 Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2 Planning, particularly in the project's early stages, should help the project team and management coordinate development activities and manage risks effectively. Planning helps the project team and management add or clarify the project's specific activities, resources, costs, and benefits. A critical part of planning is to coordinate stakeholder discussions to identify and document as many of the entity's functional, security, and network requirements as possible. IV.O.1(a) ¶ 3] | Leadership and high level objectives | Establish/Maintain Documentation | |
Submit closure reports at the conclusion of each information technology project. CC ID 16948 [If a project is discontinued before implementation, determining and documenting the reasons for the abnormal project closure for use by future project teams. IV.N.2 ¶ 5 Bullet 2] | Leadership and high level objectives | Actionable Reports or Measurements | |
Review and approve the closure report. CC ID 16947 | Leadership and high level objectives | Actionable Reports or Measurements | |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2 Board: The board, or board-designated committee, typically confirms that IT-related development, acquisition, and maintenance activities align with entity strategic objectives and the board's risk appetite. The audit committee of the board is involved with reviewing and validating the entity's audit-related activities, including development, acquisition, and maintenance. Additionally, the board generally approves II.B.1 ¶ 1 Bullet 1 The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846 [The following would typically be completed during this phase: A project request that provides the business case including a description of the work, the benefits, alternatives considered, the impact of not doing the work, initial estimates of resources and schedule, and strategic match. IV.N.1(a) ¶ 1 Bullet 1 A business case conveys business related information to help management determine whether to fund a project. The goal is to justify the project resources (e.g., budget and staffing) to address a business need. Typically, the project's sponsor helps to develop and owns the resulting business case. Business cases often include the following: IV.N.3(b) ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Business Processes | |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1 {define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1 The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 [Validating that appropriate success criteria are identified and the project is feasible. IV.N.2 ¶ 2 Bullet 5] | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Human Resources Management | |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621 [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3 Coordinating the project phases, including tasks and activities, sufficiency of resources, and process steps and timing for each phase. IV.N.2 ¶ 2 Bullet 2 Generally, IT project plans consider the following: Schedule, including completion of key tasks and achieving milestones. IV.N.3(d) ¶ 1 Bullet 4 {project closeout} During the project's closeout phase, the project team delivers the agreed-upon scope items as outlined in the project plan. For example, in a systems development or acquisition project, project closeout is when the project team transitions the systems to the operations staff (i.e., moves application from a staging to a production environment). Often during the project closeout, project teams analyze the project (i.e., post-implementation review) to identify effective project practices and discuss issues encountered and how they were resolved. This information is used to inform and improve project management practices. Project teams review project documentation in the closeout phase to ensure that it is complete, supports maintenance, and can be used by future teams to identify effective practices. IV.N.1(d) ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a search plan in the counterterror protective security plan. CC ID 06865 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673 [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1 An IT project should be managed in relation to the entity's size and complexity and consistent with the project's criticality and risks. An ineffectively managed IT project may result in late deliveries, cost overruns, or systems or components that do not meet entity, user, customer, or regulatory requirements. Systems or components that do not meet entity minimum standards or customer requirements can result in underused, insecure, or unreliable products or services. Adding functions, security, or automated controls into systems or components late in the initial development or after implementation to address missed requirements may incur substantial costs (e.g., personnel, time, and money), resulting in less effective systems or components. Furthermore, poor project management can lead to legal issues, such as violations of law and regulation and monetary penalties. IV.N ¶ 2 {strategic objective} Effective management aligns implementation of any methodology with the overall strategic and business objectives. Planning, education, and communication are important elements to help ensure that critical resources are available when needed for IT projects. Management should promote effective planning through IT project management and support training for developers, quality management members, testers, and maintenance personnel. Entity staff should be proficient and qualified in the selected methodologies. Common examples used in the financial industry include waterfall and agile; however, examiners may encounter others. IV.J ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1 The initiation phase begins when entity personnel identify an opportunity to build, buy, or modify a system or component and formally seek approval with an IT project request. The project team should describe the IT project's purpose, identify expected benefits, and explain how the proposed system or component supports the entity's objectives. The project team should summarize the confidentiality, integrity, availability, resilience, and legal and regulatory requirements. They should identify alternative solutions and justify their recommended solution. Through IT project request development, stakeholders should gain a common understanding of the project's objectives, security considerations, and risk management planning to mitigate the risk of project failure. IV.O.1(a) ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 [During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1] | Leadership and high level objectives | Actionable Reports or Measurements | |
Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Leadership and high level objectives | Actionable Reports or Measurements | |
Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Leadership and high level objectives | Actionable Reports or Measurements | |
Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Leadership and high level objectives | Actionable Reports or Measurements | |
Review and approve the Strategic Information Technology Plan. CC ID 13094 | Leadership and high level objectives | Human Resources Management | |
Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1 The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1] | Human Resources management | Establish Roles | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Human Resources Management | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Establish/Maintain Documentation | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Human Resources Management | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 [Board members should have appropriate knowledge of risks to provide a credible challenge to management responsible for development, acquisition, and maintenance functions. II.B.1 ¶ 1 Bullet 1 Sub-Paragraph 1 {high risk} When evaluating whether to enter into a relationship with a third party, an entity's management typically determines whether a written contract is needed; and, if the proposed contract can meet the entity's business goals and risk management needs, then entity management typically negotiates appropriate contract provisions for development, acquisition, and maintenance activities. In certain circumstances, it may be advantageous to negotiate initial development, acquisition, and maintenance contracts with other organizations (e.g., banking associations or user groups). As part of its oversight responsibilities, the board should be aware of—and, as appropriate, may approve or delegate approval of—contracts involving higher-risk development, acquisition, and maintenance activities. Refer to the Interagency Guidance on Third-Party Relationships: Risk Management and FFIEC IT Handbook's "Outsourcing Technology Services" booklet for more information on contract negotiation concepts. IV.P.3 ¶ 1 {be effective} Development is the systematic application of knowledge toward the production of useful materials, devices, and systems. In this context, it involves the processes of defining, designing, developing, testing, and implementing systems or components. Development includes validation and demonstration of a chosen technology, use of test and production environments, improvement of developed prototypes, integration into systems and subsystems, and hardware builds. Understanding development concepts is important to all entities whether development is performed in-house or by a third party on the entity's behalf. Additionally, development can be a complex topic, which requires the entity's board, senior management, and business line management to understand risks and communicate effectively. For entities that develop or modify their own systems and software, effective management requires training in secure design and coding techniques of those responsible for development. If formal standards are not in place and development processes are not controlled, the following can occur, affecting confidentiality, integrity, availability, and resilience: V ¶ 1] | Human Resources management | Human Resources Management | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 [Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1 IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2] | Human Resources management | Establish Roles | |
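The II.A ¶ 1 citation above gives a concrete case of a policy deviation that management must approve: a policy that prohibits open-source software, with developers using it only under an approved exception. The following is an added example, not code from the FFIEC booklet or the UCF mapping, showing how an entity could enforce that rule mechanically in a build pipeline: every pinned dependency in a manifest must match an exception on file that names an approver, a ticket, and an expiry date. The manifest, the package names, the approver names and the ticket IDs are all constructed for illustration.

```python
"""Check a pinned dependency manifest against management-approved open-source exceptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Constructed sample manifest in pip "name==version" style (hypothetical packages).
SAMPLE_MANIFEST = """\
# application dependencies
requests==2.31.0
pyyaml==6.0.1
left-pad-py==0.1.0
cryptography==42.0.5
"""

# Review date used by the sample run (the booklet's publication date, chosen arbitrarily).
SAMPLE_TODAY = date(2024, 8, 29)


@dataclass(frozen=True)
class ApprovedException:
    package: str
    version: Optional[str]  # None means any version of the package is approved
    approver: str
    expires: date
    ticket: str


# Constructed exception register (hypothetical approvers and ticket identifiers).
SAMPLE_EXCEPTIONS = [
    ApprovedException("requests", None, "cio", date(2025, 12, 31), "EXC-0001"),
    ApprovedException("pyyaml", "6.0.1", "cio", date(2024, 1, 31), "EXC-0002"),      # expired
    ApprovedException("cryptography", "41.0.0", "ciso", date(2025, 6, 30), "EXC-0003"),  # other version
]


def parse_manifest(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs; reject unpinned lines so every dependency is reviewable."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency not allowed: {line}")
        name, version = line.split("==", 1)
        deps.append((name.strip().lower(), version.strip()))
    return deps


def find_violations(manifest: str, exceptions, today: date) -> List[str]:
    """List dependencies that lack a valid, unexpired, version-matching exception."""
    index: Dict[str, List[ApprovedException]] = {}
    for exc in exceptions:
        index.setdefault(exc.package.lower(), []).append(exc)

    violations = []
    for name, version in parse_manifest(manifest):
        reasons = []
        for exc in index.get(name, []):
            if exc.version is not None and exc.version != version:
                reasons.append(f"{exc.ticket} covers {exc.version}, not {version}")
            elif exc.expires < today:
                reasons.append(f"{exc.ticket} expired {exc.expires.isoformat()}")
            else:
                break  # a valid exception exists; nothing to report
        else:
            if not reasons:
                reasons.append("no exception on file")
            violations.append(f"{name}=={version}: " + "; ".join(reasons))
    return violations


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_MANIFEST, SAMPLE_EXCEPTIONS, SAMPLE_TODAY):
        print("VIOLATION", finding)
```

Run as a pipeline gate, a non-empty result fails the build; the exception register itself is the evidence an examiner would ask for under II.A ¶ 1, so keep it version-controlled and reviewed on the same cadence as the policy.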
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 [Examiners should review the following: Charters (e.g., board, management, or committee), organizational charts, relevant documentation, and practices to determine whether appropriate roles and responsibilities are identified and assigned with suitable decision-making authority. II Action Summary ¶ 2 Bullet 2] | Human Resources management | Establish Roles | |
Delegate authority for specific processes, as necessary. CC ID 06780 | Human Resources management | Behavior | |
Implement a staff rotation plan. CC ID 12772 | Human Resources management | Human Resources Management | |
Rotate duties amongst the critical roles and positions. CC ID 06554 | Human Resources management | Establish Roles | |
Place Information Technology operations in a position to support the business model. CC ID 00766 | Human Resources management | Business Processes | |
Review organizational personnel successes. CC ID 00767 | Human Resources management | Business Processes | |
Implement personnel supervisory practices. CC ID 00773 | Human Resources management | Behavior | |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 [{be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1] | Human Resources management | Technical Security | |
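Two segregation-of-duties rules appear in the citations above: maintenance roles independent from development so developers cannot reach production (II.B.5 ¶ 2, under CC ID 00809), and developers not testing or validating what they built, with compensating controls where full separation is impractical (IV.K ¶ 1). The following is an added example, not code from the FFIEC booklet or the UCF mapping, of an access-review check that evaluates both rules over a constructed access matrix and change log. The users, roles, change IDs and the names of the compensating controls are assumptions for illustration; the rule that a compensating control must be performed by someone other than the author is the only policy decision it encodes.

```python
"""Detect segregation-of-duties conflicts and check for documented compensating controls."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Grant:
    user: str
    role: str     # e.g. "developer", "operations", "qa"
    env: str      # "dev", "test" or "prod"
    access: str   # "read", "write" or "deploy"

@dataclass
class Change:
    change_id: str
    author: str
    tester: str
    approver: str
    # "kind:person" records, e.g. "independent-review:bob"
    compensating_controls: Set[str] = field(default_factory=set)

# Constructed sample access matrix (hypothetical users).
GRANTS = [
    Grant("alice", "developer", "dev", "write"),
    Grant("alice", "developer", "prod", "deploy"),   # developer who can change production
    Grant("bob", "operations", "prod", "deploy"),
    Grant("carol", "qa", "test", "write"),
    Grant("dave", "developer", "prod", "read"),      # read-only production view, tolerated here
]

# Constructed change records (hypothetical IDs).
CHANGES = [
    Change("CHG-101", author="alice", tester="carol", approver="bob"),
    Change("CHG-102", author="alice", tester="alice", approver="bob"),   # self-tested, nothing on file
    Change("CHG-103", author="dave", tester="dave", approver="bob",
           compensating_controls={"independent-review:bob", "manager-approval:erin"}),
    Change("CHG-104", author="dave", tester="dave", approver="bob",
           compensating_controls={"independent-review:dave", "manager-approval:erin"}),  # self-review
]

PROD_CHANGE_ACCESS = {"write", "deploy"}
REQUIRED_COMPENSATION = {"independent-review", "manager-approval"}


def developer_prod_conflicts(grants: List[Grant]) -> List[str]:
    """Users holding a developer role anywhere who can also write to or deploy into prod."""
    developers = {g.user for g in grants if g.role == "developer"}
    return sorted({g.user for g in grants
                   if g.user in developers and g.env == "prod" and g.access in PROD_CHANGE_ACCESS})


def change_conflicts(changes: List[Change]) -> List[Tuple[str, str, List[str]]]:
    """Changes where the author also tested or approved, and whether that is compensated."""
    findings = []
    for c in changes:
        if c.author not in (c.tester, c.approver):
            continue
        # A compensating control only counts if someone other than the author performed it.
        kinds = set()
        for ctl in c.compensating_controls:
            kind, _, who = ctl.partition(":")
            if who and who != c.author:
                kinds.add(kind)
        missing = sorted(REQUIRED_COMPENSATION - kinds)
        findings.append((c.change_id, "uncompensated" if missing else "compensated", missing))
    return findings


if __name__ == "__main__":
    print("developers with prod change access:", developer_prod_conflicts(GRANTS))
    for change_id, status, missing in change_conflicts(CHANGES):
        print(change_id, status, missing)
```

Feed it the real grant export and change records and the "uncompensated" findings are the exceptions management must either remediate or approve under CC ID 06960; the "compensated" ones are the documented evidence that the compensating control was actually performed by an independent party.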
Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in-scope staff. CC ID 00779 | Human Resources management | Behavior | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 [Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1 The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1] | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Behavior | |
Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Establish/Maintain Documentation | |
Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Process or Activity | |
Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Operational management | Process or Activity | |
Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Audits and Risk Management | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Human Resources Management | |
Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Human Resources Management | |
Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation | |
Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Establish/Maintain Documentation | |
Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate | |
Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Establish/Maintain Documentation | |
Conduct governance meetings, as necessary. CC ID 16946 | Operational management | Process or Activity | |
Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Communicate | |
Include governance threshold requirements in the governance policy. CC ID 16933 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Business Processes | |
Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [Examiners should review the following: Security controls (e.g., secure coding requirements and baseline configuration use) used to harden systems and components. IV Action Summary ¶ 2 Bullet 2 Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle help control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1 Management should maintain testing policies, standards, procedures, as well as other process controls that are effectively used to mitigate risks in internally and externally developed systems and components. V.B Action Summary ¶ 1] | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
Assign resources to implement the internal control framework. CC ID 00816 [Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2] | Operational management | Business Processes | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Establish Roles | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
Include cloud services in the internal control framework. CC ID 17262 | Operational management | Establish/Maintain Documentation | |
Include cloud security controls in the internal control framework. CC ID 17264 | Operational management | Establish/Maintain Documentation | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Process or Activity | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Operational management | Establish/Maintain Documentation | |
Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Operational management | Establish/Maintain Documentation | |
Include protection measures in the cybersecurity framework. CC ID 17278 | Operational management | Establish/Maintain Documentation | |
Include the scope in the cybersecurity framework. CC ID 17277 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Communicate | |
Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an information security program. CC ID 00812 [Chief information security officer (CISO): The CISO typically develops enterprise-wide cybersecurity and information security policies and standards, including procedures promoting secure development, acquisition, and maintenance practices, and provides input for the consideration and inclusion of security and resilience in IT projects. The CISO is responsible for validating that security and resilience are maintained throughout the life of a project, system, or component. II.B.1 ¶ 1 Bullet 4] | Operational management | Establish/Maintain Documentation | |
Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation | |
Include technical safeguards in the information security program. CC ID 12374 | Operational management | Establish/Maintain Documentation | |
Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation | |
Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation | |
Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation | |
Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation | |
Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation | |
Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation | |
Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation | |
Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation | |
Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation | |
Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation | |
Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation | |
Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation | |
Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation | |
Include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation | |
Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Communicate | |
Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Communicate | |
Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation | |
Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation | |
Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation | |
Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity | |
Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Establish/Maintain Documentation | |
Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes | |
Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Establish/Maintain Documentation | |
Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation | |
Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation | |
Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation | |
Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation | |
Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation | |
Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation | |
Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation | |
Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation | |
Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity | |
Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes | |
Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate | |
Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation | |
Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity | |
Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles | |
Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Human Resources Management | |
Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation | |
Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management | |
Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Communicate | |
Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation | |
Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes | |
Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes | |
Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior | |
Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Communicate | |
Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Communicate | |
Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation | |
Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation | |
Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain operational control procedures. CC ID 00831 [Chief information officer (CIO): The CIO leads day-to-day IT system and component development, acquisition, and maintenance in accordance with the entity's policies and business strategy. Prudent practices include the CIO consulting with the entity's risk management function and legal counsel to ensure that development, acquisition, and maintenance decisions are consistent with sound risk management principles and applicable laws and regulations. Additionally, the CIO facilitates the integration of any new projects, systems, and components into the entity's operations to ensure that they align with strategic objectives and IT strategies. The CIO helps determine the feasibility of proposed projects or changes. II.B.1 ¶ 1 Bullet 3 Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle help control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1] | Operational management | Establish/Maintain Documentation | |
Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Establish/Maintain Documentation | |
Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Establish/Maintain Documentation | |
Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Communicate | |
Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Communicate | |
Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Establish/Maintain Documentation | |
Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Establish/Maintain Documentation | |
Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Process or Activity | |
Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Process or Activity | |
Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Establish/Maintain Documentation | |
Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Communicate | |
Include continuous monitoring in the operational control procedures. CC ID 17137 | Operational management | Establish/Maintain Documentation | |
Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Communicate | |
Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Establish/Maintain Documentation | |
Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Business Processes | |
Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation | |
Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Process or Activity | |
Coordinate outages with affected parties. CC ID 17160 | Operational management | Process or Activity | |
Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Process or Activity | |
Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Process or Activity | |
Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Process or Activity | |
Include roles and responsibilities in the operational control procedures. CC ID 17159 [Management is responsible for operations and maintenance phase task performance regardless of whether tasks are performed by entity or third-party personnel. For more information, refer to the FFIEC IT Handbook's "Outsourcing Technology Services," "Business Continuity Management," "Architecture, Infrastructure, and Operations," and "Information Security" booklets. IV.O.1(d) ¶ 5] | Operational management | Establish/Maintain Documentation | |
Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation | |
Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Establish/Maintain Documentation | |
Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation | |
Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Process or Activity | |
Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Business Processes | |
Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Operational management | Communicate | |
Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Communicate | |
Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation | |
Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity | |
Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Establish/Maintain Documentation | |
Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation | |
Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation | |
Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Establish/Maintain Documentation | |
Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation | |
Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Establish/Maintain Documentation | |
Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation | |
Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Establish/Maintain Documentation | |
Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation | |
Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation | |
Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation | |
Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation | |
Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation | |
Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes | |
Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation | |
Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation | |
Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation | |
Include information sharing procedures in standard operating procedures. CC ID 12974 [FOSS is typically acquired and used in an as-is manner. An entity may not be aware of the developer(s) in public domain FOSS. There may or may not be updates made available for the software, and changes made to the software may be made by other individuals besides the developer. Risks associated with FOSS include the potential for unidentified or unpatched vulnerabilities and development changes by unknown parties. An accurate inventory of FOSS should be maintained as part of an effective ITAM process, and management should understand and abide by the requirements of FOSS licenses. Additionally, some licenses require users to contribute software additions or enhancements, or they may prohibit the use for commercial purpose or profit. Management should be aware of what information is shared when contributing an enhancement to the FOSS development community. IV.C.1(a) ¶ 2] | Operational management | Records Management | |
Establish, implement, and maintain information sharing agreements. CC ID 15645 [Agreements should address risks, including the following: Information sharing (e.g., collection, analysis, and distribution) of threat intelligence, incidents, and other key risk indicators throughout the supply chain. The intelligence gathered enables management to proactively identify and respond to threats in the entity's supply chain. Therefore, management should consider information-sharing clauses in agreements and contracts. IV.Q.1 ¶ 4 Bullet 11 Sub-Bullet 5] | Operational management | Business Processes | |
Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity | |
Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate | |
Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation | |
Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation | |
Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation | |
Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation | |
Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation | |
Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation | |
Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation | |
Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation | |
Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation | |
Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation | |
Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation | |
Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation | |
Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation | |
Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security | |
Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation | |
Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management | |
Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation | |
Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation | |
Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation | |
Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation | |
Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation | |
Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation | |
Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate | |
Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes | |
Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 [SBOMs typically do not identify intellectual property, patents, algorithms, or code; if they do, management should implement appropriate security for this proprietary information. IV.Q.2 ¶ 4] | Operational management | Establish/Maintain Documentation | |
Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Establish/Maintain Documentation | |
Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Establish/Maintain Documentation | |
Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Communicate | |
Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation | |
Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Business Processes | |
Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Data and Information Management | |
Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Establish/Maintain Documentation | |
Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Establish/Maintain Documentation | |
Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Establish/Maintain Documentation | |
Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Establish/Maintain Documentation | |
Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation | |
Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Establish/Maintain Documentation | |
Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Communicate | |
Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management | |
Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate | |
Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation | |
Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Establish/Maintain Documentation | |
Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Establish/Maintain Documentation | |
Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation | |
Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Establish/Maintain Documentation | |
Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation | |
Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Establish/Maintain Documentation | |
Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation | |
Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Establish/Maintain Documentation | |
Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Establish/Maintain Documentation | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Process or Activity | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Operational management | Establish/Maintain Documentation | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Behavior | |
Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain project management standards. CC ID 00992 [The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1 Examiners should review the following: Process of selecting and implementing methodologies to enable effective management and control of development, acquisition, or maintenance projects and alignment with entity objectives. IV Action Summary ¶ 2 Bullet 6 Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 Evaluating the application of project management policy, standards, and procedures. IV.N.2 ¶ 2 Bullet 4] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Include objectives in the project management standard. CC ID 17202 [The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project program documentation standard. CC ID 00995 [{be comprehensive} Verifying that the project plan and associated project documents are appropriate, comprehensive, and approved. IV.N.2 ¶ 3 Bullet 4 Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2 An agile methodology may create unique challenges in documentation of development; therefore, the entity's documentation requirements should be clearly defined in the entity's project management requirements. Effective documentation relies on real-time communication between the development team and stakeholders, including end users. In any methodology, a lack of clarity or poor communication can negatively affect project deliverables and timelines (e.g., delays, scope creep, costs, and quality). This may have increased significance in an agile methodology because multiple parts of the overall project in process may be affected, leading to a greater impact than if only one segment of a project in process is affected. IV.J.2 ¶ 7 Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6 Development standards should articulate the entity's minimum development requirements. For example, development standards may address the selection of programming styles, languages, and tools; layout or format of scripted code; naming conventions; and program library requirements. Effective management communicates in policy its reasons for using specific programming styles and languages on a project or service in project documentation. This is done to identify decisions made by management so developers can understand the reasons certain programming styles and languages were used and whether they remain appropriate for current functionality and stakeholder needs. Examples are included in table 3. V.A ¶ 2] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include budgeting for projects in the project management standard. CC ID 13136 [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1 Generally, IT project plans consider the following: Task budgets. IV.N.3(d) ¶ 1 Bullet 7] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include time requirements in the project management standard. CC ID 17199 [Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain project management procedures. CC ID 17200 [Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3 A methodology is used to facilitate the development, acquisition, or maintenance of a system or component project. Management should establish appropriate methodologies to enable effective management and control of system and component development, acquisition, and maintenance activities. Management can apply various methodologies, or a hybrid, to different projects based on stakeholder needs and project objectives. Methodologies can be a combination of strategies, design philosophies, and accepted practices designed as a structured, organized set of rules that allow a project team to work together effectively. If the entity employs multiple methodologies, the chosen methodology should be defined for each IT project. IV.J ¶ 1] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain integrated project plans. CC ID 01056 [In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1 During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1 Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project control program. CC ID 01612 [An effective audit function provides independent, objective validation of controls and statements of assurance on the effectiveness of an entity's development, acquisition, and maintenance activities. Although auditors should not have any direct involvement in management decisions, they should raise objections if they believe the control environment is inadequate. Auditors may plan for their advisory capacity in development, acquisition, and maintenance activities by developing an understanding of the proposed system or changes. Auditors may require specialized knowledge of IT to advise on or review these activities. They should validate schedule adherence and management. Auditors should determine the effectiveness of controls in the entity's development, acquisition, and maintenance activities and recommend appropriate mitigation. They may communicate with developers regarding appropriate control standards and frameworks throughout IT projects. II.B.9 ¶ 1 Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling helps management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project test plan. CC ID 01001 [Strong testing and other QC procedures can mitigate the risk that the entity's project goals and stakeholder requirements are not met during the execution phase. Testing helps find deficiencies or defects and helps ensure that the system or components operate as intended. Depending on the project type, testing may be scheduled throughout the project during any phase. For example, testing may not always occur during every sprint when using an agile development methodology. Users, designers, developers, and IT staff may be involved in testing. Throughout the testing process, management should maintain comprehensive and accurate documentation reflecting the testing methodology employed, tests performed, and test results. IV.N.1(c) ¶ 3] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project team plan. CC ID 06533 [Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1 The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2 In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1 Meeting regularly with the project team to track progress, address impediments or issues, and track task and milestone completion. IV.N.2 ¶ 4 Bullet 1 Generally, IT project plans consider the following: Roles and responsibilities. IV.N.3(d) ¶ 1 Bullet 2] | Systems design, build, and implementation | Establish/Maintain Documentation | |
Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Establish, implement, and maintain a project management training plan. CC ID 01002 | Systems design, build, and implementation | Establish/Maintain Documentation | |
Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation | |
Establish, implement, and maintain system testing procedures. CC ID 11744 [To establish development standards and controls, prudent practices include thorough development testing and validation of systems and component-related code. Effective management keeps completed systems and component-related code that have passed security certification in program libraries as discussed in the "Additional Control Considerations in Change Management" section of this booklet. V.A ¶ 4 Testing is essential to the development process to promote confidentiality, integrity, availability, and resilience. Whether developed internally or by a third party, appropriate personnel should test systems and components to identify and correct defects before deployment, including security-related defects. V.B ¶ 1 Testing should be sufficient to confirm that systems and components meet the entity's architectural, functional, information security, and legal/regulatory requirements. To help mitigate the risk that an integration point contains an undiscovered defect, entities test the system or component being developed, including how well that system or component interoperates with other systems and components. This scope is commonly achieved through a combination of code-level, system-level, and code vulnerability testing. V.B ¶ 2 Due to supply chain risk in development, for both in-house and supply chain partners, it is important to consider using the following standards and controls when developing information systems and components: Design relevant validation mechanisms to be used during implementation and operation. V.A ¶ 5 Bullet 3] | Systems design, build, and implementation | Establish/Maintain Documentation | |