Analyze organizational objectives, functions, and activities. CC ID 00598
[Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entity�wide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Monitor and Evaluate Occurrences |
| Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Leadership and high level objectives | Establish/Maintain Documentation |
Analyze the business environment in which the organization operates. CC ID 12798
[Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2] | Leadership and high level objectives | Business Processes |
| Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Process or Activity |
| Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Process or Activity |
| Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Process or Activity |
Include resources in the analysis of the internal business environment. CC ID 12942
[Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entity�wide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Process or Activity |
| Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Process or Activity |
| Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Process or Activity |
| Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Process or Activity |
| Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Process or Activity |
| Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Process or Activity |
| Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Business Processes |
| Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Communicate |
| Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Monitor and Evaluate Occurrences |
| Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Monitor and Evaluate Occurrences |
| Analyze the external environment in which the organization operates. CC ID 12799 | Leadership and high level objectives | Business Processes |
| Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Process or Activity |
| Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Monitor and Evaluate Occurrences |
| Include environmental requirements in the analysis of the external environment. CC ID 12965 | Leadership and high level objectives | Business Processes |
| Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Leadership and high level objectives | Monitor and Evaluate Occurrences |
| Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Business Processes |
| Include society in the analysis of the external environment. CC ID 12963 | Leadership and high level objectives | Business Processes |
| Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Business Processes |
| Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Business Processes |
| Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Business Processes |
| Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Business Processes |
| Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Business Processes |
Include legal requirements in the analysis of the external environment. CC ID 12896
[Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entity�wide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Business Processes |
| Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Business Processes |
| Include analyzing the market in the analysis of the external environment. CC ID 12836 | Leadership and high level objectives | Business Processes |
| Conduct a context analysis to define objectives and strategies. CC ID 12864 | Leadership and high level objectives | Business Processes |
| Establish, implement, and maintain organizational objectives. CC ID 09959 | Leadership and high level objectives | Establish/Maintain Documentation |
| Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 | Leadership and high level objectives | Process or Activity |
| Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Process or Activity |
| Identify conditions that may affect organizational objectives. CC ID 12958 | Leadership and high level objectives | Process or Activity |
| Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Leadership and high level objectives | Business Processes |
| Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Leadership and high level objectives | Business Processes |
| Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Business Processes |
| Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Business Processes |
| Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Establish/Maintain Documentation |
| Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Communicate |
| Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Establish/Maintain Documentation |
| Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Establish/Maintain Documentation |
| Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Establish/Maintain Documentation |
| Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Establish/Maintain Documentation |
| Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Communicate |
| Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Leadership and high level objectives | Communicate |
| Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 | Leadership and high level objectives | Establish/Maintain Documentation |
| Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Business Processes |
| Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Process or Activity |
| Identify relationships between opportunities, threats, and external requirements. CC ID 12805 | Leadership and high level objectives | Process or Activity |
| Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Business Processes |
| Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Leadership and high level objectives | Process or Activity |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
[Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entity�wide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2
Validating stakeholder support and engagement. IV.N.2 ¶ 3 Bullet 3] | Leadership and high level objectives | Business Processes |
Establish, implement, and maintain data governance and management practices. CC ID 14998
[Examiners should review the following: Inventory of all systems and components (e.g., open-source, proprietary, application programming interfaces [API], and container images and registries), including related licenses, and data as part of IT asset management (ITAM). IV Action Summary ¶ 2 Bullet 3
A distributed service registry should be deployed for large microservices applications, and data consistency should be maintained among multiple service registry instances. IV.G ¶ 6 Bullet 7] | Leadership and high level objectives | Establish/Maintain Documentation |
| Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the data source in the data governance and management practices. CC ID 17211 | Leadership and high level objectives | Data and Information Management |
| Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Establish/Maintain Documentation |
| Establish, implement, and maintain an information classification standard. CC ID 00601 | Leadership and high level objectives | Establish/Maintain Documentation |
| Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Data and Information Management |
| Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Data and Information Management |
| Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Data and Information Management |
| Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Data and Information Management |
| Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Data and Information Management |
| Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Data and Information Management |
| Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Data and Information Management |
| Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Data and Information Management |
| Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Data and Information Management |
| Establish, implement, and maintain a data classification scheme. CC ID 11628 | Leadership and high level objectives | Establish/Maintain Documentation |
| Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Data and Information Management |
| Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Communicate |
| Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Leadership and high level objectives | Establish/Maintain Documentation |
| Refrain from including metadata in the data dictionary. CC ID 13529 | Leadership and high level objectives | Establish/Maintain Documentation |
| Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include format requirements for data elements in the data dictionary. CC ID 17108 | Leadership and high level objectives | Data and Information Management |
| Include notification requirements for data elements in the data dictionary. CC ID 17107 | Leadership and high level objectives | Data and Information Management |
| Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the measurement units for each data element in the data dictionary. CC ID 13534 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the precision of the measurement in the data dictionary. CC ID 13520 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the data source in the data dictionary. CC ID 13519 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the nature of each element in the data dictionary. CC ID 13518 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the population of events or instances in the data dictionary. CC ID 13517 | Leadership and high level objectives | Establish/Maintain Documentation |
| Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Leadership and high level objectives | Communicate |
| Establish, implement, and maintain data reconciliation procedures. CC ID 17118 | Leadership and high level objectives | Data and Information Management |
| Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Leadership and high level objectives | Establish/Maintain Documentation |
| Involve all stakeholders in the architecture review process. CC ID 16935 | Leadership and high level objectives | Process or Activity |
| Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Leadership and high level objectives | Establish/Maintain Documentation |
| Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Leadership and high level objectives | Behavior |
| Establish, implement, and maintain an organizational structure. CC ID 16310 | Leadership and high level objectives | Establish/Maintain Documentation |
| Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Communicate |
| Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include supply chain management standards in the Quality Management framework. CC ID 13701 | Leadership and high level objectives | Establish/Maintain Documentation |
| Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Establish/Maintain Documentation |
| Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Establish/Maintain Documentation |
| Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Communicate |
| Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Communicate |
| Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Establish/Maintain Documentation |
Establish, implement, and maintain a Quality Management standard. CC ID 01006
[Scalability: Projects vary in size and complexity. Quality management standards should match project characteristics and risks and may differ by project size and type. Quality reviews may consider whether the entity's systems and components can scale, as necessary. IV.K ¶ 3 Bullet 4] | Leadership and high level objectives | Establish/Maintain Documentation |
| Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Establish/Maintain Documentation |
Establish, implement, and maintain a Quality Management program. CC ID 07201
[Examiners should review the following: Evaluation process (e.g., post-implementation review, stakeholder interview, problem documentation and resolution, cost-benefit analysis, and reports to senior management) for development, acquisition, and maintenance projects. IV Action Summary ¶ 2 Bullet 13
Quality management is a critical part of well-managed development, acquisition, and maintenance activities. Comprehensive quality management, risk management, and testing standards provide a means to manage project risks and promote expected functionality, security, and interoperability in systems and components in a secure, resilient manner. Quality management policies, standards, and procedures should be applied to internally and externally developed programs and should address the following: IV.K ¶ 3
Generally, IT project plans consider the following: Quality management tasks (e.g., testing both developed systems and patches for procured systems). IV.N.3(d) ¶ 1 Bullet 5] | Leadership and high level objectives | Establish/Maintain Documentation |
| Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Communicate |
| Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Communicate |
| Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Monitor and Evaluate Occurrences |
| Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Systems Design, Build, and Implementation |
| Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203
[Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6] | Leadership and high level objectives | Establish/Maintain Documentation |
| Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Establish/Maintain Documentation |
Include an issue tracking system in the Quality Management program. CC ID 06824
[Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6] | Leadership and high level objectives | Systems Design, Build, and Implementation |
| Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 | Leadership and high level objectives | Establish/Maintain Documentation |
| Establish, implement, and maintain a policy and procedure management program. CC ID 06285 | Leadership and high level objectives | Establish/Maintain Documentation |
| Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation |
| Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Establish/Maintain Documentation |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632
[Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1] | Leadership and high level objectives | Business Processes |
| Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Establish Roles |
Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179
[Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1
Additionally, the board generally approves Policies and standards. II.B.1 ¶ 1 Bullet 1 Sub-Bullet 2] | Leadership and high level objectives | Establish Roles |
| Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Establish/Maintain Documentation |
| Establish, implement, and maintain a security planning policy. CC ID 14027 | Leadership and high level objectives | Establish/Maintain Documentation |
Establish, implement, and maintain security planning procedures. CC ID 14060
[Management should consider the needs of internal and external stakeholders when making decisions regarding IT development, acquisition, and maintenance activities. Effective communication helps stakeholders carry out their roles and responsibilities and supports entity�wide alignment of these IT activities with an entity's strategic plans. Effective communication also helps stakeholders appropriately identify, assess, and mitigate risks and their potential impacts. Additionally, when contemplating IT projects and activities, management should consider business strategies and objectives, resilience needs, information security requirements, legal and regulatory requirements, and allocation of resources (e.g., personnel, budget, and time). II ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation |
| Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 | Leadership and high level objectives | Communicate |
Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628
[Examiners should review the following: Enterprise-wide IT policies, procedures, and standards describing the entity's requirements throughout the development, acquisition, and maintenance life cycle. II Action Summary ¶ 2 Bullet 1
Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053 | Leadership and high level objectives | Establish/Maintain Documentation |
| Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 | Leadership and high level objectives | Human Resources Management |
| Include the transparency goals in the Information Governance Plan. CC ID 10056 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the information integrity goals in the Information Governance Plan. CC ID 10057 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 | Leadership and high level objectives | Establish/Maintain Documentation |
| Align business continuity objectives with the business continuity policy. CC ID 12408 | Leadership and high level objectives | Establish/Maintain Documentation |
| Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 | Leadership and high level objectives | Business Processes |
| Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959 | Leadership and high level objectives | Establish/Maintain Documentation |
| Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 | Leadership and high level objectives | Establish/Maintain Documentation |
| Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 | Leadership and high level objectives | Establish/Maintain Documentation |
Establish, implement, and maintain Information Technology project plans. CC ID 16944
[Examiners should review the following: Project plans and meeting minutes of the board and committees to ensure that activities and projects align with the entity's strategic objectives and the board's risk appetite. II Action Summary ¶ 2 Bullet 3
Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation |
Submit closure reports at the conclusion of each information technology project. CC ID 16948
[If a project is discontinued before implementation, determining and documenting the reasons for the abnormal project closure for use by future project teams. IV.N.2 ¶ 5 Bullet 2] | Leadership and high level objectives | Actionable Reports or Measurements |
| Review and approve the closure report. CC ID 16947 | Leadership and high level objectives | Actionable Reports or Measurements |
Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497
[Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2
Board: The board, or board-designated committee, typically confirms that IT-related development, acquisition, and maintenance activities align with entity strategic objectives and the board's risk appetite. The audit committee of the board is involved with reviewing and validating the entity's audit-related activities, including development, acquisition, and maintenance. Additionally, the board generally approves II.B.1 ¶ 1 Bullet 1] | Leadership and high level objectives | Establish/Maintain Documentation |
Document the business case and return on investment in each Information Technology project plan. CC ID 06846
[The following would typically be completed during this phase: A project request that provides the business case including a description of the work, the benefits, alternatives considered, the impact of not doing the work, initial estimates of resources and schedule, and strategic match. IV.N.1(a) ¶ 1 Bullet 1
A business case conveys business related information to help management determine whether to fund a project. The goal is to justify the project resources (e.g., budget and staffing) to address a business need. Typically, the project's sponsor helps to develop and owns the resulting business case. Business cases often include the following: IV.N.3(b) ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation |
| Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 | Leadership and high level objectives | Business Processes |
Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916
[In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
{define} Validating that relevant stakeholders are identified and all stakeholders' project requirements are well-defined. IV.N.2 ¶ 2 Bullet 1] | Leadership and high level objectives | Establish/Maintain Documentation |
Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917
[Validating that appropriate success criteria are identified and the project is feasible. IV.N.2 ¶ 2 Bullet 5] | Leadership and high level objectives | Establish/Maintain Documentation |
| Assign senior management to approve business cases. CC ID 13068 | Leadership and high level objectives | Human Resources Management |
Include milestones for each project phase in the Information Technology project plan. CC ID 12621
[Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3
Coordinating the project phases, including tasks and activities, sufficiency of resources, and process steps and timing for each phase. IV.N.2 ¶ 2 Bullet 2
Generally, IT project plans consider the following: Schedule, including completion of key tasks and achieving milestones. IV.N.3(d) ¶ 1 Bullet 4] | Leadership and high level objectives | Establish/Maintain Documentation |
| Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include a search plan in the counterterror protective security plan. CC ID 06865 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include an evacuation plan in the counterterror protective security plan. CC ID 06940 | Leadership and high level objectives | Establish/Maintain Documentation |
| Include a continuity plan in the counterterror protective security plan. CC ID 07031 | Leadership and high level objectives | Establish/Maintain Documentation |
Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673
[The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1
The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1
An IT project should be managed in relation to the entity's size and complexity and consistent with the project's criticality and risks. An ineffectively managed IT project may result in late deliveries, cost overruns, or systems or components that do not meet entity, user, customer, or regulatory requirements. Systems or components that do not meet entity minimum standards or customer requirements can result in underused, insecure, or unreliable products or services. Adding functions, security, or automated controls into systems or components late in the initial development or after implementation to address missed requirements may incur substantial costs (e.g., personnel, time, and money), resulting in less effective systems or components. Furthermore, poor project management can lead to legal issues, such as violations of law and regulation and monetary penalties. IV.N ¶ 2
{strategic objective} Effective management aligns implementation of any methodology with the overall strategic and business objectives. Planning, education, and communication are important elements to help ensure that critical resources are available when needed for IT projects. Management should promote effective planning through IT project management and support training for developers, quality management members, testers, and maintenance personnel. Entity staff should be proficient and qualified in the selected methodologies. Common examples used in the financial industry include waterfall and agile; however, examiners may encounter others. IV.J ¶ 2
{strategic objective} Effective management aligns implementation of any methodology with the overall strategic and business objectives. Planning, education, and communication are important elements to help ensure that critical resources are available when needed for IT projects. Management should promote effective planning through IT project management and support training for developers, quality management members, testers, and maintenance personnel. Entity staff should be proficient and qualified in the selected methodologies. Common examples used in the financial industry include waterfall and agile; however, examiners may encounter others. IV.J ¶ 2] | Leadership and high level objectives | Establish/Maintain Documentation |
Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633
[Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1] | Leadership and high level objectives | Establish/Maintain Documentation |
Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839
[During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1] | Leadership and high level objectives | Actionable Reports or Measurements |
| Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 | Leadership and high level objectives | Actionable Reports or Measurements |
| Include significant security risks in the Information Technology Plan status reports. CC ID 06939 | Leadership and high level objectives | Actionable Reports or Measurements |
| Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 | Leadership and high level objectives | Actionable Reports or Measurements |
| Review and approve the Strategic Information Technology Plan. CC ID 13094 | Leadership and high level objectives | Human Resources Management |
| Establish, implement, and maintain an audit program. CC ID 00684 | Audits and risk management | Establish/Maintain Documentation |
| Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Establish/Maintain Documentation |
| Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Audits and Risk Management |
| Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 | Human Resources management | Establish Roles |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807
[Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1
Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1
The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1] | Human Resources management | Establish Roles |
| Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Human Resources Management |
| Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation |
| Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management |
| Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Establish/Maintain Documentation |
| Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Establish/Maintain Documentation |
| Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management |
| Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management |
| Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles |
| Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Human Resources Management |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662
[Board members should have appropriate knowledge of risks to provide a credible challenge to management responsible for development, acquisition, and maintenance functions. II.B.1 ¶ 1 Bullet 1 Sub-Paragraph 1] | Human Resources management | Human Resources Management |
| Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809
[Effective management develops and implements comprehensive, entity-wide IT policies, standards, and procedures covering the development, acquisition, and maintenance life cycle. Large or complex entities may have multiple policies for different business line functions and their underlying systems and components. The board and designated owners or committees should regularly review and approve IT policies. Policies should clearly delineate development, acquisition, and maintenance responsibilities and provide for communication to all personnel, stakeholders, and appropriate third parties. Standards, on the other hand, may be used to define the processes and rules to support IT policies. For example, software developers often use coding standards in their work. Procedures are often developed to provide instructions to perform a function or task to align with IT policies and standards and may be adjusted to meet changes in the entity's IT environment. Periodic adjustments to standards and procedures may be needed to continue to align with the board-defined risk appetite, threat environment, and risks to the entity and its customers. Management should review and approve deviations from policies, standards, and procedures related to development, acquisition, and maintenance. For example, if the entity's policy prohibits the use of open-source software, management should approve any exceptions when developers use open-source software. II.A ¶ 1
IT staff are generally responsible for maintaining an entity's systems and components to ensure that they continue to operate as expected. Maintenance generally includes performing updates and applying patches, monitoring the systems' or components' status, and monitoring the servers and infrastructure that support the entity's systems and components. Maintenance roles may have more granular responsibilities (e.g., network support) depending on the complexity of the entity's IT environment. Maintenance roles should be independent from development roles to prevent developers from accessing production environments. For more information, refer to the "Maintenance" section of this booklet. II.B.5 ¶ 2] | Human Resources management | Establish Roles |
Establish and maintain the staff structure in line with the strategic plan. CC ID 00764
[Examiners should review the following: Charters (e.g., board, management, or committee), organizational charts, relevant documentation, and practices to determine whether appropriate roles and responsibilities are identified and assigned with suitable decision-making authority. II Action Summary ¶ 2 Bullet 2] | Human Resources management | Establish Roles |
| Delegate authority for specific processes, as necessary. CC ID 06780 | Human Resources management | Behavior |
| Implement a staff rotation plan. CC ID 12772 | Human Resources management | Human Resources Management |
| Rotate duties amongst the critical roles and positions. CC ID 06554 | Human Resources management | Establish Roles |
| Place Information Technology operations in a position to support the business model. CC ID 00766 | Human Resources management | Business Processes |
| Review organizational personnel successes. CC ID 00767 | Human Resources management | Business Processes |
| Implement personnel supervisory practices. CC ID 00773 | Human Resources management | Behavior |
Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960
[{be independent} Quality management refers to coordinated activities to direct and control an organization regarding quality. It helps management assess whether newly developed, procured, or modified systems and components are operating as envisioned, and are designed and comply with an entity's policies, standards, and procedures. Entities assess quality through manual, automated, or hybrid methods throughout the SDLC. Quality management should be an independent function from development, and prudent practices typically include implementing compensating controls when segregation of duties cannot be fully achieved. For example, developers should not test and validate systems and components that they developed. IV.K ¶ 1] | Human Resources management | Technical Security |
| Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff. CC ID 00779 | Human Resources management | Behavior |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
[Management should establish, and the board of directors (board) should oversee, an effective governance framework for development, acquisition, and maintenance activities. Additionally, the board should oversee related IT project management processes to manage projects related to those activities. II Action Summary ¶ 1
The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1] | Operational management | Establish/Maintain Documentation |
| Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955 | Operational management | Behavior |
| Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 | Operational management | Establish/Maintain Documentation |
| Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 | Operational management | Acquisition/Sale of Assets or Services |
| Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 | Operational management | Establish/Maintain Documentation |
| Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915 | Operational management | Process or Activity |
| Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895 | Operational management | Process or Activity |
| Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 | Operational management | Audits and Risk Management |
| Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 | Operational management | Human Resources Management |
| Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 | Operational management | Human Resources Management |
| Establish, implement, and maintain a compliance policy. CC ID 14807 | Operational management | Establish/Maintain Documentation |
| Include the standard of conduct and accountability in the compliance policy. CC ID 14813 | Operational management | Establish/Maintain Documentation |
| Include the scope in the compliance policy. CC ID 14812 | Operational management | Establish/Maintain Documentation |
| Include roles and responsibilities in the compliance policy. CC ID 14811 | Operational management | Establish/Maintain Documentation |
| Include a commitment to continual improvement in the compliance policy. CC ID 14810 | Operational management | Establish/Maintain Documentation |
| Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 | Operational management | Communicate |
| Include management commitment in the compliance policy. CC ID 14808 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain a governance policy. CC ID 15587 | Operational management | Establish/Maintain Documentation |
| Conduct governance meetings, as necessary. CC ID 16946 | Operational management | Process or Activity |
| Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 | Operational management | Communicate |
| Include governance threshold requirements in the governance policy. CC ID 16933 | Operational management | Establish/Maintain Documentation |
| Include a commitment to continuous improvement in the governance policy. CC ID 15595 | Operational management | Establish/Maintain Documentation |
| Include roles and responsibilities in the governance policy. CC ID 15594 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain a positive information control environment. CC ID 00813 | Operational management | Business Processes |
| Make compliance and governance decisions in a timely manner. CC ID 06490 | Operational management | Behavior |
Establish, implement, and maintain an internal control framework. CC ID 00820
[Examiners should review the following: Security controls (e.g., secure coding requirements and baseline configuration use) used to harden systems and components. IV Action Summary ¶ 2 Bullet 2
Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle help control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1] | Operational management | Establish/Maintain Documentation |
| Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes |
| Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles |
Assign resources to implement the internal control framework. CC ID 00816
[Senior management: Senior management approves and champions development, acquisition, and maintenance projects within its authority, ensures that project execution is in alignment with entity objectives and risk appetite, and ensures that adequate resources, including qualified staff, are available to complete IT projects. II.B.1 ¶ 1 Bullet 2] | Operational management | Business Processes |
| Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Establish Roles |
| Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Business Processes |
| Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation |
| Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation |
| Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes |
| Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation |
| Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation |
| Include cloud services in the internal control framework. CC ID 17262 | Operational management | Establish/Maintain Documentation |
| Include cloud security controls in the internal control framework. CC ID 17264 | Operational management | Establish/Maintain Documentation |
| Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation |
| Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration |
| Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation |
| Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration |
| Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation |
| Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation |
| Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation |
| Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation |
| Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate |
| Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity |
| Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation |
| Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation |
| Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation |
| Coordinate emergency response activities with interested personnel and affected parties. CC ID 17152 | Operational management | Process or Activity |
| Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation |
| Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate |
| Establish, implement, and maintain a cybersecurity framework. CC ID 17276 | Operational management | Establish/Maintain Documentation |
| Organize the information security activities and cybersecurity activities into the cybersecurity framework. CC ID 17279 | Operational management | Establish/Maintain Documentation |
| Include protection measures in the cybersecurity framework. CC ID 17278 | Operational management | Establish/Maintain Documentation |
| Include the scope in the cybersecurity framework. CC ID 17277 | Operational management | Establish/Maintain Documentation |
| Disseminate and communicate the cybersecurity policy to interested personnel and affected parties. CC ID 16835 | Operational management | Communicate |
| Establish, implement, and maintain a cybersecurity policy. CC ID 16833 | Operational management | Establish/Maintain Documentation |
Establish, implement, and maintain an information security program. CC ID 00812
[Chief information security officer (CISO): The CISO typically develops enterprise-wide cybersecurity and information security policies and standards, including procedures promoting secure development, acquisition, and maintenance practices, and provides input for the consideration and inclusion of security and resilience in IT projects. The CISO is responsible for validating that security and resilience are maintained throughout the life of a project, system, or component. II.B.1 ¶ 1 Bullet 4] | Operational management | Establish/Maintain Documentation |
| Include physical safeguards in the information security program. CC ID 12375 | Operational management | Establish/Maintain Documentation |
| Include technical safeguards in the information security program. CC ID 12374 | Operational management | Establish/Maintain Documentation |
| Include administrative safeguards in the information security program. CC ID 12373 | Operational management | Establish/Maintain Documentation |
| Include system development in the information security program. CC ID 12389 | Operational management | Establish/Maintain Documentation |
| Include system maintenance in the information security program. CC ID 12388 | Operational management | Establish/Maintain Documentation |
| Include system acquisition in the information security program. CC ID 12387 | Operational management | Establish/Maintain Documentation |
| Include access control in the information security program. CC ID 12386 | Operational management | Establish/Maintain Documentation |
| Include operations management in the information security program. CC ID 12385 | Operational management | Establish/Maintain Documentation |
| Include communication management in the information security program. CC ID 12384 | Operational management | Establish/Maintain Documentation |
| Include environmental security in the information security program. CC ID 12383 | Operational management | Establish/Maintain Documentation |
| Include physical security in the information security program. CC ID 12382 | Operational management | Establish/Maintain Documentation |
| Include human resources security in the information security program. CC ID 12381 | Operational management | Establish/Maintain Documentation |
| Include asset management in the information security program. CC ID 12380 | Operational management | Establish/Maintain Documentation |
| Include a continuous monitoring program in the information security program. CC ID 14323 | Operational management | Establish/Maintain Documentation |
| Include change management procedures in the continuous monitoring plan. CC ID 16227 | Operational management | Establish/Maintain Documentation |
| include recovery procedures in the continuous monitoring plan. CC ID 16226 | Operational management | Establish/Maintain Documentation |
| Include mechanisms for decommissioning a system in the continuous monitoring plan. CC ID 16225 | Operational management | Establish/Maintain Documentation |
| Include mechanisms for appeal and override in the continuous monitoring plan. CC ID 16223 | Operational management | Establish/Maintain Documentation |
| Notify interested personnel and affected parties when irregularities are mitigated. CC ID 17117 | Operational management | Communicate |
| Notify interested personnel and affected parties when continuous monitoring detects an irregularity. CC ID 17116 | Operational management | Communicate |
| Include how the information security department is organized in the information security program. CC ID 12379 | Operational management | Establish/Maintain Documentation |
| Include risk management in the information security program. CC ID 12378 | Operational management | Establish/Maintain Documentation |
| Include mitigating supply chain risks in the information security program. CC ID 13352 | Operational management | Establish/Maintain Documentation |
| Provide management direction and support for the information security program. CC ID 11999 | Operational management | Process or Activity |
| Monitor and review the effectiveness of the information security program. CC ID 12744 | Operational management | Monitor and Evaluate Occurrences |
| Establish, implement, and maintain an information security policy. CC ID 11740 | Operational management | Establish/Maintain Documentation |
| Align the information security policy with the organization's risk acceptance level. CC ID 13042 | Operational management | Business Processes |
| Include data localization requirements in the information security policy. CC ID 16932 | Operational management | Establish/Maintain Documentation |
| Include business processes in the information security policy. CC ID 16326 | Operational management | Establish/Maintain Documentation |
| Include the information security strategy in the information security policy. CC ID 16125 | Operational management | Establish/Maintain Documentation |
| Include a commitment to continuous improvement in the information security policy. CC ID 16123 | Operational management | Establish/Maintain Documentation |
| Include roles and responsibilities in the information security policy. CC ID 16120 | Operational management | Establish/Maintain Documentation |
| Include a commitment to the information security requirements in the information security policy. CC ID 13496 | Operational management | Establish/Maintain Documentation |
| Include information security objectives in the information security policy. CC ID 13493 | Operational management | Establish/Maintain Documentation |
| Include the use of Cloud Services in the information security policy. CC ID 13146 | Operational management | Establish/Maintain Documentation |
| Include notification procedures in the information security policy. CC ID 16842 | Operational management | Establish/Maintain Documentation |
| Approve the information security policy at the organization's management level or higher. CC ID 11737 | Operational management | Process or Activity |
| Establish, implement, and maintain information security procedures. CC ID 12006 | Operational management | Business Processes |
| Describe the group activities that protect restricted data in the information security procedures. CC ID 12294 | Operational management | Establish/Maintain Documentation |
| Disseminate and communicate the information security procedures to all interested personnel and affected parties. CC ID 16303 | Operational management | Communicate |
| Document the roles and responsibilities for all activities that protect restricted data in the information security procedures. CC ID 12304 | Operational management | Establish/Maintain Documentation |
| Define thresholds for approving information security activities in the information security program. CC ID 15702 | Operational management | Process or Activity |
| Assign ownership of the information security program to the appropriate role. CC ID 00814 | Operational management | Establish Roles |
| Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role. CC ID 11884 | Operational management | Human Resources Management |
| Assign information security responsibilities to interested personnel and affected parties in the information security program. CC ID 11885 | Operational management | Establish/Maintain Documentation |
| Assign the responsibility for distributing the information security program to the appropriate role. CC ID 11883 | Operational management | Human Resources Management |
| Disseminate and communicate the information security policy to interested personnel and affected parties. CC ID 11739 | Operational management | Communicate |
| Establish, implement, and maintain a social media governance program. CC ID 06536 | Operational management | Establish/Maintain Documentation |
| Refrain from requiring supervision when users are accessing social media applications. CC ID 14011 | Operational management | Business Processes |
| Refrain from requiring users to disclose social media account usernames or authenticators. CC ID 14009 | Operational management | Business Processes |
| Refrain from accepting instant messages from unknown senders. CC ID 12537 | Operational management | Behavior |
| Require social media users to clarify that their communications do not represent the organization. CC ID 17046 | Operational management | Communicate |
| Require social media users to identify themselves when communicating on behalf of the organization. CC ID 17044 | Operational management | Communicate |
| Include instant messaging, texting, and tweeting in the social media acceptable use policy. CC ID 04578 | Operational management | Establish/Maintain Documentation |
| Include explicit restrictions in the social media acceptable use policy. CC ID 06655 | Operational management | Establish/Maintain Documentation |
| Include contributive content sites in the social media acceptable use policy. CC ID 06656 | Operational management | Establish/Maintain Documentation |
Establish, implement, and maintain operational control procedures. CC ID 00831
[Chief information officer (CIO): The CIO leads day-to-day IT system and component development, acquisition, and maintenance in accordance with the entity's policies and business strategy. Prudent practices include the CIO consulting with the entity's risk management function and legal counsel to ensure that development, acquisition, and maintenance decisions are consistent with sound risk management principles and applicable laws and regulations. Additionally, the CIO facilitates the integration of any new projects, systems, and components into the entity's operations to ensure that they align with strategic objectives and IT strategies. The CIO helps determine the feasibility of proposed projects or changes. II.B.1 ¶ 1 Bullet 3
Management should maintain a secure operating environment throughout development, acquisition, and maintenance activities whether entity employees are operating the system or a third party's employees are operating the system. Entities use various controls to secure operating environments, such as configuration management, access control, and business continuity planning and testing. Effective application of formal policies addressing the least privilege principle help control access to systems, components, and data. An effective entity establishes documented policies to communicate and implement operating environment controls and provides for periodic audits for validation of the controls to determine whether systems and components are functioning as intended. Additional operating environment control examples are listed below: IV.F ¶ 1] | Operational management | Establish/Maintain Documentation |
| Define the nomenclature requirements in the operating instructions. CC ID 17112 | Operational management | Establish/Maintain Documentation |
| Define the situations that require time information in the operating instructions. CC ID 17111 | Operational management | Establish/Maintain Documentation |
| Implement alternative actions for oral communications not received or understood. CC ID 17122 | Operational management | Communicate |
| Reissue operating instructions, as necessary. CC ID 17121 | Operational management | Communicate |
| Include congestion management actions in the operational control procedures. CC ID 17135 | Operational management | Establish/Maintain Documentation |
| Update the congestion management actions in a timely manner. CC ID 17145 | Operational management | Establish/Maintain Documentation |
| Coordinate alternate congestion management actions with affected parties. CC ID 17136 | Operational management | Process or Activity |
| Include actions to prevent system operating limit exceedances in the operational control procedures. CC ID 17138 | Operational management | Process or Activity |
| Include actions to mitigate system operating limit exceedances in the operational control procedures. CC ID 17146 | Operational management | Establish/Maintain Documentation |
| Confirm the receiver's response to operating instructions received by oral communications. CC ID 17120 | Operational management | Communicate |
| Include continuous monitoring in the operational control procedures. CC ID 17137 | Operational management | Establish/Maintain Documentation |
| Repeat operating instructions received by oral communications to the issuer. CC ID 17119 | Operational management | Communicate |
| Write operating instructions in the English language, unless agreement exists to use another language. CC ID 17109 | Operational management | Establish/Maintain Documentation |
| Coordinate the transmission of electricity between affected parties. CC ID 17114 | Operational management | Business Processes |
| Include assigning and approving operations in operational control procedures. CC ID 06382 | Operational management | Establish/Maintain Documentation |
| Include coordination amongst entities in the operational control procedures. CC ID 17147 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain an outage coordination process. CC ID 17161 | Operational management | Process or Activity |
| Coordinate outages with affected parties. CC ID 17160 | Operational management | Process or Activity |
| Coordinate energy resource management with affected parties. CC ID 17150 | Operational management | Process or Activity |
| Coordinate the control of voltage with affected parties. CC ID 17149 | Operational management | Process or Activity |
| Coordinate energy shortages with affected parties. CC ID 17148 | Operational management | Process or Activity |
| Include roles and responsibilities in the operational control procedures. CC ID 17159 | Operational management | Establish/Maintain Documentation |
| Include startup processes in operational control procedures. CC ID 00833 | Operational management | Establish/Maintain Documentation |
| Include alternative actions in the operational control procedures. CC ID 17096 | Operational management | Establish/Maintain Documentation |
| Include change control processes in the operational control procedures. CC ID 16793 | Operational management | Establish/Maintain Documentation |
| Approve or deny requests in a timely manner. CC ID 17095 | Operational management | Process or Activity |
| Comply with requests from relevant parties unless justified in not complying. CC ID 17094 | Operational management | Business Processes |
| Disseminate and communicate the operational control procedures to interested personnel and affected parties. CC ID 17151 | Operational management | Communicate |
| Notify interested personnel and affected parties of inability to comply with compliance requirements. CC ID 17093 | Operational management | Communicate |
| Establish and maintain a data processing run manual. CC ID 00832 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain a Standard Operating Procedures Manual. CC ID 00826 | Operational management | Establish/Maintain Documentation |
| Use systems in accordance with the standard operating procedures manual. CC ID 15049 | Operational management | Process or Activity |
| Include system use information in the standard operating procedures manual. CC ID 17240 | Operational management | Establish/Maintain Documentation |
| Include metrics in the standard operating procedures manual. CC ID 14988 | Operational management | Establish/Maintain Documentation |
| Include maintenance measures in the standard operating procedures manual. CC ID 14986 | Operational management | Establish/Maintain Documentation |
| Include logging procedures in the standard operating procedures manual. CC ID 17214 | Operational management | Establish/Maintain Documentation |
| Include the expected lifetime of the system in the standard operating procedures manual. CC ID 14984 | Operational management | Establish/Maintain Documentation |
| Include resources in the standard operating procedures manual. CC ID 17212 | Operational management | Establish/Maintain Documentation |
| Include technical measures used to interpret output in the standard operating procedures manual. CC ID 14982 | Operational management | Establish/Maintain Documentation |
| Include human oversight measures in the standard operating procedures manual. CC ID 17213 | Operational management | Establish/Maintain Documentation |
| Include predetermined changes in the standard operating procedures manual. CC ID 14977 | Operational management | Establish/Maintain Documentation |
| Include specifications for input data in the standard operating procedures manual. CC ID 14975 | Operational management | Establish/Maintain Documentation |
| Include risks to health and safety or fundamental rights in the standard operating procedures manual. CC ID 14973 | Operational management | Establish/Maintain Documentation |
| Include circumstances that may impact the system in the standard operating procedures manual. CC ID 14972 | Operational management | Establish/Maintain Documentation |
| Include what the system was tested and validated for in the standard operating procedures manual. CC ID 14969 | Operational management | Establish/Maintain Documentation |
| Adhere to operating procedures as defined in the Standard Operating Procedures Manual. CC ID 06328 | Operational management | Business Processes |
| Include the intended purpose in the standard operating procedures manual. CC ID 14967 | Operational management | Establish/Maintain Documentation |
| Include information on system performance in the standard operating procedures manual. CC ID 14965 | Operational management | Establish/Maintain Documentation |
| Include contact details in the standard operating procedures manual. CC ID 14962 | Operational management | Establish/Maintain Documentation |
Include information sharing procedures in standard operating procedures. CC ID 12974
[FOSS is typically acquired and used in an as-is manner. An entity may not be aware of the developer(s) in public domain FOSS. There may or may not be updates made available for the software, and changes made to the software may be made by other individuals besides the developer. Risks associated with FOSS include the potential for unidentified or unpatched vulnerabilities and development changes by unknown parties. An accurate inventory of FOSS should be maintained as part of an effective ITAM process, and management should understand and abide by the requirements of FOSS licenses. Additionally, some licenses require users to contribute software additions or enhancements, or they may prohibit the use for commercial purpose or profit. Management should be aware of what information is shared when contributing an enhancement to the FOSS development community. IV.C.1(a) ¶ 2] | Operational management | Records Management |
| Establish, implement, and maintain information sharing agreements. CC ID 15645 | Operational management | Business Processes |
| Provide support for information sharing activities. CC ID 15644 | Operational management | Process or Activity |
| Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties. CC ID 12026 | Operational management | Communicate |
| Establish, implement, and maintain a job scheduling methodology. CC ID 00834 | Operational management | Establish/Maintain Documentation |
| Establish and maintain a job schedule exceptions list. CC ID 00835 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain a data processing continuity plan. CC ID 00836 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain Voice over Internet Protocol operating procedures. CC ID 04583 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain the Acceptable Use Policy. CC ID 01350 | Operational management | Establish/Maintain Documentation |
| Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy. CC ID 01351 | Operational management | Establish/Maintain Documentation |
| Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy. CC ID 11894 | Operational management | Establish/Maintain Documentation |
| Include Bring Your Own Device agreements in the Acceptable Use Policy. CC ID 15703 | Operational management | Establish/Maintain Documentation |
| Include the obligations of users in the Bring Your Own Device agreement. CC ID 15708 | Operational management | Establish/Maintain Documentation |
| Include the rights of the organization in the Bring Your Own Device agreement. CC ID 15707 | Operational management | Establish/Maintain Documentation |
| Include the circumstances in which the organization may confiscate, audit, or inspect assets in the Bring Your Own Device agreement. CC ID 15706 | Operational management | Establish/Maintain Documentation |
| Include the circumstances in which the organization may manage assets in the Bring Your Own Device agreement. CC ID 15705 | Operational management | Establish/Maintain Documentation |
| Include Bring Your Own Device usage in the Acceptable Use Policy. CC ID 12293 | Operational management | Establish/Maintain Documentation |
| Include a web usage policy in the Acceptable Use Policy. CC ID 16496 | Operational management | Establish/Maintain Documentation |
| Include Bring Your Own Device security guidelines in the Acceptable Use Policy. CC ID 01352 | Operational management | Establish/Maintain Documentation |
| Include asset tags in the Acceptable Use Policy. CC ID 01354 | Operational management | Establish/Maintain Documentation |
| Specify the owner of applicable assets in the Acceptable Use Policy. CC ID 15699 | Operational management | Establish/Maintain Documentation |
| Include asset use policies in the Acceptable Use Policy. CC ID 01355 | Operational management | Establish/Maintain Documentation |
| Include authority for access authorization lists for assets in all relevant Acceptable Use Policies. CC ID 11872 | Operational management | Establish/Maintain Documentation |
| Include access control mechanisms in the Acceptable Use Policy. CC ID 01353 | Operational management | Establish/Maintain Documentation |
| Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy. CC ID 11892 | Operational management | Technical Security |
| Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy. CC ID 11893 | Operational management | Establish/Maintain Documentation |
| Include a removable storage media use policy in the Acceptable Use Policy. CC ID 06772 | Operational management | Data and Information Management |
| Correlate the Acceptable Use Policy with the network security policy. CC ID 01356 | Operational management | Establish/Maintain Documentation |
| Include appropriate network locations for each technology in the Acceptable Use Policy. CC ID 11881 | Operational management | Establish/Maintain Documentation |
| Correlate the Acceptable Use Policy with the approved product list. CC ID 01357 | Operational management | Establish/Maintain Documentation |
| Include facility access and facility use in the Acceptable Use Policy. CC ID 06441 | Operational management | Establish/Maintain Documentation |
| Include usage restrictions in the Acceptable Use Policy. CC ID 15311 | Operational management | Establish/Maintain Documentation |
| Include a software installation policy in the Acceptable Use Policy. CC ID 06749 | Operational management | Establish/Maintain Documentation |
| Document idle session termination and logout for remote access technologies in the Acceptable Use Policy. CC ID 12472 | Operational management | Establish/Maintain Documentation |
| Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties. CC ID 12431 | Operational management | Communicate |
| Require interested personnel and affected parties to sign Acceptable Use Policies. CC ID 06661 | Operational management | Establish/Maintain Documentation |
| Require interested personnel and affected parties to re-sign Acceptable Use Policies, as necessary. CC ID 06663 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain an Intellectual Property Right program. CC ID 00821 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain domain name registration and renewal procedures. CC ID 07075 | Operational management | Business Processes |
| Establish, implement, and maintain Intellectual Property Rights protection procedures. CC ID 11512 | Operational management | Establish/Maintain Documentation |
| Protect against circumvention of the organization's Intellectual Property Rights. CC ID 11513 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain a fax machine and multifunction device usage policy. CC ID 16962 | Operational management | Establish/Maintain Documentation |
| Include contact lists in the fax machine and multifunction device usage policy. CC ID 16979 | Operational management | Establish/Maintain Documentation |
| Include consequences in the fax machine and multifunction device usage policy. CC ID 16957 | Operational management | Establish/Maintain Documentation |
| Disseminate and communicate the fax machine and multifunction device usage policy to interested personnel and affected parties. CC ID 16965 | Operational management | Communicate |
| Establish, implement, and maintain an e-mail policy. CC ID 06439 | Operational management | Establish/Maintain Documentation |
| Validate recipients prior to sending electronic messages. CC ID 16981 | Operational management | Business Processes |
| Establish, implement, and maintain a Global Address List. CC ID 16934 | Operational management | Data and Information Management |
| Include roles and responsibilities in the e-mail policy. CC ID 17040 | Operational management | Establish/Maintain Documentation |
| Include content requirements in the e-mail policy. CC ID 17041 | Operational management | Establish/Maintain Documentation |
| Include the personal use of business e-mail in the e-mail policy. CC ID 17037 | Operational management | Establish/Maintain Documentation |
| Include usage restrictions in the e-mail policy. CC ID 17039 | Operational management | Establish/Maintain Documentation |
| Include business use of personal e-mail in the e-mail policy. CC ID 14381 | Operational management | Establish/Maintain Documentation |
| Include message format requirements in the e-mail policy. CC ID 17038 | Operational management | Establish/Maintain Documentation |
| Include the consequences of sending restricted data in the e-mail policy. CC ID 16970 | Operational management | Establish/Maintain Documentation |
| Disseminate and communicate the e-mail policy to interested personnel and affected parties. CC ID 16980 | Operational management | Communicate |
| Identify the sender in all electronic messages. CC ID 13996 | Operational management | Data and Information Management |
| Protect policies, standards, and procedures from unauthorized modification or disclosure. CC ID 10603 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain nondisclosure agreements. CC ID 04536 | Operational management | Establish/Maintain Documentation |
| Disseminate and communicate nondisclosure agreements to interested personnel and affected parties. CC ID 16191 | Operational management | Communicate |
| Require interested personnel and affected parties to sign nondisclosure agreements. CC ID 06667 | Operational management | Establish/Maintain Documentation |
| Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary. CC ID 06669 | Operational management | Establish/Maintain Documentation |
| Establish, implement, and maintain a use of information agreement. CC ID 06215 | Operational management | Establish/Maintain Documentation |
| Include use limitations in the use of information agreement. CC ID 06244 | Operational management | Establish/Maintain Documentation |
| Include disclosure requirements in the use of information agreement. CC ID 11735 | Operational management | Establish/Maintain Documentation |
| Include information recipients in the use of information agreement. CC ID 06245 | Operational management | Establish/Maintain Documentation |
| Include reporting out of scope use of information in the use of information agreement. CC ID 06246 | Operational management | Establish/Maintain Documentation |
| Include disclosure of information in the use of information agreement. CC ID 11830 | Operational management | Establish/Maintain Documentation |
| Include information security procedures assigned to the information recipient in the use of information agreement. CC ID 07130 | Operational management | Establish/Maintain Documentation |
| Include information security procedures assigned to the originator in the use of information agreement. CC ID 14418 | Operational management | Establish/Maintain Documentation |
| Include a do not contact rule for the individuals identified in a data set in the use of information agreement. CC ID 07131 | Operational management | Establish/Maintain Documentation |
| Include the information recipient's third parties accepting the agreement in the use of information agreement. CC ID 07132 | Operational management | Establish/Maintain Documentation |
| Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 | Operational management | Business Processes |
| Analyze how policies used to create management boundaries relates to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity |
| Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity |
| Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Process or Activity |
| Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity |
| Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity |
| Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity |
| Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior |
| Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes |
| Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes |
| Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes |
| Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior |
| Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior |
| Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes |
| Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior |
| Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior |
| Comply with all implemented policies in the organization's compliance framework. CC ID 06384 | Operational management | Establish/Maintain Documentation |
| Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate |
| Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes |
| Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Behavior |
| Initiate the System Development Life Cycle planning phase. CC ID 06266 | Systems design, build, and implementation | Systems Design, Build, and Implementation |
| Establish, implement, and maintain a system design project management framework. CC ID 00990 | Systems design, build, and implementation | Establish/Maintain Documentation |
Establish, implement, and maintain project management standards. CC ID 00992
[The board should oversee and management should establish an effective governance structure that allows for the effective oversight and management of the development, acquisition, and maintenance of the entity's systems and components. Additionally, the board should oversee related IT project management processes and projects related to those activities. The board should oversee significant projects to ensure that they align with an entity's strategic plans. Projects that do not align may cause lost revenue or diminished economies of scale resulting in budget shortfalls. Misalignment may cause unexpected harm to the entity or its reputation (e.g., customer dissatisfaction, user frustration, noncompliance with laws and regulations, and IT or operational performance issues). Ineffective communication or coordination by the board with appropriate stakeholders can lead to problems (e.g., scope creep on projects and cost overruns) and processes that do not facilitate appropriate communication across business departments. When IT activities are siloed away from business departments or other business line IT departments (i.e., when an entity has multiple lines of business that have their own IT departments), it may result in management establishing counterproductive objectives. II ¶ 1
Examiners should review the following: Process of selecting and implementing methodologies to enable effective management and control of development, acquisition, or maintenance projects and alignment with entity objectives. IV Action Summary ¶ 2 Bullet 6
Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
Evaluating the application of project management policy, standards, and procedures. IV.N.2 ¶ 2 Bullet 4] | Systems design, build, and implementation | Establish/Maintain Documentation |
| Include participation by each affected user department in the implementation phase of the project plan. CC ID 00993 | Systems design, build, and implementation | Systems Design, Build, and Implementation |
Include objectives in the project management standard. CC ID 17202
[The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2] | Systems design, build, and implementation | Establish/Maintain Documentation |
Establish, implement, and maintain a project program documentation standard. CC ID 00995
[{be comprehensive} Verifying that the project plan and associated project documents are appropriate, comprehensive, and approved. IV.N.2 ¶ 3 Bullet 4
Types of IT project documentation range from simple documents, such as meeting minutes and project status reports, to more complex documents such as feasibility studies, project plans, requirements, and PIRs. Project documentation allows management to track and monitor security, resilience, and compliance concerns throughout the project and after its completion. Entities establish documentation standards and procedures to mitigate the risk of inconsistent or incomplete documentation. When determining the amount of project documentation needed, various factors to consider include an entity's size and complexity, the project type (e.g., development, acquisition, or maintenance), and the project's complexity. The following subsections describe common examples of project documentation. IV.N.3 ¶ 2
An agile methodology may create unique challenges in documentation of development; therefore, the entity's documentation requirements should be clearly defined in the entity's project management requirements. Effective documentation relies on real-time communication between the development team and stakeholders, including end users. In any methodology, a lack of clarity or poor communication can negatively affect project deliverables and timelines (e.g., delays, scope creep, costs, and quality). This may have increased significance in an agile methodology because multiple parts of the overall project in process may be affected, leading to a greater impact than if only one segment of a project in process is affected. IV.J.2 ¶ 7
Tracking: Quality management personnel should validate that project personnel properly document a project's progress; record, report, and monitor problems to resolution; and communicate progress and concerns to management. IV.K ¶ 3 Bullet 6] | Systems design, build, and implementation | Establish/Maintain Documentation |
Include budgeting for projects in the project management standard. CC ID 13136
[Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1
Generally, IT project plans consider the following: Task budgets. IV.N.3(d) ¶ 1 Bullet 7] | Systems design, build, and implementation | Establish/Maintain Documentation |
Include time requirements in the project management standard. CC ID 17199
[Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1] | Systems design, build, and implementation | Establish/Maintain Documentation |
Establish, implement, and maintain project management procedures. CC ID 17200
[Completeness: Each phase of a project life cycle should include procedures to follow and expected deliverables. Quality management personnel should verify the business case for a project, required functional features, and appropriateness of project considerations to determine completeness in each project phase before moving to the next phase. Audit and compliance personnel should verify that quality management includes quality standards to validate that the project meets internal and external requirements. IV.K ¶ 3 Bullet 3
A methodology is used to facilitate the development, acquisition, or maintenance of a system or component project. Management should establish appropriate methodologies to enable effective management and control of system and component development, acquisition, and maintenance activities. Management can apply various methodologies, or a hybrid, to different projects based on stakeholder needs and project objectives. Methodologies can be a combination of strategies, design philosophies, and accepted practices designed as a structured, organized set of rules that allow a project team to work together effectively. If the entity employs multiple methodologies, the chosen methodology should be defined for each IT project. IV.J ¶ 1] | Systems design, build, and implementation | Establish/Maintain Documentation |
Establish, implement, and maintain integrated project plans. CC ID 01056
[In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
During the project's execution phase, the project team completes the project plan tasks. The team tracks and compares actual task execution with the project plan, maintains a log of problems (e.g., inability to meet milestones, resource changes, and unanticipated risks), tracks problem resolution, reports on effects to the project timeline, and monitors interdependency issues. During the execution phase, scope creep is a common problem that can occur as developers address issues or receive subsequent requests to add or modify a system's features. It may result from inadequately defined requirements, a lack of a project change control process, inaccurate time and budget analysis, or a weak project manager or executive sponsor. Establishing change approval procedures during development and cutoff dates (after which time requested changes are deferred to subsequent versions) helps mitigate scope creep. IV.N.1(c) ¶ 1
Validating the appropriateness of the project plan's tasks and time frames as well as resource sufficiency. IV.N.2 ¶ 3 Bullet 1] | Systems design, build, and implementation | Establish/Maintain Documentation |
Establish, implement, and maintain a project control program. CC ID 01612
[An effective audit function provides independent, objective validation of controls and statements of assurance on the effectiveness of an entity's development, acquisition, and maintenance activities. Although auditors should not have any direct involvement in management decisions, they should raise objections if they believe the control environment is inadequate. Auditors may plan for their advisory capacity in development, acquisition, and maintenance activities by developing an understanding of the proposed system or changes. Auditors may require specialized knowledge of IT to advise on or review these activities. They should validate schedule adherence and management. Auditors should determine the effectiveness of controls in the entity's development, acquisition, and maintenance activities and recommend appropriate mitigation. They may communicate with developers regarding appropriate control standards and frameworks throughout IT projects. II.B.9 ¶ 1
Monitoring and controlling are important parts of the processes of IT project management. This takes place throughout all phases of IT project development (refer to figure 3). Monitoring and controlling are helpful for tracking, reviewing, and evaluating the progress of an IT project. Monitoring and controlling helps management identify IT project management risks (e.g., errors, cost overrun, scope creep, and missing milestones). A combination of management and the project manager or sponsor are responsible for monitoring and controlling the entire project throughout all phases. IV.N.2 ¶ 1] | Systems design, build, and implementation | Establish/Maintain Documentation |
Establish, implement, and maintain a project test plan. CC ID 01001
[Strong testing and other QC procedures can mitigate the risk that the entity's project goals and stakeholder requirements are not met during the execution phase. Testing helps find deficiencies or defects and helps ensure that the system or components operate as intended. Depending on the project type, testing may be scheduled throughout the project during any phase. For example, testing may not always occur during every sprint when using an agile development methodology. Users, designers, developers, and IT staff may be involved in testing. Throughout the testing process, management should maintain comprehensive and accurate documentation reflecting the testing methodology employed, tests performed, and test results. IV.N.1(c) ¶ 3] | Systems design, build, and implementation | Establish/Maintain Documentation |
Establish, implement, and maintain a project team plan. CC ID 06533
[Project management is the use of specific knowledge, skills, tools, and techniques to deliver something of value to people. Effective project management includes established policies, standards, and procedures that project personnel apply enterprise-wide. Examples of projects include developing a new product or service, expanding into a new geographic market, and investing in a new system. When reviewing and prioritizing projects, effective management considers the project's effect on operations and the entity's needs (e.g., IT, information security, lines of business, customer needs, and regulatory and legal compliance). Entity projects often include a supporting IT project due to the underlying systems and components in business operations. For instance, when management considers offering a new product or service or expanding into a new geographic market, there are often IT implications. Effective IT project management processes, which are a subset of and align with the enterprise project management policies, standards, and procedures, should address issues specific to IT projects. Effective management develops and follows consistent processes to identify risks and oversee IT projects to address any risks identified. IT projects generally include IT system development, acquisition of a new IT system or component, or significant maintenance of or change to an IT product or service. If the entity has a PMO, IT project managers should work with the PMO to oversee and carry out IT projects. IV.N ¶ 1
The following would typically be completed during this phase: A project charter that identifies the project owner (i.e., the responsible party), and defines the mission and main goals of the project. IV.N.1(a) ¶ 1 Bullet 2
In the planning phase, management forms a project team that defines and refines project deliverables to achieve the objective and develops the project plan. Project plan common elements are tasks and milestones, task timelines, and names of those who are responsible for completing each task. Project teams engage stakeholders to define deliverables that achieve objectives and meet the entity's functional, IT, information security, and legal and regulatory requirements. Requirements include systems, components, and resources that will support and interact with any new product or service. Clearly defined deliverables (including documentation deliverables) help stakeholders understand expectations. The project team should also define testing requirements and objective acceptance criteria, which are unbiased and predefined criteria for determining whether the project meets the stated objectives through milestones and project completion. Additionally, security and resilience design should be included from the beginning of the project to be most effective. Information regarding project management governance is in the FFIEC IT Handbook's "Management" booklet. IV.N.1(b) ¶ 1
Meeting regularly with the project team to track progress, address impediments or issues, and track task and milestone completion. IV.N.2 ¶ 4 Bullet 1
Generally, IT project plans consider the following: Roles and responsibilities. IV.N.3(d) ¶ 1 Bullet 2] | Systems design, build, and implementation | Establish/Maintain Documentation |
| Include the addition of new hires, part-time employees, or third party assistance in the project team plan. CC ID 11731 | Systems design, build, and implementation | Establish/Maintain Documentation |
| Establish, implement, and maintain a project management training plan. CC ID 01002 | Systems design, build, and implementation | Establish/Maintain Documentation |
| Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase. CC ID 06267 | Systems design, build, and implementation | Systems Design, Build, and Implementation |
| Establish, implement, and maintain system testing procedures. CC ID 11744 | Systems design, build, and implementation | Establish/Maintain Documentation |
Common Controls and
Audits and risk management