UCF ID: 00651 | Control Type: Process or Activity | Status: Live
Supporting and supported controls
This control directly supports:
- Establish monitoring and logging operations for all key systems. [UCF Control ID 00637]
There are no supporting controls.
Authority documents complied with:
AICPA Suitable Trust Services Principles and Criteria, ¶ .20 § 4.1, ¶ .24 § 4.1; COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 36; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 620(g); FFIEC IT Examination Handbook – E-Banking, August 2003, Pg 21; FFIEC IT Examination Handbook – Management, Pg 33, Pg 34, Exam Obj 5.1; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier II Obj G.6; Clinger-Cohen Act (Information Technology Management Reform Act), § 5123; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § H.4.2; CobiT, Version 4.1, ME1.4; IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 4.3.1; German Corporate Governance Code ("The Code"), June 6, 2008, ¶ 3.4; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 9.3; PAS 77 IT Service Continuity Management. Code of Practice, 2006, § 5.6 ¶ 2(e); Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 42; ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998, ¶ 10.2.3
Sarbanes Oxley Guidance
The organization should compare expected performance to actual performance to ensure it is within the acceptable risk tolerance parameters. [Pg 36, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]
Banking and Finance Guidance
The internal assessments should be evaluated over time for their performance, and adjustments should be made, as necessary. [¶ 620(g), Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]
The Board of Directors and management should periodically evaluate the effectiveness of the e-banking strategy by comparing the actual performance with the organization's goals and expectations. The Board should also determine if the proper procedures and policies are in effect and if the risks are being controlled. [Pg 21, FFIEC IT Examination Handbook – E-Banking, August 2003]
The organization should establish performance benchmarks and monitor them on a regular basis. [Pg 33, Pg 34, Exam Obj 5.1, FFIEC IT Examination Handbook – Management]
[Exam Tier II Obj G.6, FFIEC IT Examination Handbook – Operations, July 2004]
US Federal Security Guidance
The Act calls for performance- and results-based management techniques: performance measurements should be prescribed, and agency performance should be quantitatively benchmarked in terms of cost, speed, productivity, and quality of outputs and outcomes. [§ 5123, Clinger-Cohen Act (Information Technology Management Reform Act)]
Management should monitor and measure the performance of technology-related products, services, delivery channels, and processes in order to avoid potential operational failures and to mitigate the damage that may arise if such failures occur. Controls should be established to identify risks so that the bank can adequately manage them. To ensure accountability, management should specify which managers are responsible for the business goals, objectives, and results of specific technology projects or systems, and should establish controls that are independent of the business unit to ensure that risks are properly managed. Technology processes should be reviewed periodically for quality and for compliance with control requirements. [¶ 42, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]
Records Management Guidance
Benchmarks should be used to assess performance, and monitoring reports should be used to establish performance indicators. [§ H.4.2, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]
ISO Guidance
It is a best practice for ICT disaster recovery service providers to perform performance measurements that quantify how effective the provided ICT disaster recovery services are. These measurements should be supplied to the organization as agreed upon in the relevant SLA or other arrangement. Performance measurement allows service effectiveness to be assessed and reviewed; allows the adverse impacts of unavailability of ICT system assets and information to be estimated, thereby providing input to the business impact analysis and other aspects of the risk assessment; demonstrates the ability of ICT systems to recover from failures and disasters; allows ICT disaster recovery services to be compared over periods of time for continuous improvement; and allows benchmarking across the ICT disaster recovery services industry. The requirements of the organization determine the types and number of performance measurements. The following types of indicators can be considered:
· resource and operation readiness indicators;
· ICT disaster recovery plan maturity indicators;
· exercise effectiveness indicators;
· simultaneous disaster invocation risk indicators; and
· industry best practice compliance indicators. [§ 9.3, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
Monitoring of Security Awareness Programs. An organization should monitor security awareness programs by:
· periodic performance evaluations - to determine the effectiveness of an awareness program by monitoring security-related behavior, and to identify where changes affecting the program delivery might be required; and
· awareness change management - whenever there are changes to the overall security program (e.g. policy or strategy changes, new assets or technology are introduced, variations in threats occur), it is necessary to alter the security awareness program so that existing knowledge and skill levels are updated to reflect those changes. [¶ 10.2.3, ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998]
General Guidance
The organization should use system monitoring tools to monitor the network performance 24 hours a day, 7 days a week. [¶ .20 § 4.1, ¶ .24 § 4.1, AICPA Suitable Trust Services Principles and Criteria]
The organization should periodically review the performance against targets, perform root cause analysis and initiate remedial action to address the underlying causes. [ME1.4, CobiT, Version 4.1]
UK and Canadian Guidance
[§ 4.3.1, IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]
A key factor in ensuring that the Information Technology Service Continuity (ITSC) strategy and plans remain appropriate as the organization and its environment change is to ensure that service levels are reviewed on a monthly basis at Board meetings. [§ 5.6 ¶ 2(e), PAS 77 IT Service Continuity Management. Code of Practice, 2006]
Other European and African Guidance
The Management Board must report the reasons for any deviation between the actual results and the planned results. [¶ 3.4, German Corporate Governance Code ("The Code"), June 6, 2008]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
