UCF ID: 00688 | Control Type: Process or Activity | Status: Live
Supporting and supported controls
This control directly supports:
• Establish and maintain the scope of the organizational compliance framework and controls for your organization. [UCF Control ID 01241]
This control has the following supporting controls:
• Maintain asset discovery audit trails. [UCF Control ID 00689]
• Identify system boundaries and assign information assurance categories that are needed for delivering key business processes. [UCF Control ID 00695]
• Establish and maintain information system assurance categories. [UCF Control ID 01608]
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security, Pg 11, Exam Tier I Obj 2.2; Federal Information System Controls Audit Manual (FISCAM), February 2009, App VI.1.1; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § B.4, § B.4.2 thru § B.4.2.3; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1, § 1.5, § 2.1 thru § 2.4; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, § B.5.a(i), § B.5.a(ii); CobiT, Version 4.1, PO1.3; The GAIT Methodology, Executive Summary, Phase 1.1; ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals, May 15, 2009, § 2.1.1; The Standard of Good Practice for Information Security, NW1.3.1; ISO/IEC 17799 Code of Practice for Information Security Management, 2005, § 7.1.1; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 5.2.1, Annex A.7.1.1; ISO/IEC 27002 Code of practice for information security management, 2005, § 7.1.1; ISACA Cross-Border Privacy Impact Assessment, Principle 7.40; IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 5.6.1, § 8.1.1; Australia Better Practice Guide - Business Continuity Management, January 2000, Step 2 Pg 34, Step 2 Pg 35; California OPP Recommended Practices on Notification of Security Breach, May 2008, Part I ¶ 2; Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009, § 4.3.1 ¶ 1(a); ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004, § 3.9; ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998, ¶ 9.3.2; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.1.1(6), ¶ 8.2.4; ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001, ¶ 9.5
Banking and Finance Guidance
The risk assessment should identify all information and systems that need to be protected by the organization. These assets can be either paper-based or electronic-based. [Pg 11, Exam Tier I Obj 2.2, FFIEC IT Examination Handbook – Information Security]
US Federal Security Guidance
Organizations should identify the computer applications that are significant to their financial statements. Significant applications are those with auditable line items and accounts under investigation, or that are material to the organization. [App VI.1.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]
Records Management Guidance
The DIRKS Manual suggests that the interview identify:
• “your organization’s goals and the strategies to achieve these goals;
• the broad functions the organization undertakes to support its goals and strategies;
• the activities that contribute to the fulfillment of the organization’s functions; and
• the groups of recurring transactions or processes that make up each of these activities.”
§ B.4.2 further defines the differences between function, activity, and transaction as follows:
• Functions are the largest unit of business activity in an organization. They represent the major responsibilities that are managed by the organization to fulfill its goals. Functions are high-level aggregates of the organization’s activities.
• Activities are the major tasks performed by the organization to accomplish each of its functions. Several activities may be associated with each function.
• Transactions are the smallest unit of business activity. They should be tasks, not subjects or record types. Transactions will help define the scope or boundaries of activities and provide the basis for identifying the records that are required to meet the business needs of the organization. The identification of transactions will also help in the formulation of the records description part of a records disposal authority.
§ B.4.2.1 suggests assigning specific terms to functions and activities. The choice of terminology should depend upon the way in which the organization has defined its functions, activities, and transactions. By choosing and documenting terminology, you will be able to create an unambiguous and integrated business classification scheme.
§ B.4.2.2 takes this further and asks the analyst to create a glossary entry for each of the terms, much like a glossary entry used for writing purposes. The analyst produces much the same thing, using documentary sources or interviewees as the authority sources and the interview or research material as the basis for the definition of the term being described.
§ B.4.2.3 takes this one step further by asking the analyst to document dates for functions and activities. These dates “establish a time frame, which will be useful for the development and application of the linked record keeping tools such as a thesaurus and disposal authority”. In practical terms, this provides more metadata that you can feed into your recordkeeping system. [§ B.4, § B.4.2 thru § B.4.2.3, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]
NIST Guidance
Prior to conducting a risk assessment, the system under consideration must be identified and analyzed, documenting the system’s level of detail and formality. [§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
Information resources should be clearly assigned to an information system – which directly supports business processing and therefore supports the business functions, activities, and tasks. Doing this creates clear boundaries for all information systems. Methods for grouping resources are provided. Generally a group of resources should serve the same function or meet the same objective and reside in the same general operating environment.
A definition for major applications in an organization is given. They are applications that are critical to an organization’s success and require special management in order to be properly maintained. System owners should be notified if they oversee a major application and provided with a copy of the application’s system security plan. The plan should contain a reference to the general support system security plan.
A general support system is defined as an interconnected set of information resources under the same direct management control that shares common functionality. It often includes hardware, software, information, data, applications, communications, facilities, people and provides support for a variety of users and applications.
Minor applications are defined as those applications not selected as major applications. It is important to be sure security controls are covering these applications, and that the minor applications are documented in the system security plan as an appendix or a paragraph. [§ 1.5, § 2.1 thru § 2.4, Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1]
US State Laws and Protectorates Guidance
Inventory records systems, critical computing systems, and storage media to identify those containing personal information. [Part I ¶ 2, California OPP Recommended Practices on Notification of Security Breach, May 2008]
ISO Guidance
The organization's assets should be identified; an inventory should be conducted to document and prioritize the importance of all assets. The asset inventory should include information to help recover from a disaster, such as type of asset, location, format, back-up information, license number, and business value. The types of assets that should be inventoried include information, software, hardware, services, and people. [§ 7.1.1, ISO/IEC 17799 Code of Practice for Information Security Management, 2005]
The organization should identify all the resources needed to establish, implement, operate, monitor, review, maintain, and improve the Information Security Management System. An inventory should be maintained of all the organization's identified assets. [§ 5.2.1, Annex A.7.1.1, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
The organization's assets should be identified; an inventory should be conducted to document and prioritize the importance of all assets. The asset inventory should include information to help recover from a disaster, such as type of asset, location, format, back-up information, license number, and business value. The types of assets that should be inventoried include information, software, hardware, services, and people. [§ 7.1.1, ISO/IEC 27002 Code of practice for information security management, 2005]
Security element relationships. An organization should implement the security of ICT systems from different perspectives. Assets are potentially subject to a number of threats. This collection of threats changes constantly over time and is only partially known. As well, the environment changes over time and this change may impact the nature of threats and the probability of their occurrence. Safeguards may be implemented to monitor the threat environment to ensure that no threats develop which can exploit the vulnerability. Constraints affect the selection of safeguards.
Any ICT system comprises assets (particularly information, but also hardware, software, communications services, etc.) that are important to the success of an organization’s business. These assets have value to the organization, which is normally expressed in terms of the impact on business operations from unauthorized disclosure, modification or repudiation of information, or unavailability or destruction of information or service. The impact is first determined regardless of which threats might occur to cause the impact, to be sure of identifying the real values. Then the question of what threats might occur to cause such impact, and the probability of their occurrence, is addressed, i.e. assets could be subject to a number of threats. Then the question of what vulnerabilities (or weaknesses) might be exploited by the threats to cause the impact is addressed, i.e. threats could exploit vulnerabilities to expose assets. Each of these components, i.e. values, threats and vulnerabilities, can increase risk. Measures of risk will then indicate the overall protection requirement, which in real terms is effected or met by the implementation of safeguards. The implemented safeguards then reduce the risk, protect against threats and indeed can reduce vulnerabilities. [§ 3.9, ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004]
Identification of Assets. An asset is a component or part of a total system to which an organization directly assigns value and hence for which the organization requires protection. For the identification of assets it should be borne in mind that an IT system consists of more than hardware and software. For example, asset types can be any of the following:
• information/data (e.g. files containing payment details, product information),
• hardware (e.g. computer, printer),
• software, including applications (e.g. text processing programs, programs developed for special purposes),
• communications equipment (e.g. telephones, copper cable, fiber),
• firmware (e.g. floppy discs, CD Read Only Memories, Programmable ROMs),
• documents (e.g. contracts),
• funds (e.g. in Automatic Teller Machines),
• manufactured goods,
• services (e.g. information services, computing resources),
• confidence and trust in services (e.g. payment services),
• environmental equipment,
• personnel,
• image of the organization.
All assets within the review boundary established must be identified. Conversely, any assets to be excluded from a review boundary, for whatever reason, need to be assigned to another review to ensure that they do not get forgotten or overlooked. [¶ 9.3.2, ISO/IEC 13335-3 Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security, 1998]
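The two checks above, the inventory fields ISO/IEC 17799 § 7.1.1 calls for and the ISO/IEC 13335-3 ¶ 9.3.2 rule that no asset falls outside every review boundary, as an added Python example (not code from UCF or from the cited standards). The sample inventory, review boundaries and the rule that a license number is required only for software assets are constructed assumptions; the last function computes the UCF 01657 metric over the same data.

```python
"""Asset inventory checks: § 7.1.1 record completeness, ¶ 9.3.2 boundary
coverage, and the UCF 01657 key-asset assurance metric (constructed example)."""

# Fields ISO/IEC 17799 § 7.1.1 says an inventory record should carry.
# Assumption: license_number is required only for software assets.
REQUIRED_FIELDS = ("type", "location", "format", "backup", "business_value")
ASSET_TYPES = {"information", "software", "hardware", "services", "people"}

# Constructed sample inventory; ids and values are invented for the example.
INVENTORY = [
    {"id": "A1", "type": "information", "location": "DC-East", "format": "DB",
     "backup": "nightly", "business_value": "high", "key": True,
     "assurance_strategy": "ISMS scope 2009"},
    {"id": "A2", "type": "software", "location": "DC-East", "format": "binary",
     "backup": "weekly", "business_value": "medium", "key": True},
    {"id": "A3", "type": "hardware", "location": "", "format": "server",
     "backup": "n/a", "business_value": "high", "key": True,
     "assurance_strategy": "hardening baseline"},
    {"id": "A4", "type": "people", "location": "HQ", "format": "n/a",
     "backup": "deputy", "business_value": "high", "key": False},
]
# Constructed review boundaries: which review covers which asset ids.
# "A9" is a stale id that no longer exists in the inventory.
REVIEWS = {"review-prod": {"A1", "A3"}, "review-corp": {"A4", "A9"}}


def record_defects(asset):
    """List § 7.1.1 fields that are missing or empty in one inventory record."""
    defects = [f for f in REQUIRED_FIELDS if not asset.get(f)]
    if asset.get("type") and asset["type"] not in ASSET_TYPES:
        defects.append("type(unknown)")
    if asset.get("type") == "software" and not asset.get("license_number"):
        defects.append("license_number")
    return defects


def inventory_defects(inventory):
    """Map asset id -> defect list, only for records that have defects."""
    return {a["id"]: d for a in inventory if (d := record_defects(a))}


def boundary_gaps(inventory, reviews):
    """Apply ¶ 9.3.2: an asset excluded from one review must belong to another.

    Returns (asset ids in no review at all, ids in a review but not in the
    inventory). The first list is what would be forgotten; the second is stale."""
    known = {a["id"] for a in inventory}
    covered = set().union(*reviews.values()) if reviews else set()
    return sorted(known - covered), sorted(covered - known)


def assurance_coverage(inventory):
    """UCF 01657: percent of key assets with an assurance strategy recorded."""
    key = [a for a in inventory if a.get("key")]
    if not key:
        return 0.0
    done = sum(1 for a in key if a.get("assurance_strategy"))
    return round(100.0 * done / len(key), 1)


if __name__ == "__main__":
    print("record defects:", inventory_defects(INVENTORY))
    print("unassigned, stale:", boundary_gaps(INVENTORY, REVIEWS))
    print("key assets with assurance strategy: %.1f%%" % assurance_coverage(INVENTORY))
```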
¶ 8.1.1(6) IT Security Management and Policies. An organization should implement safeguards to achieve an appropriate and consistent level of security throughout the organization. This safeguard category contains all those safeguards dealing with the management of IT security, the planning of what should be done, assignment of responsibilities for these processes, and all other relevant activities. Safeguards in this area are listed below.
6. Asset Identification and Valuation
All assets within an organization and for each IT system should be identified, and their value to the conduct of business should be assessed.
¶ 8.2.4 Network Management. An organization should implement safeguards to achieve network management, which includes planning, operation and administration of networks. The proper configuration and administration of networks is an effective means to reduce risks. Safeguards in the area of network management are listed below.
1. Operational Procedures
The establishment of operational procedures and responsibilities is necessary to ensure the correct and secure operation of networks. This includes the documentation of the operating procedures and the establishment of procedures to react to security relevant incidents.
2. System Planning
In order to ensure reliable functioning and adequate network capacity, advanced planning and preparation, and monitoring (including of loading statistics) should be implemented. Acceptance criteria for new systems should be applied and changes should be controlled and reacted to.
3. Network Configuration
An appropriate network configuration should be implemented for reliable functioning. This includes a standardized approach to the configuration of servers throughout the organization, and good documentation. Servers used for special purposes should only be used for those purposes (e.g. no other tasks should run on a firewall), and sufficient protection from failure should be in place.
4. Network Segregation
In order to minimize the risks and the possibilities of misuse in a network in operation, business areas dealing with critical business issues and information should be kept separate, logically or physically. As well, development facilities should be separated from operational facilities.
5. Network Monitoring
Network monitoring should be used to identify the weaknesses within the existing network configuration. It allows for reconfiguration caused by traffic analysis and helps to identify attackers.
6. Intrusion Detection
Attempts to gain entry to systems or networks and successful unauthorized entry should be detected so that the organization can respond in an appropriate and effective manner. [¶ 8.1.1(6), ¶ 8.2.4, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
¶ 9.5 Other Considerations. When reviewing the network architecture and applications, consideration should also be given to existing network connections within, to or from the organization, and to the network to which the connection is proposed. The organization's existing connections may restrict or prevent new connections, e.g. because of agreements or contracts. The existence of other connections to or from the network to which the connection is required could introduce additional vulnerabilities and thus higher risks, possibly warranting stronger and/or additional safeguards. [¶ 9.5, ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001]
General Guidance
Points out that a key to defining business continuity is being able to identify and confirm the processing and documentation critical to the organization’s key business activities. Their point is that you can’t determine which processes and systems should be replicated off site unless you can place them into their context within the organization’s day-to-day business activities. [§ B.5.a(i), § B.5.a(ii), Business Continuity Institute (BCI) Good Practice Guidelines, 2005]
The organization should assess the performance of the existing plans and information systems in terms of contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses. [PO1.3, CobiT, Version 4.1]
The organization should review the key controls, key reports, and other functionality in the company’s financial processes and determine which are manual and which are automated. [Executive Summary, Phase 1.1, The GAIT Methodology]
Prior to conducting a risk assessment, the organization should identify and prioritize their business objectives and ensure that identification of objectives is consistent across all levels of the organization. [§ 2.1.1, ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals, May 15, 2009]
Facilities that are critical to the functioning of the network should be identified. [NW1.3.1, The Standard of Good Practice for Information Security]
A formal and documented evaluation process must be established, implemented, and maintained by the organization to systematically conduct asset identification and valuation to identify critical activities, products, services, partnerships, functions, stakeholder relationships, supply chains, and the potential impact of an incident based on risk scenarios. [§ 4.3.1 ¶ 1(a), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009]
EU Guidance
[Principle 7.40, ISACA Cross-Border Privacy Impact Assessment]
UK and Canadian Guidance
[§ 5.6.1, § 8.1.1, IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]
Asia and Pacific Rim Guidance
It is required that key business processes be identified and ranked. When determining how to rank each process, consider each of the following:
• failure to meet statutory obligations for service delivery
• failure to meet key stakeholder expectations
• loss of cash flows essential to business operations
• degree of dependency on business processes by internal business units or clients
Concerns of executive and senior management should also be obtained before determining a rank. For each business process to be ranked, determine the activities that constitute that process. Then match resources to the activities. Resources include people, buildings and property, equipment and consumables, and finance. To ensure all key business processes, activities and resources are identified, use this checklist:
• Document and confirm organizational objectives and outputs
• List key business processes that underpin achievement of objectives and delivery of outputs
• Review the functional organization chart to identify general areas of operational responsibility
• Interview managers responsible for key business processes to confirm understanding of activities (complex organization only)
• Document the activities and resources essential to each key business process
• Formally communicate the list of key business processes and supporting activities and resources to the project steering committee [Step 2 Pg 34, Step 2 Pg 35, Australia Better Practice Guide - Business Continuity Management, January 2000]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of key IT assets for which an assurance strategy has been implemented. [UCF Control ID 01657]
• Report on the percentage of key organizational functions for which an assurance strategy has been implemented. [UCF Control ID 01658]
• Report on the percentage of key external requirements for which an assurance strategy has been implemented. [UCF Control ID 01659]
• Report on the percentage of critical information assets and information-dependent functions. [UCF Control ID 02040]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
