Status: Live
Each department will identify and map all information processes and applications that are significant enough to fall under external or internal information governance and compliance. [UCF ID 00688]
Supporting and supported controls
This control directly supports:
• Defining the scope of the organizational compliance framework and controls for your organization [UCF Control ID 01241]
This control has the following supporting controls:
• Maintain asset discovery audit trails [UCF Control ID 00689]
• Document systems by identifying their boundaries and assigning them to a category [UCF Control ID 00695]
• Establish and document assurance categories for information systems [UCF Control ID 01608]
Authority documents complied with:
FFIEC IT Examination Handbook – Information Security, Pg 11, Exam Tier I Obj 2.2; Federal Information System Controls Audit Manual (FISCAM), February 2009, App VI.1.1; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § B.4, § B.4.2 thru § B.4.2.3; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.3.1; Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1, § 1.5, § 2.1 thru § 2.4; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, § B.5.a(i), § B.5.a(ii); CobiT 4.1, PO1.3; The GAIT Methodology, Executive Summary, Phase 1.1; ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals, May 15, 2009, § 2.1.1; The Standard of Good Practice for Information Security, NW1.3.1; ISO 17799:2005 Code of Practice for Information Security Management, § 7.1.1; ISO 27001:2005, Information Security Management Systems - Requirements, § 5.2.1, Annex A.7.1.1; ISO/IEC 27002-2005 Code of practice for information security management, § 7.1.1; ISACA Cross-Border Privacy Impact Assessment, Principle 7.40; IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005, § 5.6.1, § 8.1.1; Australia Better Practice Guide - Business Continuity Management, January 2000, Step 2 Pg 34, Step 2 Pg 35; Archer Control Table, ATCS-643; California OPP Recommended Practices on Notification of Security Breach, May 2008, Part I ¶ 2
Banking and Finance Guidance
The risk assessment should identify all information and systems that need to be protected by the organization. These assets can be either paper-based or electronic-based. [Pg 11, Exam Tier I Obj 2.2, FFIEC IT Examination Handbook – Information Security]
US Federal Security Guidance
States the need for organizations to identify computer applications significant to the financial statements of the organization. Significant applications are those with auditable line items and accounts under investigation or that are material to the organization. [App VI.1.1, Federal Information System Controls Audit Manual (FISCAM), February 2009]
Records Management Guidance
Suggests that the interview identify:
• “your organization’s goals and the strategies to achieve these goals;
• the broad functions the organization undertakes to support its goals and strategies;
• the activities that contribute to the fulfillment of the organization’s functions; and
• the groups of recurring transactions or processes that make up each of these activities.”
§ B.4.2 further defines the differences between function, activity, and transaction as follows:
• Functions are the largest unit of business activity in an organization. They represent the major responsibilities that are managed by the organization to fulfill its goals. Functions are high-level aggregates of the organization’s activities.
• Activities are the major tasks performed by the organization to accomplish each of its functions. Several activities may be associated with each function.
• Transactions are the smallest unit of business activity. They should be tasks, not subjects or record types. Transactions will help define the scope or boundaries of activities and provide the basis for identifying the records that are required to meet the business needs of the organization. The identification of transactions will also help in the formulation of the records description part of a records disposal authority.
§ B.4.2.1 suggests assigning specific terms to functions and activities. The choice of terminology should depend upon the way in which the organization has defined its functions, activities, and transactions. By choosing and documenting terminology, you will be able to create an unambiguous and integrated business classification scheme.
§ B.4.2.2 takes this further and asks the analyst to create a glossary entry for each of the terms, much like a glossary entry used for writing purposes. The analyst produces much the same thing, using documentary sources or interviewees as the authority sources and the interview or research material as the basis for the definition of the term being described.
§ B.4.2.3 takes this one step further by asking the analyst to document dates for functions and activities. These dates “establish a time frame, which will be useful for the development and application of the linked record keeping tools such as a thesaurus and disposal authority”. In practical terms, this provides more metadata that you can feed into your recordkeeping system. [§ B.4, § B.4.2 thru § B.4.2.3, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]
NIST Guidance
Prior to conducting a risk assessment, the system under consideration must be identified and analyzed, documenting the system’s level of detail and formality. [§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
Information resources should be clearly assigned to an information system – which directly supports business processing and therefore supports the business functions, activities, and tasks. Doing this creates clear boundaries for all information systems. Methods for grouping resources are provided. Generally, a group of resources should serve the same function or meet the same objective and reside in the same general operating environment.
A definition for major applications in an organization is given. They are applications that are critical to an organization’s success and require special management in order to be properly maintained. System owners should be notified if they oversee a major application and provided with a copy of the application’s system security plan. The plan should contain a reference to the general support system security plan.
A general support system is defined as an interconnected set of information resources under the same direct management control that shares common functionality. It often includes hardware, software, information, data, applications, communications, facilities, people and provides support for a variety of users and applications.
Minor applications are defined as those applications not selected as major applications. It is important to be sure security controls are covering these applications, and that the minor applications are documented in the system security plan as an appendix or a paragraph. [§ 1.5, § 2.1 thru § 2.4, Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1]
US State Laws and Protectorates Guidance
Inventory records systems, critical computing systems, and storage media to identify those containing personal information. [Part I ¶ 2, California OPP Recommended Practices on Notification of Security Breach, May 2008]
ISO Guidance
The organization's assets should be identified; an inventory should be conducted to document and prioritize the importance of all assets. The asset inventory should include information to help recover from a disaster, such as type of asset, location, format, back-up information, license number, and business value. The types of assets that should be inventoried include information, software, hardware, services, and people. [§ 7.1.1, ISO 17799:2005 Code of Practice for Information Security Management]
The organization should identify all the resources needed to establish, implement, operate, monitor, review, maintain, and improve the Information Security Management System. An inventory should be maintained of all the organization's identified assets. [§ 5.2.1, Annex A.7.1.1, ISO 27001:2005, Information Security Management Systems - Requirements]
The organization's assets should be identified; an inventory should be conducted to document and prioritize the importance of all assets. The asset inventory should include information to help recover from a disaster, such as type of asset, location, format, back-up information, license number, and business value. The types of assets that should be inventoried include information, software, hardware, services, and people. [§ 7.1.1, ISO/IEC 27002-2005 Code of practice for information security management]
General Guidance
Points out that a key to defining business continuity is being able to identify and confirm the processing and documentation critical to the organization’s key business activities. Their point is that you can’t determine which processes and systems should be replicated off site unless you can place them into their context within the organization’s day-to-day business activities. [§ B.5.a(i), § B.5.a(ii), Business Continuity Institute (BCI) Good Practice Guidelines, 2005]
The organization should assess the performance of the existing plans and information systems in terms of contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses. [PO1.3, CobiT 4.1]
The organization should review the key controls, key reports, and other functionality in the company’s financial processes and determine which are manual and which are automated. [Executive Summary, Phase 1.1, The GAIT Methodology]
Prior to conducting a risk assessment, the organization should identify and prioritize their business objectives and ensure that identification of objectives is consistent across all levels of the organization. [§ 2.1.1, ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals, May 15, 2009]
Facilities that are critical to the functioning of the network should be identified. [NW1.3.1, The Standard of Good Practice for Information Security]
EU Guidance
[Principle 7.40, ISACA Cross-Border Privacy Impact Assessment]
UK and Canadian Guidance
[§ 5.6.1, § 8.1.1, IT Service Management Standard - Code of Practice, BS ISO/IEC 20000-2:2005]
Asia and Pacific Rim Guidance
It is required that key business processes be identified and ranked. When determining how to rank each process, consider the impact of each of the following:
• failure to meet statutory obligations for service delivery
• failure to meet key stakeholder expectations
• loss of cash flows essential to business operations
• degree of dependency on business processes by internal business units or clients
Concerns of executive and senior management should also be obtained before determining a rank. For each business process to be ranked, determine the activities that constitute that process. Then match resources to the activities. Resources include people, buildings and property, equipment and consumables, and finance. To ensure all key business processes, activities, and resources are identified, use this checklist:
• Document and confirm organizational objectives and outputs
• List key business processes that underpin achievement of objectives and delivery of outputs
• Review the functional organization chart to identify general areas of operational responsibility
• Interview managers responsible for key business processes to confirm understanding of activities (complex organization only)
• Document the activities and resources essential to each key business process
• Formally communicate the list of key business processes and supporting activities and resources to the project steering committee [Step 2 Pg 34, Step 2 Pg 35, Australia Better Practice Guide - Business Continuity Management, January 2000]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of key IT assets for which an assurance strategy has been implemented [UCF Control ID 01657]
• Report on the percentage of key organizational functions for which an assurance strategy has been implemented [UCF Control ID 01658]
• Report on the percentage of key external requirements for which an assurance strategy has been implemented [UCF Control ID 01659]
• Report on the percentage of critical information assets and information-dependent functions [UCF Control ID 02040]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
