Perform a gap analysis to review existing controls for identified risks and implement new controls.

UCF ID: 00704
Control Type: Establish/Maintain Documentation
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App A § I.iv; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj D.2; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Pg 12, Pg D-6; FFIEC IT Examination Handbook – Operations, July 2004, Pg 15; Army Regulation 380-19: Information Systems Security, February 27, 1998, § 5-4.a; The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003, § D.4.2; Business Continuity Institute (BCI) Good Practice Guidelines, 2005, Stage 1.3 Process; Australian Government ICT Security Manual (ACSI 33), § 3.5.15; OMB Circular A-123 Management’s Responsibility for Internal Control, § I.A; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 37, Pg 39; The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002, ¶ 3.2.1; Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009, § 4.3.1 ¶ 2(c), § 4.3.1 ¶ 2(d); BS 25999-1, Business continuity management. Code of practice, 2006, § 6.6.1; BS 25999-2, Business continuity management. Specification, 2007, § 4.1.3.1; Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft), § 3.3

Sarbanes Oxley Guidance

After a risk assessment is completed, the existing controls should be reviewed to confirm that they still protect the system against the identified risks. Where they do not, new controls should be evaluated for implementation, or it should be determined whether the existing control can be upgraded so that it mitigates the risk. [§ I.A, OMB Circular A-123 Management's Responsibility for Internal Control]

The organization should develop a list of all controls that exist for each identified risk and determine whether each control is functioning effectively and correctly. If a control is not functioning correctly, management should decide whether to accept the risk or to implement a compensating control to address the deficiency. [Pg 37, Pg 39, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control]

Banking and Finance Guidance

If the organization fails to meet any standard, it should create a plan to meet the compliance requirements. [App A § I.iv, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]

[Exam Tier II Obj D.2, FFIEC IT Examination Handbook – Audit, August 2003]

The organization should perform a gap analysis. A gap analysis compares the existing business continuity plan against the procedures that should be in place to recover and resume normal business operations, and identifies what is missing. [Pg 12, Pg D-6, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

Controls should be implemented to reduce the internal and external threats to the organization. Management should ensure that the controls are balanced against their cost, their effectiveness, and the operational requirements of the organization. [Pg 15, FFIEC IT Examination Handbook – Operations, July 2004]

US Federal Security Guidance

The organization should review all risks and determine countermeasures for each of the risks. [§ 5-4.a, Army Regulation 380-19: Information Systems Security, February 27, 1998]

Records Management Guidance

[§ D.4.2, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003]

NIST Guidance

Outage impacts may be eliminated or mitigated by preventive measures that deter, detect, and/or reduce the impact to a system. Taking preventive measures is preferable to having to take corrective action after a disruption occurs. Some common preventive controls are as follows: appropriately sized uninterruptible power supply (UPS) systems, gasoline- or diesel-powered generators, air conditioning systems with excess capacity, fire suppression systems, smoke and fire detectors, water sensors in computer rooms, plastic tarps to cover equipment, waterproof and heat-resistant containers, an emergency master system shutdown switch, off-site storage, technical security controls, and frequently scheduled backups. [§ 3.3, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft)]

General Guidance

It is recommended that an organization review the existing control strategies for each identified risk and implement new controls where necessary, or consider appropriate measures for transferring, accepting, reducing, or avoiding each critical risk. [Stage 1.3 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005]

The organization must ensure that recovery time objectives and priorities have been established, and it must evaluate both the direct and indirect costs and benefits of all available options to reduce risk and enhance resilience and sustainability. [§ 4.3.1 ¶ 2(c), § 4.3.1 ¶ 2(d), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009]

UK and Canadian Guidance

Based on the results of the risk assessment and the business impact analysis, the organization should identify measures that will reduce the chances of a disruption occurring; shorten the time period of a disruption; and limit the disruption's impact on key services and products. [§ 6.6.1, BS 25999-1, Business continuity management. Code of practice, 2006]

The organization must, for each of the critical activities, identify the risk treatments that are available to reduce the likelihood of a disruption, shorten the disruption time, and limit the disruption's impact on key services and products. [§ 4.1.3.1, BS 25999-2, Business continuity management. Specification, 2007]

Other European and African Guidance

The Board of Directors should establish a control system to ensure that all identified risks are addressed. [¶ 3.2.1, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002]

Asia and Pacific Rim Guidance

When vulnerabilities cannot be patched, the organization should use other controls to minimize the risks associated with the vulnerabilities. [§ 3.5.15, Australian Government ICT Security Manual (ACSI 33)]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.