UCF ID: 00805
Control Type: IT Impact Zone
Status: Live
Supporting and supported controls
This is a top level control.
This control has the following supporting controls:
• Establish and maintain operational roles and responsibilities. [UCF Control ID 00806]
• Establish and maintain a Help Desk operations policy. [UCF Control ID 00846]
• Identify and allocate IT costs. [UCF Control ID 00871]
• Establish and maintain a systems preventive maintenance policy. [UCF Control ID 00885]
• Establish a change-management program with all necessary policies and procedures to prevent unauthorized changes. [UCF Control ID 00886]
• Establish and maintain a process to manage the intrusion/incident detection and response framework. [UCF Control ID 00579]
• Establish and maintain a systems redeployment or disposal policy. [UCF Control ID 00901]
• Establish and maintain a software accountability policy. [UCF Control ID 00868]
• Establish and maintain an organizational framework of policies, standards, and procedures. [UCF Control ID 01406]
• Establish and maintain a performance and a capacity management policy. [UCF Control ID 01615]
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 1.2.4; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 737; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 1.3; The Standard of Good Practice for Information Security, CB1.1.2, CB1.2.2, CB1.3.2, SD3.2.3, SD3.3.3, SD3.4.3; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 4.2.2(f); Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009, § 4.4.6; ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004, § 6.1
Banking and Finance Guidance
The organization should develop a framework for managing risk that covers the organization's appetite and tolerance for risk. [¶ 737, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]
[Exam Tier I Obj 1.3, FFIEC IT Examination Handbook – Operations, July 2004]
ISO Guidance
The organization should manage the operation of the Information Security Management System. [§ 4.2.2(f), ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
For successful ICT security management, an organization should include the following activities within security management: planning, implementation, and operations and maintenance. [§ 6.1, ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004]
General Guidance
Organizational personnel should review the implementation, configuration, and management of the system, infrastructure, and procedures to ensure they are consistent with the organization's privacy policies. If any inconsistencies are identified, they should be corrected in a timely manner. [ID 1.2.4, AICPA/CICA Privacy Framework]
The operational impact of the loss of availability, the disclosure of confidential information, and/or the accidental or deliberate manipulation of data should be analyzed for the organization in terms of loss of management control, decreased competitiveness with other companies, and new ventures being delayed. [CB1.1.2, CB1.2.2, CB1.3.2, SD3.2.3, SD3.3.3, SD3.4.3, The Standard of Good Practice for Information Security]
The organization must ensure that all operations associated with the identified significant risks, and consistent with the organizational resilience management policy, impact analysis, risk assessment, targets, and objectives, are identified and planned so that they are executed under specified conditions. To ensure they are carried out under those conditions, the organization must develop, implement, and maintain procedures related to the threats, hazards, and risks to the organization's functions, products, activities, and services, and communicate the applicable procedures and requirements to suppliers; the organization must develop, implement, and maintain documented procedures to control any situations where the absence of such procedures could lead to a deviation from the organizational resilience management policy, targets, and objectives; and the organization must stipulate operating criteria. The operational control procedures must address the safety and health of persons, resiliency and reliability, and the protection of property and the environment affected by a disruptive incident. [§ 4.4.6, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
