Operational management

Status: Live

The organization will develop, disseminate, and review: 1) a formal operational management policy and standards that address purpose, scope, roles and responsibilities (RACI), and compliance; and 2) formal procedures to facilitate implementing the policy. [UCF ID 00805]

Supporting and supported controls

This is a top level control.

This control has the following supporting controls:

Authority documents complied with:

AICPA/CICA Privacy Framework, ID 1.2.4; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 737; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 1.3; The Standard of Good Practice for Information Security, CB1.1.2, CB1.2.2, CB1.3.2, SD3.2.3, SD3.3.3, SD3.4.3; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.2(f); Archer Control Table, ATCS-021, ATCS-029

Sarbanes Oxley Guidance

Organizational personnel should review the implementation, configuration, and management of the system, infrastructure, and procedures to ensure they are consistent with the organization's privacy policies. If any inconsistencies are identified, they should be corrected in a timely manner. [ID 1.2.4, AICPA/CICA Privacy Framework]

Banking and Finance Guidance

The organization should develop a framework for managing risk that should cover the organization's appetite and tolerance for risk. [¶ 737, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

[Exam Tier I Obj 1.3, FFIEC IT Examination Handbook – Operations, July 2004]

ISO Guidance

The organization should manage the operation of the Information Security Management System. [§ 4.2.2(f), ISO 27001:2005, Information Security Management Systems - Requirements]

General Guidance

The operational impact of a loss of availability, a disclosure of confidential information, and/or accidental or deliberate manipulation of data should be analyzed for the organization in terms of loss of management control, decreased competitiveness with other companies, and delays to new ventures. [CB1.1.2, CB1.2.2, CB1.3.2, SD3.2.3, SD3.3.3, SD3.4.3, The Standard of Good Practice for Information Security]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.