Status: Live
The organization will develop, disseminate, and review: 1) a formal operational management policy and standards that address purpose, scope, RACI info, and compliance; and 2) formal procedures to facilitate implementing the policy. [UCF ID 00805]
Supporting and supported controls
This is a top level control.
This control has the following supporting controls:
• Defining operational roles and responsibilities [UCF Control ID 00806]
• Help Desk operations [UCF Control ID 00846]
• Identify and allocate IT costs [UCF Control ID 00871]
• Systems preventative maintenance [UCF Control ID 00885]
• A change management program, with all necessary policies and procedures, will be established to prevent unauthorized changes [UCF Control ID 00886]
• Manage the intrusion and incident detection and response framework [UCF Control ID 00579]
• Systems redeployment or disposal [UCF Control ID 00901]
• Software accountability [UCF Control ID 00868]
• Establish an organizational framework of policies, standards, and procedures [UCF Control ID 01406]
• Performance and capacity management [UCF Control ID 01615]
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 1.2.4; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 737; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 1.3; The Standard of Good Practice for Information Security, CB1.1.2, CB1.2.2, CB1.3.2, SD3.2.3, SD3.3.3, SD3.4.3; ISO 27001:2005, Information Security Management Systems - Requirements, § 4.2.2(f); Archer Control Table, ATCS-021, ATCS-029
Sarbanes Oxley Guidance
Organizational personnel should review the implementation, configuration, and management of the system, infrastructure, and procedures to ensure they are consistent with the organization's privacy policies. If any inconsistencies are identified, they should be corrected in a timely manner. [ID 1.2.4, AICPA/CICA Privacy Framework]
Banking and Finance Guidance
The organization should develop a framework for managing risk that should cover the organization's appetite and tolerance for risk. [¶ 737, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]
[Exam Tier I Obj 1.3, FFIEC IT Examination Handbook – Operations, July 2004]
ISO Guidance
The organization should manage the operation of the Information Security Management System. [§ 4.2.2(f), ISO 27001:2005, Information Security Management Systems - Requirements]
General Guidance
The operational impact of the loss of availability, the disclosure of confidential information, and/or the accidental or deliberate manipulation of data should be analyzed for the organization in terms of loss of management control, decreased competitiveness with other companies, and new ventures being delayed. [CB1.1.2, CB1.2.2, CB1.3.2, SD3.2.3, SD3.3.3, SD3.4.3, The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
