Operational management

UCF ID: 00805
Control Type: IT Impact Zone
Status: Live

Supporting and supported controls

This is a top level control.

This control has the following supporting controls:

Authority documents complied with:

AICPA/CICA Privacy Framework, ID 1.2.4; Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 737; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 1.3; The Standard of Good Practice for Information Security, CB1.1.2, CB1.2.2, CB1.3.2, SD3.2.3, SD3.3.3, SD3.4.3; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 4.2.2(f); Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009, § 4.4.6; ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004, § 6.1

Banking and Finance Guidance

The organization should develop a framework for managing risk that should cover the organization's appetite and tolerance for risk. [¶ 737, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]

[Exam Tier I Obj 1.3, FFIEC IT Examination Handbook – Operations, July 2004]

ISO Guidance

The organization should manage the operation of the Information Security Management System. [§ 4.2.2(f), ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

For successful ICT security management, an organization should include the following activities within security management: planning, implementation, and operations and maintenance. [§ 6.1, ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004]

General Guidance

Organizational personnel should review the implementation, configuration, and management of the system, infrastructure, and procedures to ensure they are consistent with the organization's privacy policies. If any inconsistencies are identified, they should be corrected in a timely manner. [ID 1.2.4, AICPA/CICA Privacy Framework]

The operational impact of the loss of availability, the disclosure of confidential information, and/or the accidental or deliberate manipulation of data should be analyzed for the organization in terms of loss of management control, decreased competitiveness with other companies, and new ventures being delayed. [CB1.1.2, CB1.2.2, CB1.3.2, SD3.2.3, SD3.3.3, SD3.4.3, The Standard of Good Practice for Information Security]

The organization must ensure that all operations associated with the identified significant risks, and consistent with the organizational resilience management policy, impact analysis, risk assessment, targets, and objectives, are identified and planned so that they are executed under specified conditions. To ensure they are carried out under those conditions, the organization must: develop, implement, and maintain procedures that address the threats, hazards, and risks to the organization's functions, products, activities, and services, and communicate the applicable procedures and requirements to suppliers; develop, implement, and maintain documented procedures to control any situation that, in the absence of such procedures, could lead to a deviation from the organizational resilience management policy, targets, and objectives; and stipulate operating criteria. The operational control procedures must address the safety and health of persons, resiliency and reliability, and the protection of property and the environment affected by a disruptive incident. [§ 4.4.6, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009]

Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.

Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.