Status: Live
The organization will ensure that the system development life cycle methodology includes analyses of alternative courses of action. [UCF ID 01128]
Supporting and supported controls
This control directly supports:
- Acquisition of facilities, technology, and services [UCF Control ID 01123]
There are no supporting controls.
Authority documents complied with:
CobiT 4.1, AI1.3; The Standard of Good Practice for Information Security, SD4.4.4(c)
General Guidance
The organization is called upon to develop a feasibility study that examines the possibility of implementing the requirements. It should identify alternative courses of action for software, hardware, services and skills that meet established business functional and technical requirements, and evaluate the technological and economic feasibility (potential cost and benefit analysis) of each of the identified courses of action in the context of the IT-enabled investment program. There may be several iterations in developing the feasibility study, as the effect of factors such as changes to business processes, technology and skills are assessed. Business management, supported by the IT function, should assess the feasibility and alternative courses of action and make a recommendation to the business sponsor. [AI1.3, CobiT 4.1]
Alternative courses of action should be considered when the identified solution cannot meet security requirements.
If the hardware or software does not meet the required level of security, alternative methods of providing the appropriate security level should be considered. [SD4.4.4(c), The Standard of Good Practice for Information Security]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
