Review past audit reports and Business Impact Analyses for outstanding issues.

UCF ID: 01148
Control Type: Process or Activity
Status: Live

Supporting and supported controls

This control directly supports:

There are no supporting controls.

Authority documents complied with:

SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.11; Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Obj 1; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier I Obj 1.1; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier I Obj 1.1; FFIEC IT Examination Handbook – Development and Acquisition, Exam Obj 1.1; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 1.1; FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 1.1, Exam Tier II Obj L.2; FFIEC IT Examination Handbook – Management, Exam Obj 1.1; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 1.1; FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004, Exam Tier I Obj 1.1; CobiT, Version 4.1, PO1.3; The Standard of Good Practice for Information Security, SM3.4.5(d), CB5.3.4(d), CI5.4.5(d), NW4.4.5(d), SD3.5.5(d); ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 4.2.3(b); OMB Circular A-123 Management’s Responsibility for Internal Control, § II.B; PAS 77 IT Service Continuity Management. Code of Practice, 2006, § 5.4 ¶ 2

Sarbanes Oxley Guidance

When the auditor uses past audit reports to gain information about the organization and its environment, he/she should determine if any changes have been made that could affect the previous conditions. [§ 314.11, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]

Risks previously identified by auditors and management reviews should be reviewed when identifying current risks. [§ II.B, OMB Circular A-123 Management’s Responsibility for Internal Control]

Banking and Finance Guidance

Review past examination findings, prior examination working papers, audit reports, and policies and procedures to identify any problems that require follow-up action. [Obj 1, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]

[Exam Tier I Obj 1.1, FFIEC IT Examination Handbook – Audit, August 2003]

[Exam Tier I Obj 1.1, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]

[Exam Obj 1.1, FFIEC IT Examination Handbook – Development and Acquisition]

[Obj 1.1, FFIEC IT Examination Handbook – E-Banking, August 2003]

[Exam Tier I Obj 1.1, Exam Tier II Obj L.2, FFIEC IT Examination Handbook – Information Security]

[Exam Obj 1.1, FFIEC IT Examination Handbook – Management]

[Exam Tier I Obj 1.1, FFIEC IT Examination Handbook – Operations, July 2004]

[Exam Tier I Obj 1.1, FFIEC IT Examination Handbook – Outsourcing Technology Services, June 2004]

ISO Guidance

The organization should regularly review the results of security audits to ensure their effectiveness. [§ 4.2.3(b), ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]

General Guidance

The organization is called upon to assess the performance of the existing plans and information systems. In order to do that, the organization can turn to reviewing past audit reports as a solid source of historical information. [PO1.3, CobiT, Version 4.1]

Previous risk analyses should be reviewed when performing a risk analysis. [SM3.4.5(d), CB5.3.4(d), CI5.4.5(d), NW4.4.5(d), SD3.5.5(d), The Standard of Good Practice for Information Security]

UK and Canadian Guidance

History and trend reports that highlight downtime experiences, proven areas of weakness, and service level reports should be used to aid in the Information Technology Service Continuity (ITSC) strategy. [§ 5.4 ¶ 2, PAS 77 IT Service Continuity Management. Code of Practice, 2006]


Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.


Site and content © Copyright 2003-2009 Network Frontiers, LLC. All rights reserved.