UCF ID: 01615
Control Type: Behavior
Status: Live
Supporting and supported controls
This control directly supports:
• Operational management [UCF Control ID 00805]
This control has the following supporting controls:
• Establish and maintain capacity modeling tools. [UCF Control ID 00936]
• Ensure the organization uses proactive performance management. [UCF Control ID 00937]
• Ensure the organization uses workload forecasting. [UCF Control ID 00938]
• Ensure the organization conducts resource capacity management practices. [UCF Control ID 00939]
• Ensure the organization conducts resource availability management practices. [UCF Control ID 00940]
• Ensure the organization follows a resource workload and maintenance schedule. [UCF Control ID 00941]
• Perform current capacity and performance reviews. [UCF Control ID 01616]
• Establish future capacity and performance forecasting methods. [UCF Control ID 01617]
• Align IT resource availability planning with capacity planning. [UCF Control ID 01618]
• Establish and maintain a standard and procedures for ongoing capacity and performance monitoring. [UCF Control ID 01619]
Authority documents complied with:
FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 5.1; CobiT, Version 4.1, DS3.1; ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008, § 13.3, § 13.5, § H.3, § H.5; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 7.7, § 7.14.5
Banking and Finance Guidance
[Exam Tier I Obj 5.1, FFIEC IT Examination Handbook – Operations, July 2004]
ISO Guidance
The system data that should have limits placed on them should be specified. Some examples are number of users logged on the system and the size of the audit trail. The system should also state what actions are to be taken if the limit is reached or exceeded. Security attributes should have expiration times set and actions to take when the time period expires. Examples are certificates, access control attributes, identification and authentication attributes, and audit attributes. [§ 13.3, § 13.5, § H.3, § H.5, ISO/IEC 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008]
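The ISO guidance above asks for three things to be specified together: which items of system data carry a limit, what the system does when a limit is reached or exceeded, and what happens when a time-bounded security attribute expires. The following is an added illustration, not text or code from the UCF page or from ISO/IEC 15408-2, of how such a specification can be written down as data and evaluated; the limit values, attribute names and action labels are constructed samples, not values from the standard.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Limit:
    """A limit on one item of system data, with the action for each outcome."""
    name: str
    maximum: int
    on_reached: str    # action when the value equals the limit
    on_exceeded: str   # action when the value goes beyond the limit


@dataclass(frozen=True)
class SecurityAttribute:
    """A security attribute with an expiration time and the action taken at expiry."""
    subject: str
    kind: str          # e.g. "certificate", "access_control", "audit"
    expires_at: datetime
    on_expiry: str     # action when the time period has passed


class LimitPolicy:
    """Holds the specified limits and records every check as an auditable event."""

    def __init__(self) -> None:
        self.limits: Dict[str, Limit] = {}
        self.events: List[Tuple[str, int, str]] = []

    def add_limit(self, limit: Limit) -> None:
        self.limits[limit.name] = limit

    def check(self, name: str, value: int) -> str:
        """Return the action the system should take for the current value."""
        limit = self.limits[name]  # KeyError: an item with no specified limit is a policy gap
        if value > limit.maximum:
            action = limit.on_exceeded
        elif value == limit.maximum:
            action = limit.on_reached
        else:
            action = "allow"
        self.events.append((name, value, action))
        return action


def expired_attributes(attrs: List[SecurityAttribute], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (subject, kind, action) for every attribute whose time period has expired."""
    return [(a.subject, a.kind, a.on_expiry) for a in attrs if a.expires_at <= now]


def build_example_policy() -> LimitPolicy:
    """Constructed sample limits; the numbers are illustrative, not from the standard."""
    policy = LimitPolicy()
    policy.add_limit(Limit("logged_on_users", 50, "alert_admin", "deny_new_logons"))
    policy.add_limit(Limit("audit_trail_bytes", 10_000_000, "alert_admin", "archive_and_rotate"))
    return policy


def example_attributes() -> List[SecurityAttribute]:
    """Constructed sample attributes with fixed expiry times so the run is deterministic."""
    utc = timezone.utc
    return [
        SecurityAttribute("alice", "certificate", datetime(2024, 1, 1, tzinfo=utc), "revoke_and_reissue"),
        SecurityAttribute("bob", "access_control", datetime(2024, 12, 31, tzinfo=utc), "remove_group_membership"),
        SecurityAttribute("audit_key", "audit", datetime(2024, 3, 1, tzinfo=utc), "rotate_signing_key"),
    ]


def run_demo(now: datetime = datetime(2024, 6, 1, tzinfo=timezone.utc)) -> dict:
    """Evaluate the sample policy at a fixed point in time and return the decisions."""
    policy = build_example_policy()
    return {
        "users_normal": policy.check("logged_on_users", 10),
        "users_at_limit": policy.check("logged_on_users", 50),
        "users_over_limit": policy.check("logged_on_users", 51),
        "audit_over_limit": policy.check("audit_trail_bytes", 10_000_001),
        "expired": expired_attributes(example_attributes(), now),
        "event_count": len(policy.events),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point of keeping limits, actions and expiry rules as explicit data rather than scattered `if` statements is that the specification the guidance asks for becomes something an evaluator can read, and every check leaves an event behind for the audit trail.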
Outsourced service providers should ensure several organizations can be provided recovery services at the recovery facilities simultaneously and each organization can operate its subscribed services in a manner independent of each other. Services and supporting resources that are offered during simultaneous recoveries should not be diminished, reduced, or affected in any manner. Outsourced service providers should ensure changes in capacity and capability to contracted services are communicated to organizations for their own internal deliberations. Summaries of new capabilities, services, capacities, and related tests and test results should be communicated to the organization. [§ 7.7, § 7.14.5, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
General Guidance
The organization is called upon to establish a planning process for the review of performance and capacity of IT resources to ensure that cost-justifiable capacity and performance are available to process the agreed-upon workloads as determined by the service level agreements. Capacity and performance plans should leverage appropriate modeling techniques to produce a model of the current and forecasted performance, capacity and throughput of the IT resources. [DS3.1, CobiT, Version 4.1]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
