Establish, implement, and maintain sustainable infrastructure planning.


CONTROL ID
00603
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598

This Control has the following implementation support Control(s):
  • Take into account the need for protecting information confidentiality during infrastructure planning., CC ID: 06486


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The computerization committee must define how technologies are introduced into the organization and must stay current with information technology trends. This is a control item that constitutes a relatively small risk to financial information. This is a company-level IT control. (App 2-1 Item Number I.2.1(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business functional and technical requirements and is in accord with the organisation's technology direction. (AI3.1 Technological Infrastructure Acquisition Plan, CobiT, Version 4.1)
  • Create and maintain a technology infrastructure plan that is in accordance with the IT strategic and tactical plans. The plan should be based on the technological direction and include contingency arrangements and direction for acquisition of technology resources. It should consider changes in the c… (PO3.2 Technology Infrastructure Plan, CobiT, Version 4.1)
  • ensures its contribution to sustainable development; (§ 5 ¶ 2 b) 4), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. (Table 1 Column 4 Row 12, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should ensure that the organization remains viable, and performs over time, without compromising the ability of current and future generations to meet their needs. (§ 6.11.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The aim of governance, and the duty of the governing body, is to create the conditions for, and to enable, the organization to perform over time, such that it fulfils its organizational purpose and generates value as intended. An organization can be said to be contributing to sustainable development… (§ 4.2.4 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The output of this planning shall be suitable for the organization's operations. (8.1 ¶ 2, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • if planning has been implemented effectively; (9.1.3 ¶ 2(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the use of suitable infrastructure and environment for the operation of processes; (8.5.1 ¶ 2(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall integrate the planning to achieve IT asset management objectives with other organizational planning activities, including financial, human resources and other support functions. (Section 6.2.4 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Determine the placement of the system within the enterprise architecture. (TASK P-16, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Once a risk profile has been determined for the chosen strategy, management is better able to consider the types and amount of risk it will face in carrying out that strategy. Specifically, knowing the risk profile allows management to determine what resources will be required and allocated to suppo… (Understanding the Implications from Chosen Strategy ¶ 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The CIO is responsible for developing, maintaining, and facilitating the implementation of a sound and integrated information technology architecture. (§ 5125(b)(2), Clinger-Cohen Act (Information Technology Management Reform Act))
  • Management implements an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity's business objectives. (V, "Infrastructure") (App A Objective 13, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should implement an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity's business objectives. Management should develop, document, and implement infrastructure control policies, standards, and procedures to saf… (V Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Develop, implement, and recommend changes to appropriate planning procedures and policies. (T0670, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop strategy and processes for partner planning, operations, and capability development. (T0669, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Maintain situational awareness and functionality of organic operational infrastructure. (T0740, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide information and assessments for the purposes of informing leadership and customers; developing and refining objectives; supporting operation planning and execution; and assessing the effects of operations. (T0786, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide information and assessments for the purposes of informing leadership and customers; developing and refining objectives; supporting operation planning and execution; and assessing the effects of operations. (T0876, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide information and assessments for the purposes of informing leadership and customers; developing and refining objectives; supporting operation planning and execution; and assessing the effects of operations. (T0786, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop strategy and processes for partner planning, operations, and capability development. (T0669, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Maintain situational awareness and functionality of organic operational infrastructure. (T0740, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)