Establish, implement, and maintain a Strategic Information Technology Plan.


CONTROL ID
00628
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a strategic plan., CC ID: 12784

This Control has the following implementation support Control(s):
  • Include the Information Governance Plan in the Strategic Information Technology Plan., CC ID: 10053
  • Include business continuity objectives in the Strategic Information Technology Plan., CC ID: 06496
  • Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs., CC ID: 00631
  • Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan., CC ID: 00630
  • Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan., CC ID: 06491
  • Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary., CC ID: 13959
  • Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan., CC ID: 00632
  • Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan., CC ID: 13673
  • Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties., CC ID: 00633
  • Monitor and evaluate the implementation and effectiveness of Information Technology Plans., CC ID: 00634
  • Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors., CC ID: 13094


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In general, the IT planning or steering committee should also be responsible for developing an IT strategy to cover longer and short-term technology-related initiatives, taking into account new business initiatives, organisational changes, technological evolution, regulatory requirements, staffing a… (2.2.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Approving and monitoring major information security projects and the status of information security plans and budgets, establishing priorities, approving standards and procedures (Information Security Committee ¶ 3 Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • More attacks may be targeted at FIs’ internet systems as financial services are increasingly being provided via the internet and more customers transact on this platform. As a counter-measure, the FI should devise a security strategy and put in place measures to ensure the confidentiality, integri… (§ 12.1.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The organization should develop a strategy for replacing assets or implementing compensating controls for the assets that were implemented before the current security management framework became active and do not meet the requirements. (¶ 61, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • the planned strategy and evolution of the architecture of ICT, including third party dependencies; (3.2.2 5(b), Final Report EBA Guidelines on ICT and security risk management)
  • Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be … (3.2.2 6, Final Report EBA Guidelines on ICT and security risk management)
  • how financial institutions' ICT should evolve to effectively support and participate in their business strategy, including the evolution of the organisational structure, ICT system changes and key dependencies with third parties; (3.2.2 5(a), Final Report EBA Guidelines on ICT and security risk management)
  • Competent authorities should assess whether the institution has a framework in place, proportionate to the nature, scale and complexity of its ICT activities, for the preparation and development of the institution's ICT strategy. In conducting this assessment competent authorities should take into a… (Title 2 2.2.1 26., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the proportionality principle as referred to in Article 4; (Art. 7 ¶ 1(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The determinations of the protection needs of the IT systems must be reasoned so that the decisions also will be understandable for persons not involved. In this case reference may be made to the definition of protection needs of the applications. (§ 8.2.4 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Determine protection needs of the IT, ICS systems and other devices on the basis of the protection needs of the business processes and applications (§ 8.2.6 Subsection 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Planning, implementation, maintenance and continuous improvement of a framework regarding information security within the organisation. (Section 5.1 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • The organization's strategic approach must be coordinated by the Management Board with the Supervisory Board. The current implementation level of the strategy must be reported in regular intervals by the Management Board to the Supervisory Board. (¶ 3.2, German Corporate Governance Code ("The Code"), June 6, 2008)
  • The management board shall define an IT strategy that is consistent with the business strategy. The IT strategy shall contain as a minimum: (II.1.2, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Integration into local protective measures (such as secure authentication mechanisms) is established and documented. (C, I, A) (1.2.4 Additional requirements for high protection needs Bullet 5, Information Security Assessment, Version 5.1)
  • (§ 5.2.3, OGC ITIL: Security Management)
  • The Board should review the corporate strategy of the organization. (§ VI.D, OECD Principles of Corporate Governance, 2004)
  • Does cyber-risk play a role in the corporate governance, mission, and philosophy of the organization? (§ I.2, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is the security program part of the organization's long-term plans and short-term plans? (Table Row I.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Has the organization developed a protection strategy and risk mitigation plan to support the organization's mission and priorities? (Table Row I.11, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Enable board and executive understanding of strategic IT issues, such as the role of IT, technology insights and capabilities. Ensure that there is a shared understanding between the business and IT regarding the potential contribution of IT to the business strategy. Work with the board and the esta… (ME4.2 Strategic Alignment, CobiT, Version 4.1)
  • Analyse existing and emerging technologies, and plan which technological direction is appropriate to realise the IT strategy and the business systems architecture. Also identify in the plan which technologies have the potential to create business opportunities. The plan should address systems archit… (PO3.1 Technological Direction Planning, CobiT, Version 4.1)
  • Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise's strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how… (PO1.4 IT Strategic Plan, CobiT, Version 4.1)
  • The Information Technology Service Continuity (ITSC) strategy should be aligned with the overall IT strategy and business goals, and both strategies should be assessed and updated continually. (§ 5.2 ¶ 3(b), PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The overall IT strategy needs to be identified after the Chief Audit Executives (CAEs) and internal auditors have become familiar with the objectives of the organization. The CAEs and internal auditors need to read, obtain, and understand the documentation that shows the relationship between the bus… (§ 5.1.2, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • Long-term and short-term IT strategic plans should be developed by the IT department and they should be aligned with the long- and short-term plans of the organization. (§ 3.1, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The organization must ensure that it has established and maintains at least one strategic program to achieve its objectives and targets. The strategic program must include designating responsibility and resources; consideration of its functions, activities, legal or regulatory requirements, stakehol… (§ 4.3.3 ¶ 4, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization's governing body (e.g., board of directors or equivalent) should ensure that the information security governance framework is supported by an information security strategy. (SG.01.01.02c-1, The Standard of Good Practice for Information Security)
  • The high-level working group, committee, or equivalent body responsible for coordinating the overall information security activity should approve changes to the information security strategy, where appropriate. (SG.02.01.05b, The Standard of Good Practice for Information Security)
  • An organization-wide group of information protection champions should be established (supported by mailing lists, regular teleconference calls, and meetings) to help them determine the best approach to apply security measures in the local environment. (CF.12.02.06d, The Standard of Good Practice for Information Security)
  • The organization's governing body (e.g., board of directors or equivalent) should ensure that the information security governance framework is supported by an information security strategy. (SG.01.01.02c-1, The Standard of Good Practice for Information Security, 2013)
  • The high-level working group, committee, or equivalent body responsible for coordinating the overall information security activity should approve changes to the information security strategy, where appropriate. (SG.02.01.05b, The Standard of Good Practice for Information Security, 2013)
  • An organization-wide group of information protection champions should be established (supported by mailing lists, regular teleconference calls, and meetings) to help them determine the best approach to apply security measures in the local environment. (CF.12.02.06d, The Standard of Good Practice for Information Security, 2013)
  • The high-level working group, committee, or equivalent body should support the Chief Information Security Officer (or equivalent) in establishing the organization's overall approach to Information Security by reviewing the overall information security strategy prior to sign off by the governing body… (SG.01.02.06b, The Standard of Good Practice for Information Security, 2013)
  • The information security policy shall be supported by a strategic plan and a security program with well defined roles and responsibilities for leadership and officer roles. (IS-03, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Security principles. An organization should establish an effective ICT (Information and Communications Technology) security program. This document should utilize the following high-level security principles. Risk management: Assets should be protected through the adoption of appropriate safeguards. … (§ 3.1, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • An organization should select a corporate risk analysis strategy, after assessing the security requirements of the IT systems and services. The recommended option involves conducting a high level risk analysis for all IT systems to identify those systems at high risk. These systems are then examined… (¶ 6, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • IT Security Management and Policies. An organization should implement safeguards to achieve an appropriate and consistent level of security throughout an organization. This safeguard category contains all those safeguards dealing with the management of IT security, the planning of what should be … (¶ 8.1.1, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Identification Process. A recommended process for the identification and analysis of the communications related factors that should be taken into account to establish network security requirements, and the provision of an indication of the potential safeguard areas. When considering network connecti… (¶ 7.2, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The governing body should provide direction for, and have sufficient oversight of, the use of data and its supporting information technology to ensure the organization remains within its established risk appetite and organizational risk framework. This can include: (§ 6.8.3.4 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; (§ 6.8.3.4 ¶ 2 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • innovation processes to ensure that changes in information technology can quickly be assessed and, if necessary and appropriate, governance policies can be updated to leverage new opportunities; (§ 6.8.3.4 ¶ 2 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall develop a strategic IT asset management plan which includes documentation of the role of the IT asset management system in supporting achievement of the IT asset management objectives. (Section 4.4 ¶ 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • ensuring that the IT asset management policy, the strategic IT asset management plan and IT asset management objectives are established and are compatible with the strategic direction of the organization and organizational objectives; (Section 5.1 ¶ 1 bullet 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • when crafting business strategies that incorporate the use of AI; (§ 4.3 ¶ 6 Bullet 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • the service organization's use of technology, including its applications, infrastructure, network architecture, use of mobile devices, use of cloud technologies, and the types of external party access or connectivity to the system; (¶ 3.59 Bullet 9 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The vision, mission, objectives, and goals of the program must be defined in the strategic plan. The strategic plan should be reviewed annually, updated when necessary, and re-evaluated when regulatory requirements change; when new hazards are identified; when existing hazards change; when organizat… (§ 5.8.3.3, Annex A.5.8.3.3, Disaster / Emergency Management and Business Continuity, NFPA 1600, 2007 Edition)
  • Does the information security function develop and maintain an overall strategic security plan? (§ C.1.4, Shared Assessments Standardized Information Gathering Questionnaire - C. Organizational Security, 7.0)
  • The agency head must ensure the strategic and operational planning processes are integrated with the information security management processes. (§ 3544(a)(1)(C), Federal Information Security Management Act of 2002, Deprecated)
  • Assessment of future enterprise IT needs. (IV Action Summary ¶ 2 Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Assessing and updating management's strategies and plans for AIO functions. (App A Objective 2:4c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Responsibilities within the AIO functions through defining those responsibilities and determining the effectiveness of the IT strategic planning process. (App A Objective 2:5b, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Documentation of the architecture plan, including policies, standards, and procedures. (IV Action Summary ¶ 2 Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institution boards should oversee, while senior management should implement, an IT planning process with the following elements: - Long-term goals and the allocation of IT resources to achieve them, usually within a three- to five-year horizon. - Alignment of the IT strategic plan with the… (I.B.6 Planning IT Operations and Investment, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Is responsible for effective strategic IT planning, oversight of IT performance, and aligning IT with business needs. (App A Objective 2:6 i., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • IT strategic plans. (App A Objective 4:1 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The ability of management to plan for and initiate new activities or products in response to information needs and to address risks that may arise from changing business conditions; (TIER II OBJECTIVES AND PROCEDURES A:1. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether audit procedures for management adequately consider ▪ The ability of management to plan for and initiate new activities or products in response to information needs and to address risks that may arise from changing business conditions; ▪ The ability of management to provide rep… (Exam Tier II Obj A.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Obj 2.1 Pg 19, Pg A-2 The Board of Directors should be responsible for approving an e-banking strategy. The level of e-banking should be based on the customer's needs and risk assessment findings. E-banking decisions should be consistent with the organization's strategic and operating plans. (Obj 2.1, Pg 19, Pg A-2, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Pg 13, Pg 17, Exam Obj 3.5 The strategic plan should include long-term goals, how to allocate IT resources, budgets, how to report to the Board, and the status of controls. The Management Information System (MIS) should be used to support the organization's strategic goals and objectives. Pg 16 The … (Pg 13, Pg 17, Exam Obj 3.5, Pg 16, FFIEC IT Examination Handbook - Management)
  • The Board of Directors and senior management should create a strategic technology plan. (Pg 4, Exam Tier I Obj 8.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization's strategic plan should state that management has assessed the risks to the organization and has documented the ways to mitigate them. (Pg 26, Exam Tier I Obj 6.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization should create a strategic plan to address the goals and objectives of the application, including the information technology and network components required for the business plan. (Pg 23, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • All information systems are required to be covered by a system security plan and labeled as a major application or general support system. Minor applications do not require system security plans because the general security system often covers them already. If they are not covered, then they should … (§ 1.5, Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1)
  • Manage the information technology (IT) planning process to ensure that developed solutions meet customer requirements. (T0497, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide strategic guidance to corporate officers regarding information resources and technology (T0874, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must develop and implement a strategic planning policy. (SG.PL-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The strategic planning policy must include the objectives, roles, and responsibilities of the program. (SG.PL-1 Requirement 1.a.i, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The strategic planning policy must include the scope of the program. (SG.PL-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Provide strategic guidance to corporate officers regarding information resources and technology (T0874, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Manage the information technology (IT) planning process to ensure that developed solutions meet customer requirements. (T0497, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization should develop strategic plans and set performance goals. (§ III (GPRA), OMB Circular A-123, Management's Responsibility for Internal Control)
  • The strategic information resources management (IRM) plan shall include a summary of the security plans. (§ A.3.a.2, § A.3.b.2, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • Preserving and extending the open, free, global, interoperable, reliable, and secure Internet requires sustained engagement in standards development processes to instill our values and ensure that technical standards produce technologies that are more secure and resilient. As autocratic regimes seek… (STRATEGIC OBJECTIVE 4.1 ¶ 2, National Cybersecurity Strategy)