Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan.


CONTROL ID
00630
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Strategic Information Technology Plan, CC ID: 00628

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The ICT strategy should be aligned with financial institutions' overall business strategy and should define: (3.2.2 5, Final Report EBA Guidelines on ICT and security risk management)
  • Under this section competent authorities should assess whether the institution has an ICT strategy in place: that is subject to adequate oversight from the institution's management body; that is consistent with the business strategy, particularly for keeping its ICT up-to-date and planning or implem… (Title 2 2.2 25., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Establish an IT architecture board to provide architecture guidelines and advice on their application, and to verify compliance. This entity should direct IT architecture design, ensuring that it enables the business strategy and considers regulatory compliance and continuity requirements. This is r… (PO3.5 IT Architecture Board, CobiT, Version 4.1)
  • Enable board and executive understanding of strategic IT issues, such as the role of IT, technology insights and capabilities. Ensure that there is a shared understanding between the business and IT regarding the potential contribution of IT to the business strategy. Work with the board and the esta… (ME4.2 Strategic Alignment, CobiT, Version 4.1)
  • To provide consistent, effective and secure technological solutions enterprisewide, establish a technology forum to provide technology guidelines, advice on infrastructure products and guidance on the selection of technology, and measure compliance with these standards and guidelines. This forum sho… (PO3.4 Technology Standards, CobiT, Version 4.1)
  • The organisation's governing body (e.g., board of directors or equivalent) should define the objectives of the information security governance framework, which include aligning the information security strategy with business strategy. (SG.01.01.03a, The Standard of Good Practice for Information Security)
  • Information security governance should be supported by a documented information security strategy that states how Information Security activity will be aligned with the organization's overall objectives. (SG.02.01.01, The Standard of Good Practice for Information Security)
  • The organisation's governing body (e.g., board of directors or equivalent) should define the objectives of the information security governance framework, which include aligning the information security strategy with business strategy. (SG.01.01.03a, The Standard of Good Practice for Information Security, 2013)
  • Information security governance should be supported by a documented information security strategy that states how Information Security activity will be aligned with the organization's overall objectives. (SG.02.01.01, The Standard of Good Practice for Information Security, 2013)
  • The high-level working group should support the Chief Information Security Officer (or equivalent) in establishing the organisation's overall approach to information security by adopting an agile, business-oriented perspective (i.e., forward-looking, dynamic, and flexible enough to scale in size and… (SG.01.02.06a, The Standard of Good Practice for Information Security, 2013)
  • Safeguards. An organization should assess and implement safeguards for an effective ICT security program. Safeguards are practices, procedures or mechanisms that may protect against a threat, reduce a vulnerability, limit the impact of an information security incident, detect incidents and facilitat… (§ 3.7, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • ¶ 8.1 Baseline Approach. An organization could apply baseline security to all IT systems by selecting standard safeguards. A variety of standard safeguards are suggested in baseline documents and codes of practice. If all of an organization's IT systems have only a low level of security requirement… (¶ 8.1, ¶ 8.2, ¶ 8.3, ¶ 8.4, ¶ 9.4, ¶ 9.4.2, ¶ 9.7, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • ¶ 8 Safeguards. An organization should implement safeguards to improve security. Some of these safeguards are mechanisms, others can be considered as procedures, which should be in place. Organizational and physical safeguards which could be applicable for IT systems are summarized in 8.1. Safeguar… (¶ 8, ¶ 8.1, ¶ 8.2, ¶ 12, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ensuring that human behaviour is considered when applying information technology, including safety, fit for purpose and alignment with the organizational purpose; (§ 6.8.3.4 ¶ 2 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Determine if test plans adequately complement testing strategies. (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The IT planning process should include four key factors: senior management participation, determining the role of IT, determining the impact of IT, and monitoring past performance. (Pg 18, FFIEC IT Examination Handbook - Management)
  • The alignment of the institution's business plans with its technology and operational plans for retail payment systems. (App A Tier 1 Objectives and Procedures Objective 3:1 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Strategic risk mitigation: Review whether management incorporates its decisions to provide MFS into its strategic planning process. (AppE.7 Objective 5:4 a., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Ensure operational planning efforts are effectively transitioned to current operations. (T0679, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Collaborate with other internal and external partner organizations on target access and operational issues. (T0600, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Ensure operational planning efforts are effectively transitioned to current operations. (T0679, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Collaborate with other internal and external partner organizations on target access and operational issues. (T0600, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)