Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs.

CONTROL ID: 00631
CONTROL TYPE: Business Processes
CLASSIFICATION: Corrective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Strategic Information Technology Plan., CC ID: 00628

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • A steering committee serves as an effective communication channel for management's aims and directions and provides an ongoing basis for ensuring alignment of the security programme with organizational objectives. It is also instrumental in achieving behavior change toward a culture that promotes go… (Information Security Committee ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • An information security strategy that is aligned with business objectives and the legal requirements (Critical components of information security 1) 2) a., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Protection against growing cyber threats requires multiple layers of defenses, known as defense in depth. As every organization is different, this strategy should therefore be based on a balance between protection, capability, cost, performance, and operational considerations. Defense in depth for m… (Critical components of information security 24) i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the institution in the event t… (Critical components of information security 29) ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Under this section competent authorities should assess whether the institution has an ICT strategy in place: that is subject to adequate oversight from the institution's management body; that is consistent with the business strategy, particularly for keeping its ICT up-to-date and planning or implem… (Title 2 2.2 25., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • When conducting the digital operational resilience testing programme referred to in paragraph 1 of this Article, financial entities, other than microenterprises, shall follow a risk-based approach taking into account the criteria set out in Article 4(2) duly considering the evolving landscape of ICT… (Art. 24.3., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Financial entities shall weigh the benefits and costs of alternative solutions, such as the use of different ICT third-party service providers, taking into account if and how envisaged solutions match the business needs and objectives set out in their digital resilience strategy. (Art. 29.1. ¶ 2, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Decision on which approach is to be selected for which areas of the organisation for their corresponding protection (§ 3.3.5 Subsection 4 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Establish processes of bi-directional education and reciprocal involvement in strategic planning to achieve business and IT alignment and integration. Mediate between business and IT imperatives so priorities can be mutually agreed. (PO1.2 Business-IT Alignment, CobiT, Version 4.1)
  • Produce a plan for the acquisition, implementation and maintenance of the technological infrastructure that meets established business functional and technical requirements and is in accord with the organisation's technology direction. (AI3.1 Technological Infrastructure Acquisition Plan, CobiT, Version 4.1)
  • Implement a process to monitor the benefits from providing and maintaining appropriate IT capabilities. IT's contribution to the business, either as a component of IT-enabled investment programmes or as part of regular operational support, should be identified and documented in a business case, agre… (PO5.5 Benefit Management, CobiT, Version 4.1)
  • Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation's change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requir… (AI3.3 Infrastructure Maintenance, CobiT, Version 4.1)
  • Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise's strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how… (PO1.4 IT Strategic Plan, CobiT, Version 4.1)
  • Define the elements of a control environment for IT, aligned with the enterprise's management philosophy and operating style. These elements should include expectations/requirements regarding delivery of value from IT investments, appetite for risk, integrity, ethical values, staff competence, accou… (PO6.1 IT Policy and Control Environment, CobiT, Version 4.1)
  • The information security strategy should support the organization's overall objectives by outlining how Information Security will add value to the organization (for example, in terms of reduced cost and enhanced reputation). (SG.02.01.02a, The Standard of Good Practice for Information Security)
  • The information security strategy should support the organization's overall objectives by outlining how Information Security will protect the interests of stakeholders. (SG.02.01.02a, The Standard of Good Practice for Information Security)
  • The information security strategy should help defend the organization against threats by outlining how the information security program will enable the organization to maintain its strategic direction (e.g., by responding to the evolving threat landscape). (SG.02.01.03a, The Standard of Good Practice for Information Security)
  • The information security strategy should support the organization's overall objectives by outlining the importance of Information Security in addressing market-related and regulation-related risks, legal-related and compliance-related risks, and technology-related risks. (SG.02.01.02c, The Standard of Good Practice for Information Security)
  • The information security strategy should describe how the value of the information security function, and therefore its profile in the organization, will be raised over time. (SG.02.01.04, The Standard of Good Practice for Information Security)
  • The value actually delivered to stakeholders by key Information Security initiatives should be recorded in a way that can be clearly understood by those absent a detailed knowledge of Information Security, for example in a business-focused case study or financial benefits statement. (SG.02.02.04a, The Standard of Good Practice for Information Security)
  • The information security strategy should support the organization's overall objectives by outlining how Information Security will protect the interests of stakeholders. (SG.02.01.02a, The Standard of Good Practice for Information Security, 2013)
  • The information security strategy should help defend the organization against threats by outlining how the information security program will enable the organization to maintain its strategic direction (e.g., by responding to the evolving threat landscape). (SG.02.01.03a, The Standard of Good Practice for Information Security, 2013)
  • The information security strategy should support the organization's overall objectives by outlining the importance of Information Security in addressing market-related and regulation-related risks, legal-related and compliance-related risks, and technology-related risks. (SG.02.01.02c, The Standard of Good Practice for Information Security, 2013)
  • The information security strategy should describe how the value of the information security function, and therefore its profile in the organization, will be raised over time. (SG.02.01.04, The Standard of Good Practice for Information Security, 2013)
  • The value actually delivered to stakeholders by key Information Security initiatives should be recorded in a way that can be clearly understood by those absent a detailed knowledge of Information Security, for example in a business-focused case study or financial benefits statement. (SG.02.02.04a, The Standard of Good Practice for Information Security, 2013)
  • Management of IT security includes the ongoing task of dealing with various follow up activities, which can lead to changes to earlier results and decisions. Follow-up activities include: maintenance, security compliance checking, change management, monitoring, and incident handling. (¶ 6, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • The organization's AI capacity, knowledge level and ability to mitigate realized AI risks should be considered when deciding its AI risk appetite. (§ 6.3.4 Table 4 Column 2 Row 7 Bullet 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • Address the scope of use. Ensure that the scope of automation is overseen by the governing body and implemented by appropriately authorized and skilled people (see 6.3). The governing body should ensure that the requisite authority, responsibility and accountability are maintained and that the conse… (§ 5.5 ¶ 1 Bullet 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • The organization has a cyber risk management strategy and framework that is approved by the appropriate governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework. (GV.SF-1.1, CRI Profile, v1.2)
  • The organization establishes a systematic and comprehensive program to periodically evaluate and improve the monitoring and detection processes and controls, as well as incorporate the lessons learned, as the threat landscape evolves. (DE.DP-5.1, CRI Profile, v1.2)
  • The organization has a cyber risk management strategy and framework that is approved by the appropriate governing authority (e.g., the Board or one of its committees) and incorporated into the overall business strategy and enterprise risk management framework. (GV.SF-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization establishes a systematic and comprehensive program to periodically evaluate and improve the monitoring and detection processes and controls, as well as incorporate the lessons learned, as the threat landscape evolves. (DE.DP-5.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Determine whether the board and senior management evaluate whether the IT strategic plan aligns with the enterprise-wide business and strategic plan, as well as established priorities and whether the planning addresses the following: (App A Objective 2:5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Participation of senior management by supporting AIO activities, confirming that those activities are in the IT strategic plan, reviewing the strategic planning process, and incorporating changes. (App A Objective 2:5a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Alignment with the entity's strategic plan and support for the business and strategic objectives of the entity. (App A Objective 12:3a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should design, apply, and align its IT architecture to meet the strategic and business objectives of the enterprise. The architecture plan should meet the entity's needs for confidentiality, integrity, and availability to minimize operational and reputational risks resulting from poorly d… (IV Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Financial institution boards should oversee, while senior management should implement, an IT planning process with the following elements: - Long-term goals and the allocation of IT resources to achieve them, usually within a three- to five-year horizon. - Alignment of the IT strategic plan with the… (I.B.6 Planning IT Operations and Investment, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Is responsible for effective strategic IT planning, oversight of IT performance, and aligning IT with business needs. (App A Objective 2:6 i., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine the adequacy of the institution's IT operations planning and investment. Assess the adequacy of the risk assessment and the overall alignment with the institution's business strategy, including planning for IT resources and budgeting. (App A Objective 4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The planning process adjusts for new or changing risks. (App A Objective 4:2 i., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • IT strategic plans. (App A Objective 10:2 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization's plan should be adjusted continuously for new risks or opportunities. (Pg 16, FFIEC IT Examination Handbook - Management)
  • Whether the institution uses leading edge technologies or only mature technologies. (App A Tier 1 Objectives and Procedures Objective 1:5 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Bank management should periodically assess its uses of technology as part of its overall business planning. An enterprise-wide and ongoing approach helps to ensure that all major technology projects are consistent with the bank's plans. Proper planning minimizes the likelihood of computer hardware a… (¶ 23, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)