Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan.


CONTROL ID
00632
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Strategic Information Technology Plan., CC ID: 00628

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan., CC ID: 01609
  • Document lessons learned at the conclusion of each Information Technology project., CC ID: 13654
  • Establish, implement, and maintain a counterterror protective security plan., CC ID: 06862


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • FIs should establish IT policies, standards and procedures, which are critical components of the framework, to manage technology risks and safeguard information system assets in the organisation. (§ 3.2.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The Key Management Plan should include the cryptographic system objectives and the Key Management Plan objectives, including the organizational aims. (Control: 0510 Table Row "Objectives", Australian Government Information Security Manual: Controls)
  • The organization should align the information technology security Risk Management Framework with its business strategies and Information Technology strategies. (¶ 24, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should implement controls to manage, monitor, and align the information technology security with the business objectives. (¶ 54(e), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • strategic development of the institution's organisational and operational structure of IT and of the outsourcing of IT services; (II.1.2(a), Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Is the security program part of the organization's long-term plans and short-term plans? (Table Row I.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Create a portfolio of tactical IT plans that are derived from the IT strategic plan. The tactical plans should address IT-enabled programme investments, IT services and IT assets. The tactical plans should describe required IT initiatives, resource requirements, and how the use of resources and achi… (PO1.5 IT Tactical Plans, CobiT, Version 4.1)
  • Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by identifying, defining, evaluating, prioritising, selecting, initiating, managing and controlling programmes. This should include clarifying desired busine… (PO1.6 IT Portfolio Management, CobiT, Version 4.1)
  • Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise's strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how… (PO1.4 IT Strategic Plan, CobiT, Version 4.1)
  • To provide consistent, effective and secure technological solutions enterprisewide, establish a technology forum to provide technology guidelines, advice on infrastructure products and guidance on the selection of technology, and measure compliance with these standards and guidelines. This forum sho… (PO3.4 Technology Standards, CobiT, Version 4.1)
  • The Chief Audit Executive (CAE) should analyze how the IT short-term plans impact the IT risk assessment. (§ 4.2 ¶ 3, IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The plan lists strategic initiatives and considers all necessary factors around those initiatives. (App A Objective 4:2 e., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • (Obj 2.1, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Management should review and revise operational plans at least annually. (Pg 19, FFIEC IT Examination Handbook - Management)
  • Financial institution management incorporates (or plans to incorporate) its plan for implementing MFS into its strategic planning process. (AppE.7 Objective 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Develop or shape international cyber engagement strategies, policies, and activities to meet organization objectives. (T0666, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct long-range, strategic planning efforts with internal and external partners in cyber activities. (T0763, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Coordinate, synchronize and draft applicable intelligence sections of cyber operations plans. (T0639, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop or shape international cyber engagement strategies, policies, and activities to meet organization objectives. (T0666, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct long-range, strategic planning efforts with internal and external partners in cyber activities. (T0763, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)