Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties.


CONTROL ID: 00633
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Strategic Information Technology Plan., CC ID: 00628

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be … (3.2.2 6, Final Report EBA Guidelines on ICT and security risk management)
  • Firms should make outsourced and third party providers aware of relevant internal policies, including those on outsourcing, ICT, information security, or operational resilience. Where firms' policies include confidential or sensitive information, firms can omit or redact it and only share those sect… (§ 4.11, SS2/21 Outsourcing and third party risk management, March 2021)
  • (§ 5.1, OGC ITIL: Security Management)
  • The organization should establish and implement mechanisms to promote collaboration, coordination and communication across disciplines and departments inside the organization, with emphasis on integrating administrative activities, quality improvement, and where present, clinical operations. (CORE - 5, URAC Health Utilization Management Standards, Version 6)
  • Roll out and enforce IT policies to all relevant staff, so they are built into and are an integral part of enterprise operations. (PO6.4 Policy, Standard and Procedures Rollout, CobiT, Version 4.1)
  • Manage IT-enabled investment programmes and other IT assets and services to ensure that they deliver the greatest possible value in supporting the enterprise's strategy and objectives. Ensure that the expected business outcomes of IT-enabled investments and the full scope of effort required to achie… (ME4.3 Value Delivery, CobiT, Version 4.1)
  • Enable board and executive understanding of strategic IT issues, such as the role of IT, technology insights and capabilities. Ensure that there is a shared understanding between the business and IT regarding the potential contribution of IT to the business strategy. Work with the board and the esta… (ME4.2 Strategic Alignment, CobiT, Version 4.1)
  • The high-level working group, committee, or equivalent body responsible for coordinating the overall information security activity should ensure the current version of the information security strategy is disseminated throughout the organization. (SG.02.01.05c, The Standard of Good Practice for Information Security)
  • The high-level working group, committee, or equivalent body responsible for coordinating the overall information security activity should ensure the current version of the information security strategy is disseminated throughout the organization. (SG.02.01.05c, The Standard of Good Practice for Information Security, 2013)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually. (GRC-01, Cloud Controls Matrix, v4.0)
  • Corporate IT Security Policy. To ensure adequate support for all security related measures, the corporate IT security policy should be approved by top management. Based on the corporate IT security policy, a directive should be written, which is binding for all managers and employees. This may requi… (¶ 7.2, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • The organization shall communicate the results of the corrective action plan throughout the organization. (§ 6.2.5.3(c)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall develop and communicate a plan to review, manage, and execute the project. (§ 6.3.1.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall report the decision outcomes to verify all problems are resolved, opportunities are taken, and adverse trends are reversed. (§ 6.3.3.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Beside these broad constraints on the use of AI by the organization (and any others that are applicable to the organization or its stakeholders), AI systems themselves will have technology constraints. The governing body should also seek assurance from management that such constraints are adequately… (§ 5.5 ¶ 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Management also communicates information about the entity's strategy and business objectives to shareholders and other external parties. Enterprise risk management is a key topic in these communications so that external stakeholders not only understand the performance against strategy but the action… (Communicating with Stakeholders ¶ 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Internally, management communicates the entity's strategy and business objectives clearly throughout the organization so that all personnel at all levels understand their individual roles. Specifically, communication channels enable management to convey: (Communicating with Stakeholders ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The entity has prepared an objective description of the system and boundaries and communicated this description to the authorized users. (Security Prin. and Criteria Table § 2.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity has prepared an objective description of the system and boundaries and communicated this description to the authorized users. (Availability Prin. and Criteria Table § 2.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity has prepared an objective description of the system and boundaries and communicated this description to the authorized users. (Processing Integrity Prin. and Criteria Table § 2.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity has prepared an objective description of the system and boundaries and communicated this description to the authorized users. (Confidentiality Prin. and Criteria Table § 2.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Has an oversight process that includes receiving updates on major projects, IT budgets, IT priorities, and overall IT performance; and has an approval process for critical projects and activities. (App A Objective 2:2 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The ability of management to provide reports necessary for informed planning and decision making in an effective and efficient manner; (TIER II OBJECTIVES AND PROCEDURES A:1. Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • (§ 3.1.4, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The management of the organization should develop a plan to communicate the organization's objectives to all employees. (Pg 3, Pg 24, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • Management should communicate the objectives of the internal controls to all employees and third party personnel. Also, the organization should be committed to implementing effective controls on the system. (§ I.A, OMB Circular A-123, Management's Responsibility for Internal Control)
  • The organization shall include a summary of the major application plans and system security plans in its strategic plan. (§ A.5.c, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)