Monitor and evaluate the implementation and effectiveness of Information Technology Plans.


CONTROL ID
00634
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Strategic Information Technology Plan., CC ID: 00628

This Control has the following implementation support Control(s):
  • Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans., CC ID: 06839


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Approving and monitoring major information security projects and the status of information security plans and budgets, establishing priorities, approving standards and procedures (Information Security Committee ¶ 3 Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Financial institutions should establish sets of action plans that contain measures to be taken to achieve the objective of the ICT strategy. These should be communicated to all relevant staff (including contractors and third party providers where applicable and relevant). The action plans should be … (3.2.2 6, Final Report EBA Guidelines on ICT and security risk management)
  • Under this section competent authorities should assess whether the institution has an ICT strategy in place: that is subject to adequate oversight from the institution's management body; that is consistent with the business strategy, particularly for keeping its ICT up-to-date and planning or implem… (Title 2 2.2 25., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Establish an IT steering committee (or equivalent) composed of executive, business and IT management to: - Determine prioritisation of IT-enabled investment programmes in line with the enterprise's business strategy and priorities - Track status of projects and resolve resource conflict - Monitor se… (PO4.3 IT Steering Committee, CobiT, Version 4.1)
  • Develop senior management reports on IT's contribution to the business, specifically in terms of the performance of the enterprise's portfolio, IT-enabled investment programmes, and the solution and service deliverable performance of individual programmes. Include in status reports the extent to whi… (ME1.5 Board and Executive Reporting, CobiT, Version 4.1)
  • Create a portfolio of tactical IT plans that are derived from the IT strategic plan. The tactical plans should address IT-enabled programme investments, IT services and IT assets. The tactical plans should describe required IT initiatives, resource requirements, and how the use of resources and achi… (PO1.5 IT Tactical Plans, CobiT, Version 4.1)
  • Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise's strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how… (PO1.4 IT Strategic Plan, CobiT, Version 4.1)
  • Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programmes that have solid business cases. Recognise that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of freedom in allocating funds. IT processes … (PO1.1 IT Value Management, CobiT, Version 4.1)
  • The tactical actions the IT department will perform during a defined period of time should be identified in the IT plan. (§ 5.1.2, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • The information security governance framework should include a process that requires the governing body to evaluate the extent to which the information security strategy is meeting the needs of the business, and respond accordingly. (SG.01.01.05a, The Standard of Good Practice for Information Security)
  • The information security governance framework should include a process that requires the governing body to evaluate the extent to which the information security strategy is meeting the needs of the business, and respond accordingly. (SG.01.01.05a, The Standard of Good Practice for Information Security, 2013)
  • Monitoring. Monitoring is an ongoing activity which checks whether the system, its users, and the environment maintain the level of security as laid out by the IT security plan. A plan for day to day monitoring should be prepared to provide additional guidance and procedures for ensuring ongoing sec… (¶ 11.4, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • The organization monitors the effectiveness of its internal dependency management strategy. (DM.ID-1.2, CRI Profile, v1.2)
  • The organization monitors the effectiveness of its internal dependency management strategy. (DM.ID-1.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Reading policy and procedure manuals, system documentation, flowcharts, narratives, asset management records, and other system documentation to understand IT policies and procedures and controls over data loss prevention, access provisioning and deprovisioning, user identification and authentication… (¶ 3.50 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (Section 4.C ¶ 1(5), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Aligns KPIs with the entity's ERM processes and uses those KPIs to assess the performance of IT and operations across the entity. (App A Objective 17:2a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Has an oversight process that includes receiving updates on major projects, IT budgets, IT priorities, and overall IT performance; and has an approval process for critical projects and activities. (App A Objective 2:2 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Reports to the board on the status of IT activities to enable the board to make decisions. (App A Objective 2:6 g., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Is responsible for effective strategic IT planning, oversight of IT performance, and aligning IT with business needs. (App A Objective 2:6 i., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Provides regular reports to the board on IT risks, IT strategies, and IT changes. (App A Objective 2:8 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine the adequacy of the institution's IT operations planning and investment. Assess the adequacy of the risk assessment and the overall alignment with the institution's business strategy, including planning for IT resources and budgeting. (App A Objective 4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization should periodically reevaluate the e-banking strategy to ensure it is appropriate for the overall business strategy. (Pg 19, Pg A-2, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The steering committee should monitor and evaluate IT plans and give the Board enough input to make informed decisions. Management should monitor the current strategies and review plans for any changes. (Pg 5, Pg 16, FFIEC IT Examination Handbook - Management)
  • Regularly test or otherwise monitor the effectiveness of the safeguards' key controls, systems, and procedures, including those to detect actual and attempted attacks on, or intrusions into, information systems. (§ 314.4 ¶ 1(d)(1), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule, Amended February 15, 2022)
  • Act as a primary stakeholder in the underlying information technology (IT) operational processes and functions that support the service, provide direction and monitor all significant activities so the service is delivered successfully. (T0340, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the key controls, systems, and procedures of the safeguards. (Section 27-62-4(c)(5), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Review your security plan at least annually or whenever there is a material change in business practices that may reasonably implicate the security of personal information. (Part I ¶ 12, California OPP Recommended Practices on Notification of Security Breach, May 2008)
  • Not less than annually, assess the effectiveness of such licensee's safeguards' key controls, systems and procedures. (Part VI(c)(3)(F), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Implement information safeguards to manage the threats identified in the licensee's ongoing assessment under paragraph (c)(2) of this section and, at least annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (§ 8604.(c)(5), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (§431:3B-202(b)(5), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Implementing information safeguards to manage the threats identified under subdivision (2), and assessing the effectiveness of the safeguards' key controls, systems, and procedures at least one (1) time each year. (Sec. 17.(5), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Implements information safeguards to manage threats identified in the licensee’s ongoing risk assessments and, at least annually, assesses the effectiveness of the information safeguards’ key controls, systems, and procedures. (507F.4 3.e., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and, no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (§2504.C.(5), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • At least annually, assess the effectiveness of the key controls, information systems and procedures and other safeguards in paragraph D implemented to manage the threats described in paragraph B that are identified in the licensee's ongoing assessment. (§2264 3.E., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and, no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (Sec. 555.(3)(e), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (§ 60A.9851 Subdivision 3(5), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards’ key controls, systems and procedures. (§ 83-5-807 (3)(e), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Implement information safeguards to manage the threats identified in its ongoing assessment, and no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (§ 420-P:4 III.(e), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Implement information safeguards to manage the threats identified in the licensee's ongoing assessment and assess the effectiveness of the safeguards' key controls, systems, and procedures on an annual basis. (26.1-02.2-03. 3.e., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Not less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures. (Section 3965.02 (C)(6), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • implement information safeguards to manage the threats identified in its ongoing assessment, and at least annually assess the effectiveness of the safeguards' key controls, systems, and procedures. (SECTION 38-99-20. (C)(5), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Implement information safeguards to manage the threats identified in the licensee's risk assessment and, no less than annually, assess the effectiveness of the safeguards' key controls, systems, and procedures; (§ 56-2-1004 (3)(E), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • No less than annually, assess the effectiveness of security safeguards, including key controls, systems, and procedures. (§ 601.952(3)(e), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)