Monitor the usage and capacity of Information Technology assets.


CONTROL ID
00668
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Monitor the usage and capacity of critical assets., CC ID: 14825

This Control has the following implementation support Control(s):
  • Monitor all outbound traffic from all systems., CC ID: 12970
  • Notify the interested personnel and affected parties before the storage unit will reach maximum capacity., CC ID: 06773
  • Monitor systems for errors and faults., CC ID: 04544
  • Compare system performance metrics to organizational standards and industry benchmarks., CC ID: 00667


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should implement sufficient and effective alternative service delivery channels to ensure e-banking services can be provided continuously to customers as far as appropriate. In particular, if an Internet banking system is temporarily not accessible, AIs should ensure that their other service cha… (§ 9.5.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • The network should be monitored on a continuous basis. This would reduce the likelihood of network traffic overload and detect network intrusions. Monitoring activities include: - monitoring network services and performance against pre-defined targets; - reviewing volumes of network traffic, utiliza… (6.1.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number IV.4(4): Data usage must be recorded and reviewed on a periodic basis. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. App 2-1 Item Number IV.5(7): Output data usage must be recorded and reviewed on a period… (App 2-1 Item Number IV.4(4), App 2-1 Item Number IV.5(7), App 2-1 Item Number IV.6(3), App 2-1 Item Number IV.7(5), App 2-1 Item Number IV.8(5), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O54: The organization shall examine resources for capability and usage of computer systems by identifying capacity and usage of all resources and implement measures to avoid degradation in and failure of computer systems throughput. O54.1: The organization shall analyze continuously the capability a… (O54, O54.1, O54.3, O78, O78.1, T18, T50.2(3), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • In addition, if it is possible to monitor standby devices due to being connected to the production environment, they should be treated similarly to the production machine. (P102.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Capacity and performance analysis of security systems (Critical components of information security 22) iii. Bullet 7, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • To ensure that IT systems and infrastructure are able to support business functions, the FI should ensure that indicators such as performance, capacity and utilisation are monitored and reviewed. (§ 7.5.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should maintain high resiliency and availability of online systems and supporting systems (such as interface systems, backend host systems and network equipment). The FI should put in place measures to plan and track capacity utilisation as well as guard against online attacks. These online a… (§ 12.1.6, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Cloud service providers' ability to dynamically scale resources due to a genuine spike in demand or a denial-of-service attack is tested as part of capacity planning processes. (Security Control: 1579; Revision: 0, Australian Government Information Security Manual, March 2021)
  • Continuous real-time monitoring of the capacity and availability of online services is performed. (Control: ISM-1581; Revision: 3, Australian Government Information Security Manual, June 2023)
  • Continuous real-time monitoring of the capacity and availability of online services is performed. (Control: ISM-1581; Revision: 3, Australian Government Information Security Manual, September 2023)
  • Financial institutions should implement performance and capacity planning and monitoring processes to prevent, detect and respond to important performance issues of ICT systems and ICT capacity shortages in a timely manner. (3.5 56, Final Report EBA Guidelines on ICT and security risk management)
  • fully understand the capacities and limitations of the high-risk AI system and be able to duly monitor its operation, so that signs of anomalies, dysfunctions and unexpected performance can be detected and addressed as soon as possible; (Article 14 4(a), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Users shall monitor the operation of the high-risk AI system on the basis of the instructions of use. When they have reasons to consider that the use in accordance with the instructions of use may result in the AI system presenting a risk within the meaning of Article 65(1) they shall inform the pro… (Article 29 4. ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced; (Art. 7 ¶ 1(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Auditors need to determine, during outsourced data services reviews, whether or not the service provider has the capacity to host the outsourced services. (§ 3 (Data Center Management), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Network performance should be monitored by reviewing logs of network activity regularly. (NW 3.1.1(d), ISF Security Audit of Networks)
  • Business applications should incorporate security controls to help ensure availability of information by performing load-monitoring. (CF.04.01.05b-2, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover monitoring the security controls that protect the critical infrastructure. (CF.08.03.02e, The Standard of Good Practice for Information Security)
  • Critical infrastructure security controls should include methods of monitoring and tracking critical infrastructure components and dependencies on Information Systems. (CF.08.03.07a, The Standard of Good Practice for Information Security)
  • Business applications should incorporate security controls to help ensure availability of information by performing load-monitoring. (CF.04.01.05b-2, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should cover monitoring the security controls that protect the critical infrastructure. (CF.08.03.02e, The Standard of Good Practice for Information Security, 2013)
  • Critical infrastructure security controls should include methods of monitoring and tracking critical infrastructure components and dependencies on Information Systems. (CF.08.03.07a, The Standard of Good Practice for Information Security, 2013)
  • Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business. (IVS-02, Cloud Controls Matrix, v4.0)
  • The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses. (Annex A: § CLD.12.4.5 ¶ 2, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The cloud service customer should ensure that the agreed capacity provided by the cloud service meets the cloud service customer's requirements. The cloud service customer should monitor the use of cloud services, and forecast their capacity needs, to ensure performance of the cloud services over ti… (§ 12.1.3 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. (A1.1 ¶ 1, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The entity's system availability and related security policies include monitoring system capacity to achieve customer commitments or other agreements about availability. (Availability Prin. and Criteria Table § 1.2 o, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. (A1.1, Trust Services Criteria)
  • The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives. (A1.1 ¶ 1, Trust Services Criteria, (includes March 2020 updates))
  • Current processing capacity and usage are maintained, monitored, and evaluated to manage capacity demand and to enable the implementation of additional capacity to help meet the entity’s availability commitments and system requirements. (A1.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • The Facilities Protection Committee shall coordinate Technical Surveillance Countermeasure professional training, development, research, evaluation, and test programs. (§ 149.2(b)(1), 32 CFR Part 149, Policy of Technical Surveillance Countermeasures)
  • Technical Surveillance Countermeasure program managers shall monitor the research, procurement, evaluation, testing, and development of Technical Surveillance Countermeasure equipment to ensure the greatest integration, standardization, and compatibility between organizations. (§ 5.9.1, DoD Instruction 5240.5, DoD Technical Surveillance Countermeasures (TSCM) Survey Program, May 23, 1984)
  • Data centers and computer operations; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Back-room operations; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:2 Bullet 1 Sub-Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The ability to handle increased workloads supporting critical operations for extended periods. (TIER II OBJECTIVES AND PROCEDURES Testing Strategy Objective 1: Event Scenarios 1 Bullet 8, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Stress testing online banking, telephone banking, ATMs, and call centers capacities to handle increased customer volumes; (TIER I OBJECTIVES AND PROCEDURES BCP - Pandemic Issues Objective 8:11 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Whether plans test capacity and data integrity capabilities through the use of simulated transaction data; and (TIER II OBJECTIVES AND PROCEDURES Test Planning Objective 2: Scenarios - Test Content 3 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Processes to identify, track, and monitor infrastructure components. (V Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management uses appropriate inventory mechanisms to effectively document, track, and oversee the entity's information and technology assets, including its hardware and software. As part of the technology asset inventory, determine whether management considers IT assets that do not … (App A Objective 4:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Registers and tracks assets in the inventories and includes EOL information. (App A Objective 4:4g Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Assess whether each IT asset is captured in the entity's ITAM inventory, tracked throughout its operational life, and prepared for physical removal at the end of its useful life. Determine whether management implemented policies, standards, and procedures to identify assets and their EOL time frames… (App A Objective 4:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Monitors its use. (App A Objective 13:6b Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Methods to monitor, condition, or stabilize the electricity source voltage and minimize effects of power fluctuations. (App A Objective 13:9d Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • (Obj 4.3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Capacity planning should address both internal and external factors. The organization should monitor processing speed, data storage, and data communications bandwidth. (Pg 40, Pg 41, FFIEC IT Examination Handbook - Operations, July 2004)
  • Security configuration, provisioning, logging, and monitoring. Misconfiguration of cloud resources is a prevalent cloud vulnerability and can be exploited to access cloud data and services. System vulnerabilities can arise due to the failure to properly configure security tools within cloud computin… (Risk Management Cloud Security Management Bullet 4, FFIEC Security in a Cloud Computing Environment)
  • Adequate capacity to ensure availability is maintained. (PR.DS-4, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • Organizational records and documents should be examined to ensure the system can limit flooding from denial of service attacks by managing capacity and bandwidth. Test the system by using automated tools to simulate the launching of denial of service and distributed denial of service attacks to ensu… (SC-5(2), SC-5.10, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Mainframes require different contingency strategies from distributed systems because data is stored in a single location. Contingency strategies should emphasize the mainframe's data storage capabilities and underlying architecture. Redundant system components are critical to ensure that a failure o… (§ 5.4.2 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The smart grid Information System should manage excess bandwidth, capacity, or other redundancies in order to limit information flooding types of Denial of Service attacks. (SG.SC-5 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Monitor network capacity and performance. (T0153, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Personnel activity and technology usage are monitored to find potentially adverse events (DE.CM-03, The NIST Cybersecurity Framework, v2.0)
  • Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events (DE.CM-09, The NIST Cybersecurity Framework, v2.0)