Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents.


CONTROL ID
00688
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish and maintain the scope of the organizational compliance framework and Information Assurance controls., CC ID: 01241

This Control has the following implementation support Control(s):
  • Establish and maintain an Information Systems Assurance Categories Definitions document., CC ID: 01608


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Legal requirements shall still be enforceable upon information that is wholly or partly in the form of a data message. (§ 4(1), The Electronic Communications and Transactions Act, 2002)
  • Legal requirements shall still be enforceable on information that is not in a data message, but is referred to in the data message. (§ 4(2), The Electronic Communications and Transactions Act, 2002)
  • Legal requirements shall still be enforceable on an expression of intent or other statement between the originator and the addressee of a data message, even if it is in the form of a data message. (§ 17(a), The Electronic Communications and Transactions Act, 2002)
  • Legal requirements shall still be enforceable on an expression of intent or other statement between the originator and the addressee of a data message, even if it is not evidenced by an electronic signature but by other means from which the person's intent can be inferred. (§ 17(b), The Electronic Communications and Transactions Act, 2002)
  • A financial institution shall put in place a framework and process to identify critical systems. (Technology Risk Management ¶ 4, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Amendment 2018)
  • A financial institution shall put in place a framework and process to identify critical systems. (Technology Risk Management ¶ 4, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02)
  • It is required that key business processes be identified and ranked. When determining how to rank each process, consider what would happen if any of the following happened: • failure to meet statutory obligations for service delivery • failure to meet key stakeholder expectations • loss of cas… (Step 2 Pg 34, Step 2 Pg 35, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • identification, authorisation and granting of access to information assets (refer to Attachment C for further guidance); (21(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Suggests that the interview identify: • "your organization's goals and the strategies to achieve these goals; • the broad functions the organization undertakes to support its goals and strategies; • the activities that contribute to the fulfillment of the organization's functions; and • the … (§ B.4, § B.4.2 thru § B.4.2.3, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • a process to identify ICT systems, services and commensurate security requirements reflecting potential fraud risk and/or possible misuses and/or abuses of confidential data along with documented security expectations to be adhered to for these identified ICT systems, services and data, aligned with… (Title 3 3.3.4(b) 55.c, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • a mechanism to identify relevant assets and an assessment of the risks in that Member State; (Article 7 1(d), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • When documenting the applications and related information, security professionals should find out which applications are required for the business process being examined after consulting with the specialized department, the person responsible for the application, and the IT department providing suppo… (4.2.2 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Participation of the level of management in the brainstorming is not mandatory. However, it is much more important that each participant is capable of providing information on the area represented by such participant, and that such participant is able to name the essential business processes of the … (§ 3.2.1 Subsection 4 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Determining IT, ICS and IoT systems and similar objects (§ 8.1 ¶ 5 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The supporting assets processing the information assets are identified and recorded: (1.3.1 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • firms remain responsible for correctly identifying and classifying data in line with their legal and regulatory obligations, and adopting a risk based approach to the location of data. They also remain responsible for configuration and monitoring of their data in the cloud to reduce security and com… (Table 3 ¶ 1 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • Firms should evaluate what would be involved in delivering an effective stressed exit and use this to formulate plans for such an exit, assisting them to identify any assets and skills required. As soon as practically possible, firms should seek to test the stressed exit plans to ensure they are fun… (§ 10.18, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization must identify assets and who is responsible for them. (Security Policy No. 1 ¶ 7.1, HMG Security Policy Framework, Version 6.0 May 2011)
  • The entity identifies, inventories, validates, classifies and manages information assets. (S7.1 Identifies and manages the inventory of information assets, Privacy Management Framework, Updated March 1, 2020)
  • Has an identification and prioritization of information assets been performed? (Table Row I.12, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Ensure all data in Amazon S3 has been discovered, classified and secured when required. Description: Amazon S3 buckets can contain sensitive data, that for security purposes should be discovered, monitored, classified and protected. Macie along with other 3rd party tools can automatically provide an… (2.1.4, CIS Amazon Web Services Foundations Benchmark, v1.4.0, Level 2)
  • (Principle 7.40, ISACA Cross-Border Privacy Impact Assessment)
  • Prior to conducting a risk assessment, the organization should identify and prioritize their business objectives and ensure that identification of objectives is consistent across all levels of the organization. (§ 2.1.1, ISACA IS Standards, Guidelines, and Procedures for Auditing and Control Professionals, May 15, 2009)
  • A process is in place to identify the information required and expected to support the functioning of the other components of internal control and the achievement of the entity’s objectives. (§ 3 Principle 13 Points of Focus: Identifies Information Requirements, COSO Internal Control - Integrated Framework (2013))
  • Points out that a key to defining business continuity is being able to identify and confirm the processing and documentation critical to the organization's key business activities. Their point is that you can't determine which processes and systems should be replicated off site unless you can place … (§ B.5.a(i), § B.5.a(ii), Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • The IT universe needs to be defined by auditors. This can be accomplished with a top-down approach to identify the key business processes and objectives, the infrastructure needed for applications, significant applications that support business processes, the service support model, and the role of c… (§ 2.1 ¶ 3, § 3.2 ¶ 2, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • The business applications to which the audit department will require access must be identified and the ones which are most critical must be identified. (§ 6 (Negotiate Access to Data) ¶ 1, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • Auditors should gain a comprehensive understanding of what personal data the organization has, how it is used, handled, and processed; identify the rules governing the data processing of the organization; and determine what governmental bodies and regulations enforce the organization's privacy rules… (§ 5.5 (Understanding Personal Data Processing), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The organization should review the key controls, key reports, and other functionality in the company's financial processes and determine which are manual and which are automated. (Executive Summary, Phase 1.1, The GAIT Methodology)
  • A formal and documented evaluation process must be established, implemented, and maintained by the organization to systematically conduct asset identification and valuation to identify critical activities, products, services, partnerships, functions, stakeholder relationships, supply chains, and the… (§ 4.3.1 ¶ 1(a), Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Roles and responsibilities of contractors, employees, and third-party users shall be documented as they relate to information assets and security. (HRS-08, Cloud Controls Matrix, v3.0)
  • Document and communicate roles and responsibilities of employees, as they relate to information assets and security. (HRS-09, Cloud Controls Matrix, v4.0)
  • Roles and responsibilities of contractors, employees and third party users shall be documented as they relate to information assets and security. (IS-13, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Security element relationships. An organization should implement the security of ICT systems from different perspectives. Assets are potentially subject to a number of threats. This collection of threats changes constantly over time and is only partially known. As well, the environment changes over … (§ 3.9, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Identification of Assets. An asset is a component or part of a total system to which an organization directly assigns value and hence for which the organization requires protection. For the identification of assets it should be borne in mind that an IT system consists of more than hardware and softw… (¶ 9.3.2, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • ¶ 8.1.1(6) IT Security Management and Policies. An organization should implement safeguards to achieve an appropriate and consistent level of security throughout an organization. This safeguard category contains all those safeguards dealing with the management of IT security, the planning of wha… (¶ 8.1.1(6), ¶ 8.2.4, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ¶ 9.5 Other Considerations. When reviewing the network architecture and applications, consideration should also be given to existing network connections within, to or from the organization, and to the network to which the connection is proposed. The organization's existing connections may restrict o… (¶ 9.5, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The organization should identify the requirements for creating, receiving, and keeping records of its business activities. (§ 3.2.4, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization should identify compliance risks by relating its compliance obligations to its activities, products, services and relevant aspects of its operations in order to identify situations where noncompliance can occur. The organization should identify the causes for and consequences of non… (§ 4.6 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Documented information of external origin determined by the organization to be necessary for the planning and operation of the BCMS shall be identified, as appropriate, and controlled. (§ 7.5.3.2 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Assets associated with information and information processing facilities shall be identified and an inventory of these assets shall be drawn up and maintained. (A.8.1.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its information security management system. (§ 4.1 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. (A.18.1.1 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization's assets should be identified; an inventory should be conducted to document and prioritize the importance of all assets. The asset inventory should include information to help recover from a disaster, such as type of asset, location, format, back-up information, license number, and … (§ 7.1.1, ISO 27002 Code of practice for information security management, 2005)
  • The organization should identify assets at a level of detail that provides sufficient information for risk assessments. This level of detail will affect the amount of information that will be collected during the risk assessment. (§ 8.2.2 ¶ 4, ISO 27005 Information technology -- Security techniques -- Information security risk management, 2011)
  • The governing body should ensure that the organization identifies, manages, monitors and communicates the nature and extent of its use of data (see 6.5.3). (§ 6.8.3.1 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • identification of all resources involved in the model; (§ 6.2.3.1 ¶ 4 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • identifies the key resources (e.g. capitals such as human, social and relational, intellectual, the natural environmental, financial and manufactured), structures, processes, relationships, information, decision-making, reporting and other aspects of the organization that allow it to create sustaine… (§ 6.11.3.2 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the relevant external systems on which the organization depends; (§ 6.11.3.3 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall identify compliance risks by relating its compliance obligations to its activities, products, services and relevant aspects of its operations. (§ 4.6 ¶ 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • determine how these legal requirements and other requirements apply to the organization and what needs to be communicated; (§ 6.1.3 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall determine external and internal issues that are relevant to its purpose and its strategic direction and that affect its ability to achieve the intended result(s) of its quality management system. (4.1 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall identify compliance risks by relating its compliance obligations to its activities, products, services and relevant aspects of its operations. (§ 6.4 ¶ 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Assets of and their value to communities and societies: (§ 6.4.2.2 ¶ 1 Bullet 3, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • Assets of and their value to individuals: (§ 6.4.2.2 ¶ 1 Bullet 2, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • establishing criteria for the required processes; (Section 8.1 ¶ 1 bullet 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the complexity of the IT asset(s); and (Section 7.6.1 ¶ 1 bullet 7, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended outcome(s) of its IT asset management system. (Section 4.1 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the implications of the mixed responsibilities involved (including the associated risks and how the mixed responsibilities can be effectively discharged with accountability for those responsible); (Section 8.8 ¶ 3(b), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled. (§ 7.5.3 ¶ 3, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. (§ 8.1.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • All relevant legislative statutory, regulatory, contractual requirements and the organization’s approach to meet these requirements should be explicitly identified, documented and kept up to date for each information system and the organization. (§ 18.1.1 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Legal, statutory, regulatory and contractual requirements relevant to information security and the organization's approach to meet these requirements should be identified, documented and kept up to date. (§ 5.31 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Where the use of utility programs is permitted, the cloud service customer should identify the utility programs to be used in its cloud computing environment, and ensure that they do not interfere with the controls of the cloud service. (§ 9.4.4 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Identify assets that require protection. (TASK P-10, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The entity identifies, inventories, classifies, and manages information assets (for example, infrastructure, software, and data). (CC6.1 ¶ 3 Bullet 1 Identifies and Manages the Inventory of Information Assets, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. (CC6.1 ¶ 3 Bullet 6 Manages Points of Access, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization identifies and addresses the effect of business operations and processes on privacy requirements. (Generally Accepted Privacy Principles and Criteria § 1.2.11 Bullet 4, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should identify, monitor, assess, and address, on an ongoing basis, the effect of changes in the business processes and business operations on privacy requirements. (Table Ref 1.2.11, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should identify, monitor, assess, and address, on an ongoing basis, the effect of changes in security personnel and privacy personnel on the privacy requirements. (Table Ref 1.2.11, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • the service organization's network environment and the information and systems the service organization uses when interacting with customers, and (¶ 3.59 Bullet 2 Sub-Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • other matters related to the system (¶ 3.59 Bullet 2 Sub-Bullet 3, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The entity identifies, inventories, classifies, and manages information assets. (CC6.1 Identifies and Manages the Inventory of Information Assets, Trust Services Criteria)
  • Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. (CC6.1 Manages Points of Access, Trust Services Criteria)
  • The entity identifies, inventories, classifies, and manages information assets. (CC6.1 ¶ 2 Bullet 1 Identifies and Manages the Inventory of Information Assets, Trust Services Criteria, (includes March 2020 updates))
  • Points of access by outside entities and the types of data that flow through the points of access are identified, inventoried, and managed. The types of individuals and systems using each point of access are identified, documented, and managed. (CC6.1 ¶ 2 Bullet 5 Manages Points of Access, Trust Services Criteria, (includes March 2020 updates))
  • The responsible entity shall implement and document a program to identify, classify, and protect information associated with critical cyber assets. (§ R.4, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • The critical cyber asset information to be protected shall include, at a minimum and regardless of media type, operational procedures, lists as required in standard CIP-002-3, network topology or similar diagrams, floor plans of computing centers that contain critical cyber assets, equipment layouts… (§ R4.1, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • The Transmission Owner shall identify the primary control center that operationally controls each Transmission station or Transmission substation identified in the Requirement R1 risk assessment. (B. R1. 1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-2, Version 2)
  • The Transmission Owner shall identify the primary control center that operationally controls each Transmission station or Transmission substation identified in the Requirement R1 risk assessment. (B. R1. 1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Physical Security CIP-014-3, Version 3)
  • Is a mainframe used to transmit scoped systems and data? (§ G.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is a mainframe used to process scoped systems and data? (§ G.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is a mainframe used to store scoped systems and data? (§ G.18, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is an AS/400 used to transmit scoped systems and data? (§ G.19, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is an AS/400 used to process scoped systems and data? (§ G.19, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is an AS/400 used to store scoped systems and data? (§ G.19, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is an OpenVMS (VAX or Alpha) system used to transmit scoped systems and data? (§ G.20, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is an OpenVMS (VAX or Alpha) system used to process scoped systems and data? (§ G.20, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is an OpenVMS (VAX or Alpha) system used to store scoped systems and data? (§ G.20, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are electronic commerce websites or applications used to transmit scoped systems and data? (§ G.21.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are electronic commerce websites or applications used to process scoped systems and data? (§ G.21.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are electronic commerce websites or applications used to store scoped systems and data? (§ G.21.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are desktop computers used to transmit scoped systems and data? (§ G.22, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are desktop computers used to process scoped systems and data? (§ G.22, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are desktop computers used to store scoped systems and data? (§ G.22, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Title XXX of the Public Health Service Act (42 U.S.C. 300jj et seq.), § 3021(b)(1) is amended to state that any organization receiving Federal funds for health information technology investments shall follow the standards for electronic matching. (§ 1561, Patient Protection and Affordable Care Act, Public Law 111-148, 111th Congress)
  • Title IX of the Public Health Service Act (42 U.S.C. 299b-24), § 924(a)(1)(A), is amended to state that an entity that seeks to be a patient safety organization shall submit an initial certification to the Secretary of Health and Human Services that the entity has policies and procedures in place t… (§ 2(a)(5), Patient Safety And Quality Improvement Act Of 2005, Public Law 109-41, 109th Congress)
  • § 3.102(a)(1)(ii) An entity, seeking patient safety organization initial or continued listing, will be required to submit certification that it meets § 3.102(b). § 3.106(a) A patient safety organization must secure patient safety work product according to the security framework of 42 CFR 3, § 3.… (§ 3.102(a)(1)(ii), § 3.106(a), § 3.106(b)(1)(i), 42 CFR Part 3, Patient Safety and Quality Improvements, Final Rule)
  • Identification of the entity's information and technology assets. (IV Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management has a comprehensive inventory of its electronic (or digital) and physical information assets, in accordance with the Information Security Standards. Evaluate whether management specifically identifies its information assets, determines the appropriate classification of t… (App A Objective 4:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identifying the technology assets the entity possesses and manages. (App A Objective 4:2a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Processes to identify, track, and monitor infrastructure components. (V Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identification of infrastructure assets (e.g., hardware and software) and associated interconnectivity critical to business and IT operations. (App A Objective 2:8b Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management uses appropriate inventory mechanisms to effectively document, track, and oversee the entity's information and technology assets, including its hardware and software. As part of the technology asset inventory, determine whether management considers IT assets that do not … (App A Objective 4:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identification of the infrastructure, including the appropriate systems and software, necessary to support file exchange activities. (App A Objective 11:1c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Identification of the entity's IT assets, external constraints, industry IT architecture trends, and the entity's needs for the desired future state. (App A Objective 12:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Organization charts of retail lines of business to determine reporting relationships and how the collective retail lines of business are structured and managed. (App A Tier 1 Objectives and Procedures Objective 2:4 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • States the need for organizations to identify computer applications significant to the financial statements of the organization. Significant applications are those with auditable line items and accounts under investigation or that are material to the organization. (App VI.1.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Has the Credit Union conducted due diligence about the legal implications of providing a Certification Authority function? (IT - Authentication Q 24, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Establish policies and procedures identifying and accommodating unique issues for each workstation type and workstation device. (§ 4.11.1 Bullet 2, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Prior to conducting a risk assessment, the system under consideration must be identified and analyzed, documenting the system's level of detail and formality. (§ 3.3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Information resources should be clearly assigned to an information system – which directly supports business processing and therefore supports the business functions, activities, and tasks. Doing this creates clear boundaries for all information systems. Methods for grouping resources are provided… (§ 1.5, § 2.1 thru § 2.4, Guide for Developing Security Plans for Federal Information Systems, NIST SP 800-18, Revision 1)
  • The organization's role(s) in the data processing ecosystem are identified and communicated. (ID.BE-P1, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • Systems/products/services that support organizational priorities are identified and key requirements communicated. (ID.BE-P3, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must identify all Personally Identifiable Information that is held by the organization or under the organization's control through a third party. (§ 2.1 ¶ 5, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Assets (e.g., data, hardware, software, systems, facilities, services, people) that enable the organization to achieve business purposes are identified and managed consistent with their relative importance to organizational objectives and the organization's risk strategy (Asset Management (ID.AM), The NIST Cybersecurity Framework, v2.0)
  • Inventory records systems, critical computing systems, and storage media to identify those containing personal information. (Part I ¶ 2, California OPP Recommended Practices on Notification of Security Breach, May 2008)