Identify and allocate departmental costs.


CONTROL ID
00871
CONTROL TYPE
Business Processes
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a cost management program., CC ID: 13638

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain an Information Technology financial management framework., CC ID: 01610
  • Prepare an Information Technology budget, as necessary., CC ID: 00872
  • Justify the system's cost and benefit., CC ID: 00874
  • Compare actual Information Technology costs to forecasted Information Technology budgets., CC ID: 11753
  • Acquire supplies, as necessary., CC ID: 06933


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization must review whether or not IT investments have been made properly in accordance with the IT investment plan. (App 2-1 Item Number I.3(6), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The major role of top management involves implementing the Board approved information security policy, establishing necessary organizational processes for information security and providing necessary resources for successful information security. It is essential that senior management establish an e… (Boards of Directors/Senior Management ¶ 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Organizations understand and monitor costs and charge the costs to the customers of IT services. To do this, organizations must make the effort to identify, allocate, predict and monitor costs involved in delivering IT services. Then organizations must determine how much to charge customers based on… (§ 3.4.5, OGC ITIL: Security Management)
  • Identify all IT costs, and map them to IT services to support a transparent cost model. IT services should be linked to business processes such that the business can identify associated service billing levels. (DS6.1 Definition of Services, CobiT, Version 4.1)
  • Implement a decision-making process to prioritise the allocation of IT resources for operations, projects and maintenance to maximise IT's contribution to optimising the return on the enterprise's portfolio of IT-enabled investment programmes and other IT services and assets. (PO5.2 Prioritisation Within IT Budget, CobiT, Version 4.1)
  • Establish and use an IT costing model based on the service definitions that support the calculation of chargeback rates per service. The IT cost model should ensure that charging for services is identifiable, measurable and predictable by users to encourage proper use of resources. (DS6.3 Cost Modelling and Charging, CobiT, Version 4.1)
  • Actively manage with the business the portfolio of IT-enabled investment programmes required to achieve specific strategic business objectives by identifying, defining, evaluating, prioritising, selecting, initiating, managing and controlling programmes. This should include clarifying desired busine… (PO1.6 IT Portfolio Management, CobiT, Version 4.1)
  • ensuring that the resources needed for the compliance management system are available, allocated and assigned; (§ 5.1 ¶ 1 d), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Documented policies and procedures shall exist for allocating direct costs and apportioning indirect costs. (§ 6.4 ¶ 2(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Agency heads must establish effective and efficient capital planning processes to select, manage, and evaluate the results of all major information system investments. (§ 5113(b)(2)(A), Clinger-Cohen Act (Information Technology Management Reform Act))
  • Assess the level of oversight and support by evaluating: ▪ The alignment of business and technology objectives; ▪ The frequency and quality of technology-related board reporting; ▪ The commitment of the board and senior management to promote new products; ▪ The level and quality of board-app… (Exam Obj 2.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • The IT planning process should be used to help the organization balance its spending for technology versus other business needs. (Pg 17, Pg 18, Exam Obj 5.1, FFIEC IT Examination Handbook - Management)
  • The resources needed to protect the information system must be allocated for during the capital planning and investment control process. (§ 5.6.14, Exhibit 4 SA-2, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • To appropriately manage cybersecurity risks throughout the supply chain, enterprises should dedicate funds toward this effort. Identifying resource needs and taking steps to secure adequate, recurring, and dedicated funding are essential and important activities that need to be built into the C-SCRM… (3.6. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Many C-SCRM processes can and should be built into existing program and operational activities and may be adequately performed using available funds. However, there may be a need for an influx of one-time resources to establish an initial C-SCRM program capability. For example, this might include th… (3.6. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • The ISCP Coordinator should ensure that the strategy chosen can be implemented effectively with available personnel and financial resources. The cost of each type of alternate site, equipment replacement, and storage option under consideration should be weighed against budget limitations. The coordi… (§ 3.4.5 ¶ 1, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Ensure identified security deficiencies have appropriate financial resources allocated in the corporate budgeting and purchasing processes; (2 ¶ 1 Bullet 3, Pipeline Security Guidelines)