Establish, implement, and maintain cost management procedures.


CONTROL ID
00873
CONTROL TYPE
Business Processes
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a cost management program., CC ID: 13638

This Control has the following implementation support Control(s):
  • Update the business cases for cost management procedures, as necessary., CC ID: 13642
  • Perform an impact assessment of any deviations found in the cost management procedures., CC ID: 13641
  • Identify deviations in cost management procedures., CC ID: 13640


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization must determine a standard methodology for projecting return on investments. (App 2-1 Item Number I.3(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Implement a cost management process comparing actual costs to budgets. Costs should be monitored and reported. Where there are deviations, these should be identified in a timely manner and the impact of those deviations on programmes should be assessed. Together with the business sponsor of those pr… (PO5.4 Cost Management, CobiT, Version 4.1)
  • Regularly review and benchmark the appropriateness of the cost/recharge model to maintain its relevance and appropriateness to the evolving business and IT activities. (DS6.4 Cost Model Maintenance, CobiT, Version 4.1)
  • Establish and use an IT costing model based on the service definitions that support the calculation of chargeback rates per service. The IT cost model should ensure that charging for services is identifiable, measurable and predictable by users to encourage proper use of resources. (DS6.3 Cost Modelling and Charging, CobiT, Version 4.1)
  • Manage IT-enabled investment programmes and other IT assets and services to ensure that they deliver the greatest possible value in supporting the enterprise's strategy and objectives. Ensure that the expected business outcomes of IT-enabled investments and the full scope of effort required to achie… (ME4.3 Value Delivery, CobiT, Version 4.1)
  • All operational elements of the organization should be examined for cost-effectiveness. (Revised Volume 1 Pg 2-II-7, Protection of Assets Manual, ASIS International)
  • funding and budget requirements; and (§ 9.3 ¶ 4 d) 8), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Costs shall be budgeted to enable effective financial control and decision-making for services. (§ 8.4.1 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • At planned intervals, the organization shall monitor and report on actual costs against the budget, review the financial forecasts and manage costs. (§ 8.4.1 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The Director of the Office of Management and Budget must develop a process that analyzes, tracks, and evaluates the risks and results of all major capital investments in information systems. This process must include explicit criteria to be used for analyzing projected and actual costs, benefits, an… (§ 5112(c), Clinger-Cohen Act (Information Technology Management Reform Act))
  • the costs of security measures; (§ 1173(d)(1)(A)(ii), Health Insurance Portability and Accountability Act of 1996 (HIPAA), Public Law 104-191, 104th Congress)
  • The costs of security measures. (§ 164.306(b)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • An initial budget estimate should be made on all projects. Managers should monitor the costs throughout the project. (Pg 21, FFIEC IT Examination Handbook - Development and Acquisition)
  • The organization should budget for technology and should look at the entry costs and post implementation costs for new technologies. (Pg 20, FFIEC IT Examination Handbook - Management)
  • Lead and oversee budget, staffing, and contracting. (T0493, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Performs configuration management, problem management, capacity management, and financial management for databases and data management systems. (T0305, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop mitigation strategies to address cost, schedule, performance, and security risks. (T0466, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Performs configuration management, problem management, capacity management, and financial management for databases and data management systems. (T0305, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop mitigation strategies to address cost, schedule, performance, and security risks. (T0466, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Lead and oversee budget, staffing, and contracting. (T0493, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide advice on project costs, design concepts, or design changes. (T0196, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)