Utilize resource capacity management controls.
CONTROL ID
00939
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a capacity management plan., CC ID: 11751

This Control has the following implementation support Control(s):
  • Perform system capacity testing., CC ID: 01616
  • Perform system performance reviews., CC ID: 11866


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Guidelines for capacity planning should be established, which clearly set out, among others, system utilization threshold and corresponding precautionary measures (e.g. to step up monitoring of system utilization and perform system upgrades when the peak utilization level reaches the predetermined c… (§ 9.2.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • Guidelines for capacity planning should be established, which clearly set out, among others, system utilization threshold and corresponding precautionary measures (e.g. to step up monitoring of system utilization and perform system upgrades when the peak utilization level reaches the predetermined c… (§ 9.2.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • O54: The organization shall examine resources for capability and usage of computer systems by identifying capacity and usage of all resources and implement measures to avoid degradation in and failure of computer systems throughput. O78.1: The system administrators should identify the performance an… (O54, O78.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The FI should ensure adequate system capacity is in place to handle high volumes of API call requests, and implement measures to mitigate cyber threats such as denial of service (DoS) attacks. (§ 6.4.8, Technology Risk Management Guidelines, January 2021)
  • capacity and performance management controls to ensure that the current and projected requirements of the business are met; and (¶ 54(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Activities which might impair the availability of the systems or components and thus result in a violation of the SLA are carried out outside regular business hours and/or not at load peak times. (Section 5.16 COM-02 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • Verify restrictions have been implemented for the use of disk space while on a shared hosting provider to ensure each entity cannot monopolize server resources to exploit vulnerabilities. (App A Testing Procedures § A.1.2.e Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers, 3)
  • Verify restrictions have been implemented for the use of bandwidth while on a shared hosting provider to ensure each entity cannot monopolize server resources to exploit vulnerabilities. (App A Testing Procedures § A.1.2.e Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers, 3)
  • To ensure each entity cannot monopolize server resources to exploit vulnerabilities (for example, error, race, and restart conditions, resulting in, for example, buffer overflows), verify restrictions are in place for the use of these system resources: Disk space Bandwidth Memory CPU (§ A.1.2.e Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Computer, network, and telecommunications equipment (including network routers and switches, and in-house telephone exchanges) should have sufficient capacity to cope with peak workloads. (CF.07.01.04a, The Standard of Good Practice for Information Security)
  • Computer, network, and telecommunications equipment (including network routers and switches, and in-house telephone exchanges) should have sufficient capacity to cope with peak workloads. (CF.07.01.04a, The Standard of Good Practice for Information Security, 2013)
  • The system should control resource use to prevent denial of service due to monopolization of the resources. Quotas should be created to define the minimum and maximum space or time that should be allotted to a resource. The quotas should be set to apply to individual users, a group of users, and/or … (§ 16.3, § K.3, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • The service provider shall create, implement, and maintain a capacity plan. (§ 6.5 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The capacity plan shall include the expected impact of the availability requirements, service continuity requirements, and service level requirements. (§ 6.5 ¶ 3(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Is there sufficient redundancy capacity in place to ensure services are not impacted in multi-tenancy environments during peak usage and above? (§ V.1.69, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The using or acquiring organization should define the storage space requirements for the organizational records, metadata, and audit files. (§ C3.1.1, Design Criteria Standard for Electronic Records Management Software Application, DoD 5015.2)
  • Do the Credit Union's policies and procedures establish network infrastructure performance standards for target throughput parameters? (IT - Networks Q 42a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the … (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • The configuration of the system should be examined to ensure sufficient space is allocated for the storage of audit records and to prevent the capacity from being exceeded. Organizational records and documents should be examined to ensure specific responsibilities and actions are defined for the imp… (AU-4, AU-4.2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)