Establish, implement, and maintain a system design project management framework.


CONTROL ID
00990
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Initiate the System Development Life Cycle planning phase., CC ID: 06266

This Control has the following implementation support Control(s):
  • Include data governance and management practices in the system design project management framework., CC ID: 15053
  • Conduct a preliminary investigation before new system development projects begin., CC ID: 01025
  • Establish, implement, and maintain a conceptual model of the organization's business activities prior to developing systems., CC ID: 01028
  • Analyze existing systems during preliminary investigations for system design projects., CC ID: 01043
  • Identify system design strategies., CC ID: 01046
  • Establish, implement, and maintain a system requirements specification., CC ID: 01035
  • Conduct a project feasibility study prior to designing a system., CC ID: 01613
  • Include the threats and risks associated with the system development project in the project feasibility study., CC ID: 11797
  • Establish, implement, and maintain project management standards., CC ID: 00992


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should establish a general framework for management of major technology-related projects. This framework should, among other things, specify the project management methodology to be adopted and applied to these projects. The methodology should cover, at a minimum, allocation of responsibilities,… (4.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The project management approach and structure must be defined based on the project plan. Approval for the approach and structure must be obtained by persons in charge of the user, planning, development, operations development, and maintenance development departments. This is a control item that cons… (App 2-1 Item Number VI.2.1(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • It is necessary to establish efficient development methods, implement project management and designate responsible personnel for project in order to conduct proper management of the system development process. (P75.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The FI should establish management oversight of the project to ensure that milestones are reached and deliverables are realised in a timely manner. The FI should escalate issues or problems which could not be resolved at the project committee level to senior management for attention and intervention… (§ 6.1.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • (User's Guide 7, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • In case of large projects a Project Security Officer should be appointed to both clarify the security needs within the project and to enable secure inclusion of the project results into the business processes of the organisation. The Project Security Officer can be a member of the project or a membe… (§ 4.6 Subsection 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The portfolio of IT projects shall be monitored and managed appropriately. Due account shall be taken of the fact that risks can also stem from interdependencies between different projects. (II.6.34, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The validation plan or validation master plan should identify the organization's approach to validation and the overall philosophy about computerized systems. (¶ 7.3, Good Practices For Computerized systems In Regulated GXP Environments)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for developing and maintaining secure systems and applications are documented. (Testing Procedures § 6.7 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for developing and maintaining secure systems and applications are implemented. (Testing Procedures § 6.7 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • IT infrastructure enhancements should be planned, rehearsed, and managed carefully. Clear contingency plans should be in place in case the implementation fails. (§ 5.4 ¶ 5, PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • The development process, for both in-house and outsourced developments, should have project management techniques and controls. This will allow management the ability to track projects to determine if they are on time, within budget, and resources are being used efficiently. Reports should be sent t… (§ 5.3.6 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • A strong relationship must be developed and maintained between the auditor and the project management office (PMO) due to the critical role that the PMO plays in project management. The auditor should understand the roles and functions of the PMO, the project management methodologies, the costs and … (§ 3.2 (Project Management Office (PMO) and the Internal Auditor) ¶ 2, IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • The most efficient way to fix large numbers of vulnerabilities is by creating an IT project. The project should include a project manager, process deliverables, and deadlines and must have the authority to integrate with the configuration management process and deploy necessary patches. Implementing… (§ 3.3 (Creating a Vulnerability Mitigation Process) ¶ 1, IIA Global Technology Audit Guide (GTAG) 6: Managing and Auditing IT Vulnerabilities)
  • The organization shall use projects for initially developing new medical Information Technology networks and making changes to existing networks that are not covered by a change request. (§ 4.3.1 ¶ 3, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall use the following controlled conditions to plan and carry out production and service provision: information available to describe the product characteristics; procedures, requirements, work instructions, reference materials, and reference measurement procedures are available; … (§ 7.5.1.1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall define and maintain a lifecycle model. (§ 6.3.1.3(a)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall develop and communicate a plan to review, manage, and execute the project. (§ 6.3.1.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall define its strategy to verify the system entities throughout the lifecycle. (§ 6.4.6.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • (§ 8.4, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • The design, acquisition, implementation, configuration, modification, and management of the infrastructure and software are consistent with the system security policies to enable authorized access and prevent unauthorized access. (Security Prin. and Criteria Table § 3.10, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The design, acquisition, implementation, configuration, modification, and management of the infrastructure and software are consistent with the system availability and related security policies to enable authorized access and prevent unauthorized access. (Availability Prin. and Criteria Table § 3.13, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The design, acquisition, implementation, configuration, modification, and management of the infrastructure and software are consistent with the system processing integrity and related security policies to enable authorized access and prevent unauthorized access. (Processing Integrity Prin. and Criteria Table § 3.14, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The design, acquisition, implementation, configuration, modification, and management of the infrastructure and software are consistent with the confidentiality and related security policies to enable authorized access and prevent unauthorized access. (Confidentiality Prin. and Criteria Table § 3.16, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Systems planning should include vulnerability assessments and threat analyses, resource allocation priorities, and countermeasure requirements. (§ 4-1.b, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • The organization must develop and implement a configuration management plan during system development describing the change control mechanisms, defining the change authorization requirements, and tracking the security flaws. (CSR 6.3.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • DoD application development Zone B instantiated in cloud infrastructure must minimally be implemented in a CSP's CSO that has a Level 2 PA to support pre-production application development with developers accessing the zone via the Internet. Consideration for implementing Zone B in a Level 4/5 CSO f… (Section 5.14 ¶ 8, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • As part of the governance structure, financial institution management should ensure development, implementation, and maintenance of the following: - An effective IT risk management structure. - A comprehensive information security program. - A formal project management process. - An enterprise-wide … (I.B IT Responsibilities and Functions, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Verify that appropriate policies, standards, and processes address business continuity planning issues including: ▪ Security; ▪ Project management; ▪ Change control process; ▪ Data synchronization, back-up, and recovery; ▪ Crises management (responsibility for disaster declaration and deal… (Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The project methodology should be approved by the Board or a Board-approved committee. Any deviations from the approved procedures should be approved by management. Project management tools should be used to keep track of the progress of the project. These tools should have access controls and back-… (Pg 3, Pg 4, Pg 11, Exam Obj 1.3, FFIEC IT Examination Handbook - Development and Acquisition)
  • Determine whether management has implemented and effectively utilizes operational control programs, processes, and tools such as: ▪ Performance management and capacity planning; ▪ User support processes; ▪ Project, change, and patch management; ▪ Conversion management; ▪ Standardization of… (Exam Tier I Obj 5.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Indicates that an organization should have a documented SDLC methodology detailing procedures to follow when applications are designed and developed as well as afterwards when they are modified. An approval process for any changes or designs should also be created. Finally, the methodology selected … (CC-1.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • These leaders are also responsible and accountable for developing and promulgating a holistic set of policies that span the enterprise's mission and business processes, guiding the establishment and maturation of a C-SCRM capability and the implementation of a cohesive set of C-SCRM activities. Lead… (2.3.2. ¶ 6, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • (§ 3.4.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Determine scope, infrastructure, resources, and data sample size to ensure system requirements are adequately demonstrated. (T0257, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must use a System Development Lifecycle methodology that includes security to manage the smart grid Information System. (SG.SA-3 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • Determine scope, infrastructure, resources, and data sample size to ensure system requirements are adequately demonstrated. (T0257, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Projects should be coordinated to ensure that they adhere to appropriate policies, standards, and risk management controls. Proper project implementation includes controls, policies and procedures, training, testing, contingency planning, and proper oversight of any outsourcing. Management should pro… (¶ 32, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)