Establish and maintain the overall system development project management roles and responsibilities.


CONTROL ID: 00991
CONTROL TYPE: Establish Roles
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase., CC ID: 06267

This Control has the following implementation support Control(s):
  • Assign the role of information security management as a part of developing systems., CC ID: 06823
  • Disseminate and communicate continuously and routinely regarding system development project requirements., CC ID: 06899


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The project life cycle methodology should define clearly the roles and responsibilities for the project team and the deliverables from each phase. It also needs to contain a process to ensure that appropriate security requirements are identified when formulating business requirements, built during p… (4.2.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • AIs should establish a general framework for management of major technology-related projects. This framework should, among other things, specify the project management methodology to be adopted and applied to these projects. The methodology should cover, at a minimum, allocation of responsibilities,… (4.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • In drawing up a project management framework, the FI should ensure that tasks and processes for developing or acquiring new systems include project risk assessment and classification, critical success factors for each project phase, definition of project milestones and deliverables. The FI should cl… (§ 6.1.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The SDLC should, where relevant, involve the IT security function in each phase of the life cycle. (§ 5.4.4, Technology Risk Management Guidelines, January 2021)
  • Roles to appoint to assure good management include a project sponsor who assumes overall responsibility for the project, a steering committee that reviews the project while it is underway (committee should be chaired by project sponsor) and a project manager who will be responsible for coordinating … (User's Guide 7.1, User's Guide 7.3, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • roles and responsibilities; (3.6.1 63(b), Final Report EBA Guidelines on ICT and security risk management)
  • the design, implementation, management and monitoring of ICT security controls; (Title 3 3.3.4(b) 55.a(ii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • knowledge of project management – this is helpful when it comes to interviewing users and drawing up plans for the implementation and monitoring of security safeguards. (§ 4.6 Subsection 3 ¶ 4 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood. (6.1.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine documentation to verify that descriptions of roles and responsibilities for performing activities in Requirement 6 are documented and assigned. (6.1.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel responsible for performing activities in Requirement 6 to verify that roles and responsibilities are assigned as documented and are understood. (6.1.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood. (6.1.2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Roles and responsibilities for performing activities in Requirement 6 are documented, assigned, and understood. (6.1.2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The audit committee's role involves the oversight of financial issues, risk management, ethics, and internal control assessment. Each of these duties involves a strong element of IT control and calls for reviewing issues that are related to new systems acquisition and development. The internal audit… (§ 7.1.1, § 7.3.1, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • A strong relationship must be developed and maintained between the auditor and the project management office (PMO) due to the critical role that the PMO plays in project management. The auditor should understand the roles and functions of the PMO, the project management methodologies, the costs and … (§ 3.2 (Project Management Office (PMO) and the Internal Auditor) ¶ 2, IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, to ensure the development and/or acquisition of new data, physical or virtual applications, infrastructure network and systems components, or any corporate, operations and/or datacente… (CCC-01, Cloud Controls Matrix, v3.0)
  • The organization shall define the project, who is accountable for the project, and who has the authority for the project. (§ 6.2.3.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The planning for new or changed services shall include or contain a reference to the authority and responsibilities for design, development, and implementation. (§ 5.2 ¶ 3(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • the responsibilities and authorities involved in the design and development process; (8.3.2 ¶ 1(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • Senior management must be able to obtain timely information about the progress of an information system investment, including milestones that can be verified independently. These milestones should measure the costs, timeliness, quality, and capability of the system to meet the specified requirements… (§ 5122(b)(6), Clinger-Cohen Act (Information Technology Management Reform Act))
  • Definition of responsibilities and decision-making. (App A Objective 12:2a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The adequacy of the institutional and management structures to establish accountability and responsibility for IT systems and technology initiatives; (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 2, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether audit procedures for systems development and acquisition and related risk management adequately consider ▪ The level and quality of oversight and support of systems development and acquisition activities by senior management and the board of directors; ▪ The adequacy of the ins… (Exam Tier II Obj B.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Corporate management should be responsible for approving all major projects and should ensure that the project supports the organization's business objectives. (Pg 5, Exam Obj 2.1, Exam Obj 5.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • (Obj 2.3, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Project management should oversee all changes to operational and business processes; should initiate, plan, execute, and control all projects; and should monitor costs and assure projects adhere to the appropriate standards and specifications. (Pg 11, FFIEC IT Examination Handbook - Management)
  • Project managers should inform senior management of obstacles as early as possible to ensure that proper controls are in place and corrective action can be taken to manage risk exposure. (¶ 32, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)