
Establish, implement, and maintain project management standards.


CONTROL ID: 00992
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a system design project management framework., CC ID: 00990

This Control has the following implementation support Control(s):
  • Include participation by each affected user department in the implementation phase of the project plan., CC ID: 00993
  • Establish, implement, and maintain a project program documentation standard., CC ID: 00995
  • Include budgeting for projects in the project management standard., CC ID: 13136
  • Formally approve the initiation of each project phase., CC ID: 00997
  • Establish, implement, and maintain integrated project plans., CC ID: 01056
  • Perform a risk assessment for each system development project., CC ID: 01000
  • Establish, implement, and maintain a project control program., CC ID: 01612
  • Establish, implement, and maintain a project test plan., CC ID: 01001
  • Establish, implement, and maintain a project team plan., CC ID: 06533
  • Include the addition of new hires, part-time employees, or third party assistance in the project team plan., CC ID: 11731
  • Establish, implement, and maintain a project management training plan., CC ID: 01002
  • Conduct a post implementation review when the system design project ends., CC ID: 01003


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • AIs should establish a general framework for management of major technology-related projects. This framework should, among other things, specify the project management methodology to be adopted and applied to these projects. The methodology should cover, at a minimum, allocation of responsibilities,… (4.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • O67.2: The organization shall manage the system development process by establishing efficient development methods, designating personnel to be responsible for the project, and implementing project management. O73: The organization shall establish and maintain an operation and management organization… (O67.2, O73, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • With the assistance of its service manager, the financial institution should prepare thorough risk management and project management strategies, especially if the institution is the main decision maker for service operation and renewals. (C26.1. ¶ 4(3) ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • A project management framework should be established to ensure consistency in project management practices, and delivery of outcomes that meets project objectives and requirements. The framework should cover the policies, standards, procedures, processes and activities to manage projects from initia… (§ 5.1.1, Technology Risk Management Guidelines, January 2021)
  • The organization should manage material changes using Project Management techniques during all lifecycle stages. (¶ 52, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should use Project Management techniques to verify that information technology security requirements are adequately addressed. (¶ 52, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • APRA envisages that a regulated institution would ensure that IT security is considered at all stages of an IT asset's life-cycle. This could involve the use of external advisers where expertise is not available internally. Life-cycle stages typically include: planning and design; acquisition and im… (¶ 52, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • A financial institution should establish and implement an ICT project management policy that includes as a minimum: (3.6.1 63, Final Report EBA Guidelines on ICT and security risk management)
  • Rules shall be defined for the organisational framework of IT projects (including quality assurance measures) and the criteria for its application. (II.6.32, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • IT projects shall be managed appropriately, particularly taking account of risks in relation to the duration, use of resources, and quality of IT projects. To this end, model procedures shall be defined and compliance with them shall be monitored. (II.6.33, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The purpose of the project management practice is to ensure that all projects in the organization are successfully delivered. This is achieved by planning, delegating, monitoring, and maintaining control of all aspects of a project, and keeping the motivation of the people involved. (5.1.8 ¶ 1, ITIL Foundation, 4 Edition)
  • Establish and maintain a project management framework that defines the scope and boundaries of managing projects, as well as the method to be adopted and applied to each project undertaken. The framework and supporting method should be integrated with the programme management processes. (PO10.2 Project Management Framework, CobiT, Version 4.1)
  • Maintain the programme of projects, related to the portfolio of IT-enabled investment programmes, by identifying, defining, evaluating, prioritising, selecting, initiating, managing and controlling projects. Ensure that the projects support the programme's objectives. Co-ordinate the activities and … (PO10.1 Programme Management Framework, CobiT, Version 4.1)
  • A basic control issue of systems development and acquisition work is following a formal system design process to ensure user requirements and controls have been designed into the system. If the systems development is outsourced, similar controls should be required in the outsourcer or provider contr… (§ 5.3.6 ¶ 2, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • The business case includes the following key components: realistic, measurable, and understood benefits; environmental concerns; organizational considerations; clearly defined scope; project deliverables; resources; and likelihood or measurement of success. Risks can be identified and weaknesses dis… (§ 3.1 (Assessing the Business Case) ¶ 2, § 4.3 (Project Management Methodology Assessment), IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • § 7.1(c): The organization shall determine the required verification, validation, inspection, monitoring, and test activities for the product and the product acceptance criteria during the product realization planning. § 7.3.1 ¶ 3: The organization shall determine the design and development stage… (§ 7.1(c), § 7.3.1 ¶ 3, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall manage the project's requirements and Requirement changes according to the project plan. (§ 6.3.2.3(b)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The medical device manufacturer shall implement a risk management process that complies with ISO 14971. (§ 4.2, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • Information security should be integrated into project management. (§ 5.8 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • Project management; (TIER I OBJECTIVES AND PROCEDURES Risk Management Objective 4:5 Bullet 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • The following policies, standards, and processes should be integrated into the business continuity planning process: - Security Standards; - Project Management; - Change Control Policies; - Data Synchronization Procedures; - Crises Management; - Incident Response; - Remote Access; - Employee Trainin… (Other Policies, Standards and Processes, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Oversight of data management and data analysis and management of data-related projects. (App A Objective 2:9b Bullet 4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • IT project management. (App A Objective 2:9c Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Develops improvement strategies for operations and prioritizes projects. (App A Objective 17:4a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the institution has a project management function appropriate for the complexity of the institution, and verify that this function contains the appropriate elements. (App A Objective 3:3, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Project management. (App A Objective 12:12 f., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The quality of project management programs and practices that are followed by developers, operators, executive management/owners, independent vendors or affiliated servicers, and end-users; (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 5, FFIEC IT Examination Handbook - Audit, April 2012)
  • Auditors should help determine and recommend appropriate controls to project management for system development. The auditors should not have direct involvement in the decision process in order to maintain their independence. (Pg 18, Exam Tier II Obj B.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Continuity plans should be included in the project planning stages to ensure compliance with continuity requirements and to make changes to development plans. (Pg 29, Pg 30, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Project management standards should be established and should address general activities and specific requirements. (Pg 8, Pg 20, Exam Obj 5.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • Project management standards should include the need for experienced and skilled managers, senior management support, standard project management practices, collaboration with all stakeholders, tracking and measuring project performance, and transition procedures. (Pg 11, FFIEC IT Examination Handbook - Management)
  • (§ 3.4.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Research and evaluate available technologies and standards to meet customer requirements. (T0547, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should perform risk management and integrate it into the system development lifecycle (SDLC). There should be a specific schedule to assess and mitigate mission risks, but it should be flexible enough to be changed when necessary. (§ 5.1, Risk Management Guide for Information Technology Systems, NIST SP 800-30, July 2002)