Conduct a preliminary investigation before new system development projects begin.


CONTROL ID
01025
CONTROL TYPE
Systems Design, Build, and Implementation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a system design project management framework., CC ID: 00990

This Control has the following implementation support Control(s):
  • Define and document the nature and scope of all new system development projects., CC ID: 01026
  • Collect information from documentary sources prior to developing systems., CC ID: 01027
  • Update infrastructure resources when system development project requirements change., CC ID: 06900


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization shall check for compliance with medium- and long-term plans when planning system development and obtain approval for the plan from the appropriate development manager. (T7, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • An extensive preliminary investigation is required before any initiation of a recordkeeping project within an organization. When conducting a preliminary investigation it is important to identify boundaries of the organization, the legal framework, the internal and external stakeholders whose inter… (§ A.4, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • The organization shall assess the supporting infrastructure of the project for adequacy and availability. (§ 6.3.2.3(a)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • Part of the preliminary investigation for a project should include locating documents pertaining to the work and interviewing staff who may be knowledgeable about the project. If necessary, legal aspects of the project, such as maintaining compliance, should be examined as well. (§ 8.4(a), ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Describes conducting an investigation to determine how the organization functions before determining what is necessary for a system that creates and maintains records. (§ 3.2.2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The organization must assess the potential privacy impact of new processes and changes to the processes that involve personal information. (Table Ref 1.2.6, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Agency heads must determine if functions supported by a new information system should be performed by the private sector or the executive agency before investing in a new information system. (§ 5113(b)(2)(B), Clinger-Cohen Act (Information Technology Management Reform Act))
  • The initiation phase should start with a business case. The business case should describe the proposal's purpose, identify any expected benefits, explain how it supports the business objectives, identify alternatives, and identify as many requirements as possible. (Pg 17, Pg 18, FFIEC IT Examination Handbook - Development and Acquisition)
  • Management should consider carefully whether the necessary resources, time, and project management expertise are available to successfully complete any new technology proposal. (¶ 29, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)