Analyze existing systems during preliminary investigations for system design projects.


CONTROL ID
01043
CONTROL TYPE
Testing
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a system design project management framework., CC ID: 00990

This Control has the following implementation support Control(s):
  • Identify existing systems during preliminary investigations for system design projects., CC ID: 01044
  • Analyze the proposed effects of modifications or additions on the existing systems during the preliminary investigation of system design projects., CC ID: 01045
  • Assess the continuity requirements during the planning and development stage for new products and services., CC ID: 12779


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization must consider consistency of the overall optimization plan when developing the development plan. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. (App 2-1 Item Number II.1(2), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization should check system development plans for internal and external information technologies to assess its application of information technologies. (T7.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The FI should verify that system requirements are met by the current system design and implementation. Any changes to, or deviations from, the defined requirements should be endorsed by relevant stakeholders. (§ 5.6.2, Technology Risk Management Guidelines, January 2021)
  • An assessment of existing information and recordkeeping systems is called for as a measure against requirements for development of a new system. A formal gap analysis report to determine any weaknesses and needed improvements in recordkeeping systems is also recommended. (§ D.4, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • A vulnerability analysis should be included in the system design planning process. All assets that are important to the organization need to be identified; the possible threats to each asset must be determined; and the likelihood that a threat will occur to the assets must be quantitatively measured… (Pg 6-II-3, Pg 6-II-4, Revised Volume 2 Pg 1-III-6 thru Revised Volume 2 Pg 1-III-8, Protection of Assets Manual, ASIS International)
  • ¶ 7 Basic Assessments. An organization should perform a safeguard assessment and selection. The process of safeguard selection always requires identifying the type and characteristic of the IT system considered (for example, a standalone workstation, or a workstation connected to a network), since … (¶ 7, ¶ 7.1, ¶ 7.2, ¶ 7.3, ¶ 8.1.7, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • (§ 8.4(d), ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • An AI system can replace an existing system and, in such a case, an assessment of the risk benefits and risk transfers of an AI system versus the existing system can be undertaken, considering safety, environmental, social, technical and financial issues associated with the implementation of the AI … (§ 5.4.1 Table 2 Column 2 Row 7 Bullet 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • Document the characteristics of the system. (TASK C-1, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Network segmentation and the level of protection it provides will vary greatly depending on the overall network architecture used by an asset owner in their facility and even system integrators within their control systems. Logically segmenting networks based on their functionality provides some mea… (9.3.2 ¶ 3, Security for Industrial Automation and Control Systems, Part 4-2: Technical Security Requirements for IACS components)
  • The business owner and the system developer/maintainer shall assess the information processed by the system during the system security plan initiation. (§ 3.1.5 Task 1, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • The adequacy of the institution's systems development methodology and programming standards (TIER II OBJECTIVES AND PROCEDURES B.1 Bullet 4, FFIEC IT Examination Handbook - Audit, April 2012)
  • Research and evaluate available technologies and standards to meet customer requirements. (T0547, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Describe the characteristics of a system. (T0944, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify components or elements, allocate comprehensive functional components to include security functions, and describe the relationships between the elements. (T0480, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify components or elements, allocate comprehensive functional components to include security functions, and describe the relationships between the elements. (T0480, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Describe the characteristics of a system. (T0944, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Research and evaluate available technologies and standards to meet customer requirements. (T0547, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Inventory existing systems and operations. Review existing systems to determine whether they satisfy current and projected needs. Evaluate how new technologies will fit into existing systems and whether additional changes to those systems will be necessary to accommodate the new technologies. (¶ 28, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)