Back

Identify system design strategies.


CONTROL ID
01046
CONTROL TYPE
Systems Design, Build, and Implementation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a system design project management framework., CC ID: 00990

This Control has the following implementation support Control(s):
  • Investigate the range of alternative system design strategies available., CC ID: 01047
  • Identify appropriate tactics for the selected system design strategies., CC ID: 01048
  • Analyze the cultural factors of the system design strategies., CC ID: 01049
  • Analyze current technology investment factors that could affect implementing the system design project., CC ID: 01050
  • Analyze current funding factors that could affect implementing the system design project., CC ID: 11795
  • Balance the strengths and weaknesses of the organization with the system design strategies and implementation strategies., CC ID: 01051
  • Reassess staffing needs while identifying the system design strategies., CC ID: 01053
  • Adopt a system design strategy after examining the strategic options and tactical options., CC ID: 01054
  • Disseminate and communicate the implementation strategy to interested personnel and affected parties., CC ID: 11796
  • Disseminate and communicate the adopted system design strategy to interested personnel and affected parties., CC ID: 01055


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • design — considerations when designing secure software could include software modularisation; where on the network the software is located; what privileges the software executes under; inclusion of information security features as part of the technical specifications; and the information security … (Attachment D 2(b)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • The identification of strategies to satisfy recordkeeping requirements and encourage the adoption of an overall strategy for meeting those requirements prior to design or redesign of recordkeeping systems is called for. (§ E.4, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • The Information Technology Service Continuity (ITSC) culture should be built and embedded into a new project from its inception. Consideration should be given to how the deliverables will support or enhance the ITSC strategy. (§ 5.2 ¶ 3(d), PAS 77 IT Service Continuity Management. Code of Practice, 2006)
  • An assessment should be made of the organization's capacity to undertake the project, the project's priority level, and if the staff has the right skill set to execute the project. (3.1 (Assessing the Business Case) ¶ 4, IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • Organizations should take steps to reduce their exposure to fraudulent or counterfeit parts when the risk assessment shows there are availability risks. (App A § A.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
  • After a vulnerability assessment is conducted, countermeasures needed to mitigate the findings should be developed in the requirements definition. (Pg 6-II-4, Pg 6-II-5, Revised Volume 2 Pg 1-III-9, Protection of Assets Manual, ASIS International)
  • The organization shall analyze the complete set of stakeholder requirements. (§ 6.4.1.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall define the implementation constraints that are necessary due to stakeholder requirements or are unavoidable. (§ 6.4.2.3(a)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall identify the constraints of the design due to the integration strategy. (§ 6.4.5.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall define the system requirement constraints that are an unavoidable result of the maintenance. (§ 6.4.10.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • (§ 8.4(e), ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • Collaborate with stakeholders to identify and/or develop appropriate solutions technology. (T0283, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Implement new system design procedures, test procedures, and quality standards. (T0121, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must use diverse information technologies to implement the Information System. (App F § SC-29, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Implement new system design procedures, test procedures, and quality standards. (T0121, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • The organization employs a diverse set of information technologies for {organizationally documented information system components} in the implementation of the information system. (SC-29 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)