CONTROL TYPE Systems Design, Build, and Implementation
CLASSIFICATION Preventive
SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
Establish, implement, and maintain a system design project management framework., CC ID: 00990
This Control has the following implementation support Control(s):
Investigate the range of alternative system design strategies available., CC ID: 01047
Identify appropriate tactics for the selected system design strategies., CC ID: 01048
Analyze the cultural factors of the system design strategies., CC ID: 01049
Analyze current technology investment factors that could affect implementing the system design project., CC ID: 01050
Analyze current funding factors that could affect implementing the system design project., CC ID: 11795
Balance the strengths and weaknesses of the organization with the system design strategies and implementation strategies., CC ID: 01051
Reassess staffing needs while identifying the system design strategies., CC ID: 01053
Adopt a system design strategy after examining the strategic options and tactical options., CC ID: 01054
Disseminate and communicate the implementation strategy to interested personnel and affected parties., CC ID: 11796
Disseminate and communicate the adopted system design strategy to interested personnel and affected parties., CC ID: 01055
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
design â considerations when designing secure software could include software modularisation; where on the network the software is located; what privileges the software executes under; inclusion of information security features as part of the technical specifications; and the information security … (Attachment D 2(b)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
The identification of strategies to satisfy recordkeeping requirements and encourage the adoption of an overall strategy for meeting those requirements prior to design or redesign of recordkeeping systems is called for. (§ E.4, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
The Information Technology Service Continuity (ITSC) culture should be built and embedded into a new project from its inception. Consideration should be given to how the deliverables will support or enhance the ITSC strategy. (§ 5.2 ¶ 3(d), PAS 77 IT Service Continuity Management. Code of Practice, 2006)
An assessment should be made of the organization's capacity to undertake the project, the project's priority level, and if the staff has the right skill set to execute the project. (3.1 (Assessing the Business Case) ¶ 4, IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
Organizations should take steps to reduce their exposure to fraudulent or counterfeit parts when the risk assessment shows there are availability risks. (App A § A.1, SAE AS 5553: Fraudulent/Counterfeit Electronic Parts; Avoidance, Detection, Mitigation, and Disposition, Revision A)
After a vulnerability assessment is conducted, countermeasures needed to mitigate the findings should be developed in the requirements definition. (Pg 6-II-4, Pg 6-II-5, Revised Volume 2 Pg 1-III-9, Protection of Assets Manual, ASIS International)
The organization shall analyze the complete set of stakeholder requirements. (§ 6.4.1.3(c)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
The organization shall define the implementation constraints that are necessary due to stakeholder requirements or are unavoidable. (§ 6.4.2.3(a)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
The organization shall identify the constraints of the design due to the integration strategy. (§ 6.4.5.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
The organization shall define the system requirement constraints that are an unavoidable result of the maintenance. (§ 6.4.10.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
(§ 8.4(e), ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
Collaborate with stakeholders to identify and/or develop appropriate solutions technology. (T0283, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
Implement new system design procedures, test procedures, and quality standards. (T0121, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
The organization must use diverse information technologies to implement the Information System. (App F § SC-29, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
Implement new system design procedures, test procedures, and quality standards. (T0121, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)â, July 7, 2020)
The organization employs a diverse set of information technologies for {organizationally documented information system components} in the implementation of the information system. (SC-29 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)