Establish, implement, and maintain a system implementation standard.


CONTROL ID
01111
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Initiate the System Development Life Cycle implementation phase., CC ID: 06268

This Control has the following implementation support Control(s):
  • Deploy applications based on best practices., CC ID: 12738
  • Select implementation strategies based on the system design requirements., CC ID: 01113
  • Establish, implement, and maintain system implementation procedures to ensure product conformity., CC ID: 06617
  • Establish, implement, and maintain an implementation plan., CC ID: 01114
  • Plan and document the Certification and Accreditation process., CC ID: 11767
  • Install and integrate the system components according to the system implementation standard., CC ID: 06930
  • Document the system implementation integration process., CC ID: 06931

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • AIs should adopt and implement a full project life cycle methodology governing the process of developing, implementing and maintaining major computer systems. In general, this should involve phases of project initiation, feasibility study, requirement definition, system design, program development, … (4.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • App 2-1 Item Number III.6(1): The organization must develop a promotion plan to promote the system from the system development and testing stages to the operational stage. Persons in charge of the user, system development, operations, and application maintenance departments must approve the plan. Th… (App 2-1 Item Number III.6(1), App 2-1 Item Number V.5(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Ongoing support and maintenance controls would be needed to ensure that IT assets continue to meet business objectives. Major controls in this regard include change management controls to ensure that the business objectives continue to be met following change; configuration management controls to en… (Critical components of information security 6) (iii), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • (§ F.4.9, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Financial entities shall identify alternative solutions and develop transition plans enabling them to remove the contracted ICT services and the relevant data from the ICT third-party service provider and to securely and integrally transfer them to alternative providers or reincorporate them in-hous… (Art. 28.8. ¶ 4, Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • At this point, it should be emphasised that information security is only ever achieved by interaction between technical and organisational safeguards. The investments in technology can be read off the budget directly. In order to justify these costs, the security products must be deployed in such a … (§ 4.1(5) ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Appropriate processes shall be defined for application development which contain specifications for identifying requirements, for the development objective, for (technical) implementation (including coding guidelines), for quality assurance, and for testing, approval and release. (II.6.36, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • When system integration services are being reviewed, auditors need to determine if internal assessments by the client certify that the proposed system meets interoperability, scalability, security, and reliability requirements; if integration tools are tested separately for effectiveness and applica… (§ 3 (System Integration), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Standards and procedures for system installation should require designs to take account of security architecture principles, business requirements, and security requirements. (CF.07.01.01a, The Standard of Good Practice for Information Security)
  • Standards and procedures for system installation should require compatibility to be maintained with other Information Systems, networks, and telecommunication installations used by the organization. (CF.07.01.01b, The Standard of Good Practice for Information Security)
  • Standards and procedures for system installation should require Information Systems, networks, and telecommunication installations to be designed to cope with foreseeable developments in the organization's use of Information Technology (e.g., growth projections or adoption of open / proprietary stan… (CF.07.01.01c, The Standard of Good Practice for Information Security)
  • Information System, network, and telecommunication installations should minimise the need for manual intervention (e.g., by incorporating high-reliability or fault-tolerant computers and automating common operations such as patch management and back-up). (CF.07.01.02b, The Standard of Good Practice for Information Security)
  • The promotion of new systems to the live environment should be governed by a documented installation process (or deployment plan). (CF.18.07.01, The Standard of Good Practice for Information Security)
  • Standards and procedures for system installation should require designs to take account of security architecture principles, business requirements, and security requirements. (CF.07.01.01a, The Standard of Good Practice for Information Security, 2013)
  • Standards and procedures for system installation should require compatibility to be maintained with other Information Systems, networks, and telecommunication installations used by the organization. (CF.07.01.01b, The Standard of Good Practice for Information Security, 2013)
  • Standards and procedures for system installation should require Information Systems, networks, and telecommunication installations to be designed to cope with foreseeable developments in the organization's use of Information Technology (e.g., growth projections or adoption of open / proprietary stan… (CF.07.01.01c, The Standard of Good Practice for Information Security, 2013)
  • Information System, network, and telecommunication installations should minimise the need for manual intervention (e.g., by incorporating high-reliability or fault-tolerant computers and automating common operations such as patch management and back-up). (CF.07.01.02b, The Standard of Good Practice for Information Security, 2013)
  • The promotion of new systems to the live environment should be governed by a documented installation process (or deployment plan). (CF.18.07.01, The Standard of Good Practice for Information Security, 2013)
  • Establish and implement strategies and capabilities for secure, standardized, and compliant application deployment. Automate where possible. (AIS-06, Cloud Controls Matrix, v4.0)
  • Follow a defined quality change control, approval and testing process with established baselines, testing, and release standards. (CCC-02, Cloud Controls Matrix, v4.0)
  • The organization shall develop an implementation strategy. (§ 6.4.4.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall implement system elements using named materials and the implementation enabling system in accordance with the implementation procedures for creating software, fabricating hardware, and/or training operators. (§ 6.4.4.3(b)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall develop a transition strategy. (§ 6.4.7.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • A release and deployment management process shall be used for deployment into the live environment. (§ 5.4 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • A medical device manufacturer shall establish and maintain procedures for ensuring the device design is translated correctly into the production specifications. (§ 820.30(h), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • As part of the implementation plan, the implementation phase should include an implementation schedule, training for the application users, and implementation of the product. (Exam Obj 5.1, Pg 30, Pg 31, FFIEC IT Examination Handbook - Development and Acquisition)
  • The organization should prepare deployment and operational plans to address security issues of cell phones and PDAs. The plans should include methods for issuing handheld devices; protecting data; authenticating users; handling lost or stolen devices; accessing the organization's networks; backing u… (§ 4.2.2, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and (SC-43a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and (SC-43a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Establish usage restrictions and implementation guidelines for the following system components: [Assignment: organization-defined system components]; and (SC-43a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)