
Manage the system implementation process.


CONTROL ID
01115
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Initiate the System Development Life Cycle implementation phase., CC ID: 06268

This Control has the following implementation support Control(s):
  • Implement systems to allow for maintenance, cleaning, adjustment, and use., CC ID: 06213
  • Establish, implement, and maintain system conversion procedures., CC ID: 01117
  • Establish, implement, and maintain a data conversion plan., CC ID: 01118
  • Establish, implement, and maintain promoting the system to a production environment procedures., CC ID: 01119
  • Evaluate and determine whether or not the newly developed system meets users' system design requirements., CC ID: 01120
  • Evaluate and determine whether or not the newly developed system meets security requirements., CC ID: 06273
  • Determine if the project is complete after all implementation tasks are finished., CC ID: 06912


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • App 2-1 Item Number III.6(4): Based on the promotion plan, the organization must ensure the necessary staff, budgets, and equipment are secured. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. App 2-1 Item Number III.6(8): Stak… (App 2-1 Item Number III.6(4), App 2-1 Item Number III.6(8), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization should create a transition team and system and implement transition operations for programs and data files in accordance with the transition procedural instructions. The organization shall define the cutoff points for determining whether or not to cancel the transition and restore i… (O69.2(4), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • An implementation process that requires installation, conversion and review of recordkeeping systems is called for. Allocating recordkeeping responsibilities, training in the managing of records and the inception of a program for disposal of records is also called for. (§ G.4.3, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Check adherence to implementation plan (§ 10.3 Subsection 1 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Auditors must ensure a post go-live support plan has been defined for functional and technical issues for the support team organization. An analysis should be conducted on the support team to determine if it is the right size for the go-live and postlaunch workload. Also, contingency plans should be… (§ 3.4 (Postlaunch Support), IIA Global Technology Audit Guide (GTAG) 12: Auditing IT Projects)
  • The organization shall establish acceptance criteria requirements for installing and verifying the installation of medical devices. The organization shall provide these requirements to another organization when the agreed upon customer requirements allow the product to be installed by someone else. … (§ 7.5.1.2.2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • (§ 8.4(g), ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • § 5.6.1: For software systems assigned to Class B and Class C software safety classes, the medical device manufacturer shall use the integration plan to integrate the software units. § 5.6.2: For software systems assigned to Class B and Class C software safety classes, the medical device manufactu… (§ 5.6.1, § 5.6.2, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • The entity's security policies include testing, evaluating, and authorizing system components before implementation. (Security Prin. and Criteria Table § 1.2 h, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system availability and related security policies include testing, evaluating, and authorizing system components before implementation. (Availability Prin. and Criteria Table § 1.2 h, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system processing integrity and related security policies include testing, evaluating, and authorizing system components before implementation. (Processing Integrity Prin. and Criteria Table § 1.2 h, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's policies related to the system's protection of confidential information and security include testing, evaluating, and authorizing system components before implementation. (Confidentiality Prin. and Criteria Table § 1.2 h, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization schedules system software installation to minimize data processing impacts and must give advance notice to system users. (CSR 3.4.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Execution. (App A Objective 12:3e Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components]. (SC-29 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components]. (SC-29 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • The organization has 3 options to consider when integrating the authentication system into the existing operating system: use an authentication system that the vendor has already integrated into the operating system the organization is using; the organization may purchase the operating system that t… (§ 8.3, FIPS Pub 190, Guideline for the use of Advanced Authentication Technology Alternatives)
  • NIST 800-14 reiterates testing with respect to security and requires review of the system. (§ 3.4.4, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Integrate new systems into existing network architecture. (T0129, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Oversee policy standards and implementation strategies to ensure procedures and guidelines comply with cybersecurity policies. (T0254, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Integrate new systems into existing network architecture. (T0129, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Oversee policy standards and implementation strategies to ensure procedures and guidelines comply with cybersecurity policies. (T0254, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Manage system/server resources including performance, capacity, availability, serviceability, and recoverability. (T0498, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system. (SC-29 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components]. (SC-29 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ a diverse set of information technologies for the following system components in the implementation of the system: [Assignment: organization-defined system components]. (SC-29 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • The organization employs a diverse set of information technologies for [Assignment: organization-defined information system components] in the implementation of the information system. (SC-29 Control, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)