Conduct a project feasibility study prior to designing a system.


CONTROL ID: 01613
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a system design project management framework. (CC ID: 00990)

This Control has the following implementation support Control(s):
  • Update the system requirements specification after the feasibility study has been completed. (CC ID: 06607)
  • Include the software requirements in the system requirements specification. (CC ID: 06608)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should adopt and implement a full project life cycle methodology governing the process of developing, implementing and maintaining major computer systems. In general, this should involve phases of project initiation, feasibility study, requirement definition, system design, program development, … (4.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • When designing a development plan, the organization must conduct a feasibility study of all alternatives to develop an information system with the highest efficiency. This is a control item that constitutes a relatively small risk to financial information. This is an IT general control. (App 2-1 Item Number II.1(9), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Systems and applications are designed, deployed, maintained and decommissioned according to their value and their confidentiality, integrity and availability requirements. (P1:, Australian Government Information Security Manual, March 2021)
  • The organization shall evaluate alternative designs, including conducting risk analyses, trade-off analyses, and effectiveness assessments. (§ 6.4.3.3(b)(4)(iii), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization should conduct a feasibility study to verify any assumptions and identify the resource requirements in more detail. The feasibility study documentation should include business considerations; functional requirements; project factors; and a cost/benefit analysis. The study should be … (Pg 17, Pg 18, Exam Obj 5.1, FFIEC IT Examination Handbook - Development and Acquisition)
  • Analyze security needs and software requirements to determine feasibility of design within time and cost constraints and security mandates. (T0428, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Determine the potential applicability of cyber resiliency design principles. This involves considering organizational and programmatic risk management strategies to determine which strategic design principles may apply. It also involves considering the architecture, operational context, and threat e… (3.2.1.5 ¶ 1 Bullet 2, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Analyze security needs and software requirements to determine feasibility of design within time and cost constraints and security mandates. (T0428, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)