Back

Establish, implement, and maintain a performance management standard.


CONTROL ID
01615
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain future system performance forecasting methods., CC ID: 11775
  • Use proactive performance management., CC ID: 00937
  • Utilize resource availability management controls., CC ID: 00940
  • Follow the maintenance schedule., CC ID: 11791
  • Establish, implement, and maintain rate limiting filters., CC ID: 06883


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The organization shall define the following planning, implementation, and verification and reporting procedures for resource management: • Resource management plan development, including setting resources subject to management and usage checking methods and the checking frequency. • Collecting… (O54.2, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization should implement capacity and Performance Management controls to ensure the current and projected business requirements are met. (¶ 54(f), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • capacity and performance management controls to ensure that the current and projected requirements of the business are met; and (¶ 54(f), The AD_offical_Name should be: APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The purpose of the capacity and performance management practice is to ensure that services achieve agreed and expected performance, satisfying current and future demand in a cost-effective way. (5.2.3 ¶ 1, ITIL Foundation, 4 Edition)
  • How does the cyber threat intelligence provider measure performance? (Table Row III.4, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Continuously monitor the performance and capacity of IT resources. Data gathered should serve two purposes: - To maintain and tune current performance within IT and address such issues as resilience, contingency, current and projected workloads, storage plans, and resource acquisition - To report de… (DS3.5 Monitoring and Reporting, CobiT, Version 4.1)
  • Assess the current capability and performance of solution and service delivery to establish a baseline against which future requirements can be compared. Define performance in terms of IT's contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses. (PO1.3 Assessment of Current Capability and Performance, CobiT, Version 4.1)
  • Deploy a performance monitoring method (e.g., balanced scorecard) that records targets; captures measurements; provides a succinct, all-around view of IT performance; and fits within the enterprise monitoring system. (ME1.3 Monitoring Method, CobiT, Version 4.1)
  • Establish a planning process for the review of performance and capacity of IT resources to ensure that cost-justifiable capacity and performance are available to process the agreed-upon workloads as determined by the SLAs. Capacity and performance plans should leverage appropriate modelling techniqu… (DS3.1 Performance and Capacity Planning, CobiT, Version 4.1)
  • Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It s… (PO4.1 IT Process Framework, CobiT, Version 4.1)
  • The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the ris… (IVS-04, Cloud Controls Matrix, v3.0)
  • The system data that should have limits placed on them should be specified. Some examples are number of users logged on the system and the size of the audit trail. The system should also state what actions are to be taken if the limit is reached or exceeded. Security attributes should have expiratio… (§ 13.3, § 13.5, § H.3, § H.5, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • These evaluations shall be undertaken through periodic reviews, exercising, testing, post-incident reporting and performance evaluations. Significant changes arising shall be reflected in the procedure(s) in a timely manner; (§ 9.1.2 b), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • establishing performance criteria for the processes based on requirements; (§ 8.1 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Management measures performance and risks against defined baseline metrics. (App A Objective 2:13d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management of the capacity, performance, and availability of the components used in an entity's infrastructure. (App A Objective 2:9c Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • To meet scheduling needs, determine whether management implements policies, standards, and procedures for creating and changing job schedules and analyzing and maximizing the entity's resources. (App A Objective 15:5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management has implemented and effectively utilizes operational control programs, processes, and tools such as: ▪ Performance management and capacity planning; ▪ User support processes; ▪ Project, change, and patch management; ▪ Conversion management; ▪ Standardization of… (Exam Tier I Obj 5.1, FFIEC IT Examination Handbook - Operations, July 2004)
  • Establish policies and procedures related to proper workstations use and performance. (§ 4.11.2 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Develop supply chain, system, network, performance, and cybersecurity requirements. (T0414, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide information and assessments for the purposes of informing leadership and customers; developing and refining objectives; supporting operation planning and execution; and assessing the effects of operations. (T0786, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide information and assessments for the purposes of informing leadership and customers; developing and refining objectives; supporting operation planning and execution; and assessing the effects of operations. (T0786, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Provide expertise to the development of measures of effectiveness and measures of performance. (T0588, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Develop supply chain, system, network, performance, and cybersecurity requirements. (T0414, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)