Establish, implement, and maintain future system capacity forecasting methods.


CONTROL ID: 01617
CONTROL TYPE: Business Processes
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a capacity management plan., CC ID: 11751

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • AIs should implement a process to ensure that the performance of application systems is continuously monitored and exceptions are reported in a timely and comprehensive manner. The performance monitoring process should include forecasting capability to enable problems to be identified and corrected … (5.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced; (Art. 7 ¶ 1(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The forecasts are taken into account in coordination with the service level agreement for the planning and preparation of the provisioning. (Section 5.6 RB-01 Description of additional requirements (availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The organization is called upon to conduct performance and capacity forecasting of IT resources at regular intervals to minimize the risk of service disruptions due to insufficient capacity or performance degradation. Also identify excess capacity for possible redeployment. Identify workload trends … (DS3.3, CobiT, Version 4.1)
  • Conduct performance and capacity forecasting of IT resources at regular intervals to minimise the risk of service disruptions due to insufficient capacity or performance degradation, and identify excess capacity for possible redeployment. Identify workload trends and determine forecasts to be input … (DS3.3 Future Performance and Capacity, CobiT, Version 4.1)
  • Adopt and maintain standards for all development and acquisition that follow the life cycle of the ultimate deliverable, and include sign-off at key milestones based on agreed-upon sign-off criteria. Consider software coding standards; naming conventions; file formats; schema and data dictionary des… (PO8.3 Development and Acquisition Standards, CobiT, Version 4.1)
  • The availability, quality, and adequate capacity and resources shall be planned, prepared, and measured to deliver the required system performance in accordance with legal, statutory, and regulatory compliance obligations. Projections of future capacity requirements shall be made to mitigate the ris… (IVS-04, Cloud Controls Matrix, v3.0)
  • ¶ 8.1.5(2) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards… (¶ 8.1.5(2), ¶ 8.2.4(2), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The use of resources shall be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. (A.12.1.3 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Managers should project the future capacity requirements to ensure the system will perform as required. When projecting the future capacity, managers should look at any new business the company may have, current and future trends in information processing, and the system requirements. (§ 10.3.1, ISO 27002 Code of practice for information security management, 2005)
  • The use of resources should be monitored, tuned and projections made of future capacity requirements to ensure the required system performance. (§ 12.1.3 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • The cloud service customer should ensure that the agreed capacity provided by the cloud service meets the cloud service customer's requirements. The cloud service customer should monitor the use of cloud services, and forecast their capacity needs, to ensure performance of the cloud services over ti… (§ 12.1.3 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers system resilience and capacity in the event of the failure of system components that constrain capacity. (A1.1 ¶ 2 Bullet 2 Forecasts Capacity, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity. (A1.1 Forecasts Capacity, Trust Services Criteria)
  • The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers capacity in the event of the failure of system components that constrain capacity. (A1.1 ¶ 2 Bullet 2 Forecasts Capacity, Trust Services Criteria, (includes March 2020 updates))
  • Meeting between IT management and business line management to determine future projects that may impact capacity needs. (App A Objective 15:6h, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Analysis of capacity trends (e.g., increasing capacity usage) to understand capacity usage. (App A Objective 15:6d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • There is adequate capacity for current and planned transaction volumes. (App A Tier 1 Objectives and Procedures Objective 1:4 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)