Align critical Information Technology resource availability planning with capacity planning.


CONTROL ID
01618
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a capacity management plan., CC ID: 11751

This Control has the following implementation support Control(s):
  • Limit any effects of a Denial of Service attack., CC ID: 06754


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is important that e-banking services are delivered on a continuous basis with reasonably fast response time, taking into account customers' general expectations. In this connection, AIs should ensure that resilience capability, capacity planning and performance monitoring process of their e-banki… (§ 9.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should ensure that their controls relating to system resilience and their capacity planning for e-banking cover all systems (e.g. their Internet banking system and any connected core banking systems) and infrastructure components (e.g. Internet infrastructure, associated hardware, equipment and … (§ 9.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • It is important that e-banking services are delivered on a continuous basis with reasonably fast response time, taking into account customers' general expectations. In this connection, AIs should ensure that resilience capability, capacity planning and performance monitoring process of their e-banki… (§ 9.1.1, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • AIs should implement sufficient and effective alternative service delivery channels to ensure e-banking services can be provided continuously to customers as far as appropriate. In particular, if an Internet banking system is temporarily not accessible, AIs should ensure that their other service cha… (§ 9.5.4, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Capacity planning should be extended to cover back-up systems and related facilities in addition to the production environment. (5.2.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Especially in the computer center and the divisions responsible for the management of computer equipment and other system resources, the establishment of the disaster prevention organization should place emphasis on the significance of the resources. (C10.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • It should be investigated whether the additional equipment exceeds current capacity limits of each facility and whether the capacities of each facility need to be increased. (P55.1. ¶ 1(1) ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The FI should establish monitoring processes and implement appropriate thresholds to provide sufficient time for the FI to plan and determine additional resources to meet operational and business requirements effectively. (§ 7.5.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Denial-of-service attack prevention and mitigation strategies are discussed with cloud service providers, specifically: (Security Control: 1431; Revision: 2, Australian Government Information Security Manual, March 2021)
  • Where a requirement for high availability exists, a denial of service mitigation service is used. (Security Control: 1441; Revision: 2, Australian Government Information Security Manual, March 2021)
  • any costs likely to be incurred as a result of denial-of-service attacks (Security Control: 1431; Revision: 2; Bullet 2, Australian Government Information Security Manual, March 2021)
  • The organization should agree with the Internet security provider on a Denial of Service mitigation plan that outlines the pre-approved actions to take for a Distributed Denial of Service attack. (Control: 1189, Australian Government Information Security Manual: Controls)
  • Implementers should find synergies between the information security process and other management processes. (6.2 Bullet 7, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Provide the required capacity and performance, taking into account aspects such as normal workloads, contingencies, storage requirements and IT resource life cycles. Provisions such as prioritising tasks, fault-tolerance mechanisms and resource allocation practices should be made. Management should … (DS3.4 IT Resources Availability, CobiT, Version 4.1)
  • Create a portfolio of tactical IT plans that are derived from the IT strategic plan. The tactical plans should address IT-enabled programme investments, IT services and IT assets. The tactical plans should describe required IT initiatives, resource requirements, and how the use of resources and achi… (PO1.5 IT Tactical Plans, CobiT, Version 4.1)
  • Capacity planning activities should be undertaken to allow extra capacity to be commissioned before projected bottlenecks / overloads materialise. (CF.10.05.03, The Standard of Good Practice for Information Security)
  • Business applications should incorporate security controls to help ensure availability of information by performing load-balancing. (CF.04.01.05b-1, The Standard of Good Practice for Information Security)
  • Critical business processes should be protected against disruption from incompatible business applications by running critical business applications on a dedicated computer, Mainframe partition, or Virtual Server (i.e., a partition on a server running virtualisation software). (CF.20.03.05a, The Standard of Good Practice for Information Security)
  • Critical business processes should be protected against disruption from incompatible business applications by supporting critical business applications through a dedicated network or sub-network. (CF.20.03.05b, The Standard of Good Practice for Information Security)
  • Capacity planning activities should be undertaken to allow extra capacity to be commissioned before projected bottlenecks / overloads materialise. (CF.10.05.03, The Standard of Good Practice for Information Security, 2013)
  • Business applications should incorporate security controls to help ensure availability of information by performing load-balancing. (CF.04.01.05b-1, The Standard of Good Practice for Information Security, 2013)
  • Critical business processes should be protected against disruption from incompatible business applications by running critical business applications on a dedicated computer, Mainframe partition, or Virtual Server (i.e., a partition on a server running virtualisation software). (CF.20.03.05a, The Standard of Good Practice for Information Security, 2013)
  • Critical business processes should be protected against disruption from incompatible business applications by supporting critical business applications through a dedicated network or sub-network. (CF.20.03.05b, The Standard of Good Practice for Information Security, 2013)
  • The service provider shall provide sufficient capacity to meet the capacity requirements and performance requirements. (§ 6.5 ¶ 4, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • expected impact on capacity of agreed service level targets, requirements for service availability and service continuity; (§ 8.4.3 ¶ 2(b), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The expected average and peak use of system components is forecasted and compared to system capacity and associated tolerances. Forecasting considers system resilience and capacity in the event of the failure of system components that constrain capacity. (A1.1 ¶ 2 Bullet 2 Forecasts Capacity, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Integration with the budgeting and strategic planning processes. (App A Objective 15:6a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Remote access is a service provided by servers and devices on the LAN. Remote access provides a convenience for users working offsite or allows for a means for servers and devices to communicate between sites. Remote access can be conducted through various methods, primarily through a virtual privat… (§ 5.3.2 ¶ 4, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))