Review each system's operational readiness.


CONTROL ID: 06275
CONTROL TYPE: Systems Design, Build, and Implementation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Asset Management program. (CC ID: 06630)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Overall responsibility for network management should be clearly assigned to individuals who are equipped with the know-how, skills and resources to fulfill their duties. Network standards, design, diagrams and operating procedures should be formally documented, kept up-to-date, communicated to all r… (6.1.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The network should be monitored on a continuous basis. This would reduce the likelihood of network traffic overload and detect network intrusions. Monitoring activities include: - monitoring network services and performance against pre-defined targets; - reviewing volumes of network traffic, utiliza… (6.1.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The FI should ensure that full regression testing is performed before system rectification or enhancement is implemented. Users whose systems and operations are affected by the system changes should review and sign off on the outcome of the tests (Refer to Appendix A for details on Systems Security … (§ 6.2.3, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Top management shall review the organization's information security management system at planned intervals to ensure its continuing suitability, adequacy and effectiveness. (§ 9.3 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall ensure the operation of any other processes as determined in 6.2.2 IT asset management objectives for operation processes, and any additional processes which the organization has defined. (Section 8.6 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • information on the IT asset management performance, including trends in: (Section 9.3 ¶ 2(c), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization must initiate a management review or audit of all Medicare systems security controls, including interconnected systems, and applications that process sensitive information at least every 3 years and whenever a significant change occurs. (CSR 1.9.8, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Audits, assessments, and operational performance reports are obtained and reviewed regularly validating security controls for critical third parties. (Domain 4: Assessment Factor: Relationship Management, ONGOING MONITORING Baseline 3 ¶ 2, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Does the Credit Union have an ongoing review process for the authentication technology and to ensure changes are implemented? (IT - Authentication Q 32, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Review Operational Readiness: Many times when a system transitions to a production environment, unplanned modifications to the system occur. If changes are significant, a modified test of security controls, such as configurations, may be needed to ensure the integrity of the security controls. (§ 3.4.3.1, Security Considerations in the Information System Development Life Cycle, NIST SP 800-64, Revision 2)
  • The integrity of restored assets is verified, systems and services are restored, and normal operating status is confirmed (RC.RP-05, The NIST Cybersecurity Framework, v2.0)