Include business continuity objectives in the Strategic Information Technology Plan.

CONTROL ID: 06496
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Strategic Information Technology Plan., CC ID: 00628

This Control has the following implementation support Control(s):
  • Align business continuity objectives with the business continuity policy., CC ID: 12408


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Any findings to be reflected in the contingency plans should be properly reflected in other relevant plans. (C17.3. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • explaining how the ICT risk management framework supports the financial entity's business strategy and objectives; (Art. 6.8.(a), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • statements on contingency management giving due consideration to IT issues; (II.1.2(e), Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The CIP objective shall always be taken into account, from when the protection requirements are determined, during the definition of appropriate measures and through to the effective implementation of these measures, including the implementation and regular testing of relevant emergency preparedness… (II.9.60, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Establish an IT architecture board to provide architecture guidelines and advice on their application, and to verify compliance. This entity should direct IT architecture design, ensuring that it enables the business strategy and considers regulatory compliance and continuity requirements. This is r… (PO3.5 IT Architecture Board, CobiT, Version 4.1)
  • Plan the actions to be taken for the period when IT is recovering and resuming services. This may include activation of backup sites, initiation of alternative processing, customer and stakeholder communication, and resumption procedures. Ensure that the business understands IT recovery times and th… (DS4.8 IT Services Recovery and Resumption, CobiT, Version 4.1)
  • The information security strategy should support the organization's overall objectives by outlining how Information Security activity will help ensure Business Continuity. (SG.02.01.02e, The Standard of Good Practice for Information Security)
  • A Business Continuity strategy covering the whole organization should be developed and maintained, which is aligned with the organization's business strategy and information security strategy. (CF.20.01.01, The Standard of Good Practice for Information Security)
  • The information security strategy should support the organization's overall objectives by outlining how Information Security activity will help ensure Business Continuity. (SG.02.01.02e, The Standard of Good Practice for Information Security, 2013)
  • A Business Continuity strategy covering the whole organization should be developed and maintained, which is aligned with the organization's business strategy and information security strategy. (CF.20.01.01, The Standard of Good Practice for Information Security, 2013)
  • {activation procedures} {communication procedures} {internal interdependencies} {internal interactions} {external interactions} {information flow processes} Each plan shall define - purpose and scope, - objectives, - activation criteria and procedures, - implementation procedures, - roles, responsib… (§ 8.4.4 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Review the membership list of board, steering committee, and/or relevant management committees established to review IT activities. Determine whether board, senior management, lines of business, audit, and IT personnel are represented appropriately, and whether regular meetings are held and minutes … (App A Objective 2:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Business needs are realistic. (App A Objective 4:2 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Reviews and approves an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to safeguard against ongoing and emerging threats, including cybersecurity threats. (App A Objective 2:2 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The plan incorporates clearly defined goals and metrics. (App A Objective 4:2 h., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the strategic plan for IT activities. Determine whether the goals and objectives are consistent with the institution's overall business strategy. Document significant changes made since the previous examination that affect (or any planned changes that may affect) the institution's organizatio… (App A Objective 4:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Assess whether IT management maintains an active role in the institution's strategic planning to align IT with established business goals and strategies. Assess whether effective IT controls exist throughout the institution, either through direct oversight or by holding lines of business accountable… (App A Objective 8:3, FFIEC Information Technology Examination Handbook - Management, November 2015)