Develop and maintain an operating strategy for newly implemented systems.
CONTROL ID
06932
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Initiate the System Development Life Cycle implementation phase. (CC ID: 06268)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • AIs should adopt and implement a full project life cycle methodology governing the process of developing, implementing and maintaining major computer systems. In general, this should involve phases of project initiation, feasibility study, requirement definition, system design, program development, … (4.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Prospective product available years (scheduled date of termination of sales, etc.) (P48.1. ¶ 1(1), FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • If the IT system of the service is being renewed, the financial institution itself should thoroughly evaluate and confirm as necessary that proper system support is implemented. (C26.1. ¶ 4(2) ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • The organization should install, configure, operate, and administer the evaluated products in accordance with the evaluation documentation. (Control: 0289, Australian Government Information Security Manual: Controls)
  • The organization must ensure High Grade Cryptographic Equipment and high assurance products are installed, configured, operated, and administered in accordance with the specific guidance from Defence Signals Directorate. (Control: 0290, Australian Government Information Security Manual: Controls)
  • Before new systems are promoted into the live environment, operating procedures should be documented and tested. (CF.18.06.04c, The Standard of Good Practice for Information Security)
  • Before new systems are promoted into the live environment, checks should be carried out to ensure that the security of new systems can be supported on a continuing basis (e.g., through a predefined Point Of Contact, such as a helpdesk). (CF.18.06.03f, The Standard of Good Practice for Information Security)
  • Before new systems are promoted into the live environment, operating procedures should be documented and tested. (CF.18.06.04c, The Standard of Good Practice for Information Security, 2013)
  • Before new systems are promoted into the live environment, checks should be carried out to ensure that the security of new systems can be supported on a continuing basis (e.g., through a predefined Point Of Contact, such as a helpdesk). (CF.18.06.03f, The Standard of Good Practice for Information Security, 2013)
  • The organization shall develop an operation strategy that defines which services are available, operator schedules, the staffing strategy, and modification schedules. (§ 6.4.9.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization requires the developer of the information system, system component, or information system service to produce a plan for the continuous monitoring of security control effectiveness that contains {organizationally documented level of detail}. (SA-4(8), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)