Establish, implement, and maintain a capacity management plan.


CONTROL ID
11751
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a capacity planning baseline., CC ID: 13492
  • Establish, implement, and maintain future system capacity forecasting methods., CC ID: 01617
  • Align critical Information Technology resource availability planning with capacity planning., CC ID: 01618
  • Forecast system workloads., CC ID: 00938
  • Utilize resource capacity management controls., CC ID: 00939
  • Follow the resource workload schedule., CC ID: 00941


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Guidelines for capacity planning should be established, which clearly set out, among others, system utilization threshold and corresponding precautionary measures (e.g. to step up monitoring of system utilization and perform system upgrades when the peak utilization level reaches the predetermined c… (§ 9.2.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • AIs should ensure that their controls relating to system resilience and their capacity planning for e-banking cover all related systems and infrastructure components within their institutions as well as those of any relevant service providers to ensure stability, performance and continued system ava… (§ 9.1.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • Guidelines for capacity planning should be established, which clearly set out, among others, system utilization threshold and corresponding precautionary measures (e.g. to step up monitoring of system utilization and perform system upgrades when the peak utilization level reaches the predetermined c… (§ 9.2.2, Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • To ensure the stable operation of computer systems and facilitate the early detection of any unusual conditions in each facility, the administrators should identify the capacity and performance of each facility and also pay special attention to the following points: (P55.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Capacity Management (Critical components of information security 1) 2) q. xiv., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The other relevant controls include service level management, vendor management, capacity management and configuration management which are described in later chapters. Decommissioning and destruction controls need to be used to ensure that information security is not compromised as IT assets reach … (Critical components of information security 6) (iv), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The framework should comprise the governance structure, processes and procedures for change management, software release management, incident and problem management as well as capacity management. (§ 7.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should ensure adequate system capacity is in place to handle high volumes of API call requests, and implement measures to mitigate cyber threats such as denial of service (DoS) attacks. (§ 6.4.8, Technology Risk Management Guidelines, January 2021)
  • equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced; (Art. 7 ¶ 1(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Ensuring proper regular operations including appropriate safeguards for planning and monitoring the capacity, protection against malware, logging and monitoring events as well as handling vulnerabilities, malfunctions and errors. (Section 5.6 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • The planning of capacities and resources (personnel and IT resources) follows an established procedure in order to avoid capacity bottlenecks. The procedures include forecasts of future capacity requirements in order to identify use trends and master system overload risks. (Section 5.6 RB-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Establish a planning process for the review of performance and capacity of IT resources to ensure that cost-justifiable capacity and performance are available to process the agreed-upon workloads as determined by the SLAs. Capacity and performance plans should leverage appropriate modelling techniqu… (DS3.1 Performance and Capacity Planning, CobiT, Version 4.1)
  • Conduct performance and capacity forecasting of IT resources at regular intervals to minimise the risk of service disruptions due to insufficient capacity or performance degradation, and identify excess capacity for possible redeployment. Identify workload trends and determine forecasts to be input … (DS3.3 Future Performance and Capacity, CobiT, Version 4.1)
  • During the outsourced data services review, auditors should determine if the service provider has the capacity to host the outsourced services. (§ 3 (Data Center Management), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • Plan and monitor the availability, quality, and adequate capacity of resources in order to deliver the required system performance as determined by the business. (IVS-02, Cloud Controls Matrix, v4.0)
  • The service provider shall identify and agree with the customer and interested parties on the capacity requirements and performance requirements. (§ 6.5 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The capacity plan shall include the costs, thresholds, and timescales for service capacity upgrades. (§ 6.5 ¶ 3(c), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The capacity plan shall include the potential impact of organizational changes, contractual changes, statutory changes, or regulatory changes. (§ 6.5 ¶ 3(d), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The capacity plan shall include the potential impact of new techniques and new technologies. (§ 6.5 ¶ 3(e), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Outsourced service providers should ensure several organizations can be provided recovery services at the recovery facilities simultaneously and each organization can operate its subscribed services in a manner independent of each other. Services and supporting resources that are offered during simu… (§ 7.7, § 7.14.5, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • timescales and thresholds for changes to service capacity. (§ 8.4.3 ¶ 2(c), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • determine current demand and forecast future demand for services; (§ 8.4.2 ¶ 1(a), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Service availability requirements and targets shall be documented and maintained. (§ 8.7.1 ¶ 2, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • current and forecast capacity based on demand for services; (§ 8.4.3 ¶ 2(a), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Develop a national plan to manage PPE supply (stockpile, distribution) and to identify IPC surge capacity (numbers and competence) (Pillar 6 Step 1 Action 5, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Countries should prepare laboratory capacity to manage large-scale testing for COVID-19 — either domestically, or through arrangements with international reference laboratories. If COVID-19 testing capacity does not exist at national level, samples should be sent to a regional or international ref… (Pillar 5: National laboratories, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Develop and implement surge plans to manage increased demand for testing; consider conservation of lab resources in anticipation of potential widespread COVID-19 transmission (Pillar 5 Step 2 Action 4, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Prepare staff surge capacity and deployment mechanisms; health advisories (guidelines and SOPs); pre- and post-deployment package (briefings, recommended/mandatory vaccinations, enhanced medical travel kits, psychosocial and psychological support, including peer support groups) to ensure staff well-… (Pillar 8 Step 2 Action 4, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Capacity management processes that support the entity's current and future strategic objectives. (VI.B Action Summary ¶ 2 Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Storage, backup, and capacity needs to accommodate the entity's strategic plans. (App A Objective 12:4b Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Demand management, which balances customer demand for services with the capacity to meet that demand. (App A Objective 2:7d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management of the capacity, performance, and availability of the components used in an entity's infrastructure. (App A Objective 2:9c Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Selects core processing software with adequate capacity. (App A Objective 13:6b Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Ensures databases are appropriately located and structured, have sufficient capacity, and are resilient. (App A Objective 3:6d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Placement and selection of storage, design of network topology, availability of bandwidth, and need for management reporting systems, as well as implementation of monitoring tools. (App A Objective 12:5d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management implements adequate capacity management processes. Additionally, evaluate whether the processes provide for the following: (App A Objective 15:6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Performs configuration management, problem management, capacity management, and financial management for databases and data management systems. (T0305, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop strategy and processes for partner planning, operations, and capability development. (T0669, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Performs configuration management, problem management, capacity management, and financial management for databases and data management systems. (T0305, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop strategy and processes for partner planning, operations, and capability development. (T0669, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Adequate resource capacity to ensure availability is maintained (PR.IR-04, The NIST Cybersecurity Framework, v2.0)