Document the organization's business processes.


CONTROL ID
13035
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Correlate business processes and applications., CC ID: 16300
  • Disseminate and communicate the business process documentation to interested personnel and affected parties., CC ID: 13038


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Financial institutions should manage their ICT operations based on documented and implemented processes and procedures (which, for PSPs, include the security policy document in accordance with Article 5(1)(j) of PSD2) that are approved by the management body. This set of documents should define how … (3.5 50, Final Report EBA Guidelines on ICT and security risk management)
  • One of the most difficult tasks is to ponder the costs for information security against the benefits and risks. It is very important to initially invest in safeguards that are particularly effective or provide protection against especially high risks. Experience shows that the most effective safegua… (§ 4.1(5) ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • All relevant framework conditions must be identified to define an appropriate IS strategy. Thus, every organisation should determine its most important business processes and specialised tasks as well as its need for information security. This also includes analysis of stakeholders (i.e. the relevan… (§ 3.2.1 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Based on the essential business processes and specialised procedures, first acquisition must include identification of the applications, IT systems, network components, rooms and similar objects that are essential for performance of the business processes. Here, not only the primary dependences shou… (§ 3.2.4 ¶ 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The structures that are suitable for a security organisation in the field of ICS highly depend on the present structures and the attuned processes within an organisation. Basically, communication between all parties involved must be ensured. All parties must have a basic understanding of the corresp… (§ 4.7 ¶ 7, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • For this, the business processes as well as the business-critical information and applications must be determined, and the affected IT, ICS or IoT systems, rooms and networks must be acquired. The classical approach is to first determine the applications and, based on this, the further affected obje… (§ 8.1 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Draw up a summary on the business processes (§ 8.1.2 Subsection 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In a first step, the business processes or specialised tasks included in the defined information domain are to be acquired and documented on the basis of such defined information domain. Here it should be ensured that reasonable granularity is selected. This means that not only an individual main pr… (§ 8.1.2 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • It is recommended that the results are documented in tables or by using corresponding software products. (§ 8.1.3 ¶ 11, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In many organisations, existing process maps can be used to identify the essential business processes. If the business processes have not been acquired, have not been acquired completely or have not been acquired in the current state, business distribution plans, task descriptions or other organisat… (§ 8.1.2 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Uniform identifier (§ 8.1.2 ¶ 4 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Name (§ 8.1.2 ¶ 4 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Short descriptions of the processes or of the specialised task and the correspondingly processed information (§ 8.1.2 ¶ 4 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Important application(s) required for the processes (§ 8.1.2 ¶ 4 Bullet 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In this step, the organization creates an initial high-level overview of its activities and business relationships, the sustainability context in which these occur, and an overview of its stakeholders. This provides the organization with critical information for identifying its actual and potential … (§ 1. Step 1. ¶ 1, GRI 3: Material Topics 2021)
  • Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It s… (PO4.1 IT Process Framework, CobiT, Version 4.1)
  • An organization's business processes and activities, including its information governance program, shall be documented in an open and verifiable manner, and that documentation shall be available to all personnel and appropriate, interested parties. (Principle of Transparency:, Generally Accepted Recordkeeping Principles®, For the Web)
  • promoting the use of the process approach and risk-based thinking; (5.1.1 ¶ 1(d), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, the IT asset management plan(s) determined in 6.2, and the corrective and preventive actions determined in 10.1 and 10.2 by: (Section 8.1 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization establishes operating structures in the pursuit of strategy and business objectives. (Principle 2: Establishes Operating Structures, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization establishes an operating structure and designs reporting lines to carry out the strategy and business objectives. It is important for the organization to clearly define responsibilities when designing reporting lines. The organization may also enter into relationships with external … (Operating Structure and Reporting Lines ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Due care requires a member to plan and supervise adequately any professional activity for which he or she is responsible. (0.300.060.06, AICPA Code of Professional Conduct, August 31, 2016)
  • Determine whether management documents and maintains accurate representations (e.g., network diagrams, data flow diagrams, business process flow diagrams, and business process narratives) of the current IT and business environments and employs processes to update the representations. (App A Objective 5:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • People and processes supporting the entity's missions and business functions. (App A Objective 14:2e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Services offered and SLA, OLA, or contractual provisions. (App A Objective 16:1a Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management understands the documentation maintained to represent the entity's IT and business environment. (III.C, "IT and Business Environment Representations") (App A Objective 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Effective planning processes for service management that consider services offered, SLAs and contractual provisions, known limitations, and metrics and measurements. (VI.C Action Summary ¶ 2 Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Directs management to maintain an institution-wide view of technology and the business processes supported by technology. (App A Objective 2:3 d., FFIEC Information Technology Examination Handbook - Management, November 2015)