Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors.


CONTROL ID
13094
CONTROL TYPE
Human Resources Management
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Strategic Information Technology Plan., CC ID: 00628

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • In general, the IT planning or steering committee should also be responsible for developing an IT strategy to cover longer and short-term technology-related initiatives, taking into account new business initiatives, organisational changes, technological evolution, regulatory requirements, staffing a… (2.2.4, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Minutes of the Steering Committee meetings should be maintained to document the committee's activities and decisions and a review on information security needs to be escalated to the Board on a quarterly basis. (Information Security Committee ¶ 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Approving and monitoring major information security projects and the status of information security plans and budgets, establishing priorities, approving standards and procedures (Information Security Committee ¶ 3 Bullet 2, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Under this section competent authorities should assess whether the institution has an ICT strategy in place: that is subject to adequate oversight from the institution's management body; that is consistent with the business strategy, particularly for keeping its ICT up-to-date and planning or implem… (Title 2 2.2 25., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the institution's management body approves the ICT strategy, implementation plans and monitors its implementation. (Title 2 2.2.1 26.d, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • the senior management of the business line(s) is adequately involved in the definition of the institution's strategic ICT priorities and that, in turn, senior management of the ICT function is aware of the development, design and initiation of major business strategies and initiatives to ensure the … (Title 2 2.2.1 26.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • has defined and allocated the roles and responsibilities for the implementation of ICT strategic programmes, paying particular attention to the experience of key stakeholders in organising, steering and monitoring important and complex ICT changes and the management of the wider organisational and h… (Title 2 2.2.2 27.b, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Major IT projects and IT project risks shall be reported to the management board regularly and on an ad hoc basis. Material project risks shall be taken account of in the risk management. (II.6.35, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Establish an IT strategy committee at the board level. This committee should ensure that IT governance, as part of enterprise governance, is adequately addressed; advise on strategic direction; and review major investments on behalf of the full board. (PO4.2 IT Strategy Committee, CobiT, Version 4.1)
  • Develop senior management reports on IT's contribution to the business, specifically in terms of the performance of the enterprise's portfolio, IT-enabled investment programmes, and the solution and service deliverable performance of individual programmes. Include in status reports the extent to whi… (ME1.5 Board and Executive Reporting, CobiT, Version 4.1)
  • Create a strategic plan that defines, in co-operation with relevant stakeholders, how IT goals will contribute to the enterprise's strategic objectives and related costs and risks. It should include how IT will support IT-enabled investment programmes, IT services and IT assets. IT should define how… (PO1.4 IT Strategic Plan, CobiT, Version 4.1)
  • Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for an information governance program, which is sponsored by the leadership of the organization. Review and update the policies and procedures at least annually. (GRC-01, Cloud Controls Matrix, v4.0)
  • Review strategy: Should the performance of the entity result in a substantial deviation from the expected risk profile, the organization may choose to revise its strategy. In this case, it may choose to reconsider alternative strategies that were previously evaluated, or identify new strategies. (Integrating Reviews into Business Practices ¶ 2 Bullet 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Participation of senior management by supporting AIO activities, confirming that those activities are in the IT strategic plan, reviewing the strategic planning process, and incorporating changes. (App A Objective 2:5a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Inclusion of processes for obtaining approvals, making changes to the plan, and reporting, as appropriate. (App A Objective 12:3c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Reviews and approves an IT strategic plan that aligns with the overall business strategy and includes an information security strategy to safeguard against ongoing and emerging threats, including cybersecurity threats. (App A Objective 2:2 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • There is review of and credible challenge to the plan. (App A Objective 4:2 k., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the strategic plan for IT activities. Determine whether the goals and objectives are consistent with the institution's overall business strategy. Document significant changes made since the previous examination that affect (or any planned changes that may affect) the institution's organizatio… (App A Objective 4:2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • IT Management participates in the development of the IT strategic plan. (App A Objective 4:2 j., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Short- and long-term IT tactical, operational, and strategic plans. (App A Objective 4:4 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Supervisory strategy documents, including risk assessments. (App A Tier 1 Objectives and Procedures Objective 2:1 Bullet 7, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • regularly receiving and reviewing management reports about cybersecurity matters; and (§ 500.4 Cybersecurity Governance (d)(3), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)