Operational management


CONTROL ID: 00805
CONTROL TYPE: IT Impact Zone
CLASSIFICATION: IT Impact Zone

SUPPORTING AND SUPPORTED CONTROLS




This is a top level control.

This Control has the following implementation support Control(s):
  • Establish and implement a capacity management plan. (CC ID: 11751)
  • Plan for business process conversions, as necessary. (CC ID: 13678)
  • Implement all approved programs. (CC ID: 13677)
  • Manage cloud services. (CC ID: 13144)
  • Document the organization's business processes. (CC ID: 13035)
  • Establish and maintain a Governance, Risk, and Compliance framework. (CC ID: 01406)
  • Establish and maintain a Service Management System, as necessary. (CC ID: 13889)
  • Include continuity plans in the Service Management program. (CC ID: 13919)
  • Establish and maintain a network management program. (CC ID: 13123)
  • Establish and maintain an Asset Management program. (CC ID: 06630)
  • Establish and maintain a customer service program. (CC ID: 00846)
  • Establish and maintain an Incident Response program. (CC ID: 00579)
  • Establish and maintain a performance management standard. (CC ID: 01615)
  • Establish and maintain a collection management program. (CC ID: 14013)
  • Perform automated processes according to business requirements. (CC ID: 14325)
  • Establish and maintain an accounting system. (CC ID: 08950)
  • Provide language analysis support, as necessary. (CC ID: 14084)
  • Establish and maintain a Service Level Agreement framework. (CC ID: 00839)
  • Establish and maintain a cost management program, as necessary. (CC ID: 13638)
  • Establish and maintain a change control program. (CC ID: 00886)
  • Establish and maintain a disability accessibility program. (CC ID: 06191)
  • Establish and maintain production process control procedures. (CC ID: 06209)
  • Document the organization's local environments. (CC ID: 06726)
  • Manage the creation of products and services, as necessary. (CC ID: 13497)
  • Establish and maintain a service catalog. (CC ID: 13634)
  • Introduce randomness into organizational operations and assets. (CC ID: 10650)
  • Conduct official proceedings, as necessary. (CC ID: 13836)


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • App 2-1 Item Number IV.1(2): The operational management rules must be based on the operation management design. This is a control item that constitutes a greater risk to financial information. This is an IT general control. App 2-1 Item Number IV.2(3): The organization must ensure operations are sta… (App 2-1 Item Number IV.1(2), App 2-1 Item Number IV.2(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Standard § I.1 ¶ 2: Management is required to design and effectively operate processes and ensure all internal controls are in place. Practice Standard § I.5(1): Management should ensure it properly understands the IT environment and uses IT effectively and efficiently. Practice Standard § III.… (Standard § I.1 ¶ 2, Practice Standard § I.5(1), Practice Standard § III.4(2)[2].B.b, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • O45: For head and branch offices and affiliated channels in retail stores and distribution outlets, the organization shall establish operational management methods for smooth operations and take precautions against illicit withdrawals to ensure the security of CDs/ATMs and unmanned branches. O45.2: … (O45, O45.2, T16, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The organization should develop a framework for managing risk that should cover the organization's appetite and tolerance for risk. (¶ 737, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • A data management review should be performed and should, at a minimum, consider the management of data. (App A.4 (Recommendations for Data Management), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The organization must ensure that all operations associated with the identified significant risks and consistent with the organizational resilience management policy, impact analysis, risk assessment, targets, and objectives are identified and planned to ensure they are being executed under specific… (§ 4.4.6, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Successful ICT. An organization should include the following activities within security management: Planning, Implementation, and Operations and maintenance. (§ 6.1, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Organizational personnel should review the implementation, configuration, and management of the system, infrastructure, and procedures to ensure they are consistent with the organization's privacy policies. If any inconsistencies are identified, they should be corrected in a timely manner. (ID 1.2.4, AICPA/CICA Privacy Framework)
  • Interview management and review the operations information request to identify: ▪ Any significant changes in business strategy or activities that could affect the operations environment; ▪ Any material changes in the audit program, scope, or schedule related to operations; ▪ Changes to interna… (Exam Tier I Obj 1.3, FFIEC IT Examination Handbook - Operations, July 2004)