Communications and Operations Management:

From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

Operational Procedures and Responsibilities

The objective of this category is to ensure the correct and secure operation of information processing facilities.

Documented operating procedures

Operating procedures should be documented, maintained and made available to all users who need them.

Controls include:

  • Documentation of/for all significant system activities including start-up, close-down, back-up and maintenance
  • Treatment of such documentation as a formal organizational record, subject to appropriate change authorization, change tracking and archiving
  • Provision of appropriate security for such documentation, including distribution control (see also "security of system documentation" control)


Communications and Operations Management

Planning involves preparing for future activities by defining goals and the strategies used to achieve them. Information technology is an integral part of financial institution operations. Therefore, financial institutions should integrate IT resources and investments into the overall business planning process. Major investments in IT resources have long-term implications on both the delivery and performance of the institution’s products and services. Independent data centers also should plan effectively, so they can provide quality and cost effective service to client financial institutions. Institution management should monitor any changes in the current strategies and plans of independent data centers that provide services.

Plans may vary significantly depending on the size and structure of the organization. Every organization should strive to achieve a planning process that constantly adjusts for new risks or opportunities and maximizes the value of IT to the organization. Management should always document plans, however a written plan does not guarantee an effective planning process. Management should measure specific plans by whether they meet the organization's business needs. For all plans, the examiner should evaluate the process as well as the written product. A sound plan requires the board of directors, senior management, and user involvement in the planning process. The board of directors should review and approve the plan. Senior management participates in formulating and implementing the plan. The individual departments and functional areas identify specific business needs and, ultimately, implement the plans.

ISO 17799 defines Communications and Operations Management objectives to ensure the correct and secure operation of information processing facilities; minimize the risk of systems failures; protect the integrity of software and information; maintain the integrity and availability of information processing and communication; ensure the safeguarding of information in networks and the protection of the supporting infrastructure; prevent damage to assets and interruptions to business activities; and prevent loss, modification or misuse of information exchanged between organizations.

Strategic IT Planning

Strategic IT planning focuses on a three to five year horizon and helps ensure the institution’s technology plans are consistent or aligned with its business plans. If effective, strategic IT planning can ensure delivery of IT services that balance cost and efficiency while enabling the business units to meet the competitive demands of the marketplace.

Strategic planning should address long-term goals and the allocation of IT resources to achieve them. Tactical plans outline specific steps and timetables to achieve the strategic goals. These should include hardware and software architecture, end-user computing resources, and any processing done by outside vendors. The strategic plan should address the budget, periodic board reporting, and the status of risk management controls.

The board of directors and management should consider a number of factors when planning the institution’s use of technology, including:

  • Marketplace conditions
  • Customer demographics
  • Organizational growth targets
  • Technology standards
  • Regulatory requirements (e.g., privacy, security, consumer disclosures)
  • Cost containment
  • Process improvement and efficiency gains
  • Customer service and technology performance quality
  • Outsourcing vs. in-house expertise
  • Optimal infrastructure for the future
  • Ability to adopt and integrate new technology


All of these factors should also align with the organization’s business plans. Well-implemented technology plans provide the capability to deliver business value in terms of market share, earnings, and capital growth to the organization. The information technology steering committee’s cross-functional membership makes it well suited for balancing or aligning the organization’s IT investment with its strategic and operational objectives. In fact, effective steering committees will constantly work to align the organization’s information technology, both strategically and operationally with its business units. Typically, institutions that are better at keeping IT aligned with changing business goals and objectives are positioned to compete more effectively.

Some institutions will spend too aggressively on technology that business lines cannot fully utilize. Also, IT departments or business units can over invest in specific technology that provides inadequate enterprise-wide value, introduces new incompatibilities, or produces unnecessary excess capacity.

On the other hand, institutions can spend too conservatively and delay investments in infrastructure or new products that business lines need to compete and maintain market share and profits. In addition, business units without a full understanding of the available technology can fail to update processes and products or to achieve productivity gains or increased revenues. The lack of knowledge may also result in increased security risks. To create the appropriate balance, institutions should link strategic and operational plans between IT and the business units.

The four key factors of IT planning that management should address are:

  • Strong senior management participation - Executive management should understand and support the IT strategic plan and established priorities.
  • Role of IT - The institution needs to clarify IT’s role and whether the current IT planning process enables personnel to work towards achieving enterprise-wide goals and objectives.
  • Impact of IT - The steering committee should understand the relationship between the IT infrastructure and applications and the business strategic and operating plans. The IT infrastructure should directly support the goals and objectives of these plans.
  • Accurate scorecard on past performance - The steering committee should monitor past IT projects and initiatives after implementation to determine if the institution realized the anticipated costs and benefits. The scorecard should be based upon a set of objective measures.


The board should oversee management’s efforts to create and maintain an alignment between IT and corporate-wide strategies by:

  • Confirming IT strategic plans are aligned with the business strategy
  • Determining that IT performance supports the planned strategy
  • Ensuring the IT department is delivering on time, within budget, and to specification
  • Directing IT strategy to balance investments between systems that support current operations, and systems that transform operations and enable business lines to grow and compete in new areas
  • Focusing IT resource decisions on specific objectives such as entry into new markets, enhanced competitive position, revenue growth, improved customer satisfaction, or customer retention


This section provides templates for Information Security standards that are required to comply with ISO Communications and Operations Management objectives and support the objectives established in the Asset Protection Policy, Asset Management Policy, Vulnerability Assessment and Management Policy, and Threat Assessment and Monitoring Policy.

1. Sample Technical Protection Standards
These technical standards are required to comply with ISO Communications and Operations Management objectives and provide detailed best practices for configuring and hardening various technologies in accordance with the Asset Protection Policy.


2. Sample ISO Availability Protection Standard
The Availability Protection Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for protecting the availability of information assets.


3. Sample ISO Integrity Protection Standard
The Integrity Protection Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for protecting the integrity of sensitive information.


4. Sample ISO Encryption Standard
The Encryption Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for encrypting sensitive information.


5. Sample ISO Information Handling Standard
This Information Handling Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific instructions and requirements for handling information assets. These instructions address handling requirements for printed, electronically stored and electronically transmitted information.


6. Sample ISO Configuration Management Standard
The Configuration Management Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Management Policy by providing specific instructions and requirements for establishing and maintaining baseline protection standards for Company network devices, servers, and desktops.


7. Sample ISO Change Control Standard
The Change Control Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Management Policy by providing specific instructions and requirements for following approved processes and procedures that ensure only authorized updates and changes are implemented in the production environment.


8. Sample ISO Vulnerability Assessment Standard
The Vulnerability Assessment Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Vulnerability Assessment and Management Policy by providing specific instructions and requirements for assessing and prioritizing vulnerabilities.


9. Sample ISO Vulnerability Management Standard
The Vulnerability Management Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Vulnerability Assessment and Management Policy by providing specific instructions and requirements for "closed-loop" vulnerability management activities including vulnerability mitigation, information review and analysis, as well as metrics tracking and reporting.


10. Sample ISO Threat Assessment Standard
The Threat Assessment Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Threat Assessment and Monitoring Policy by providing specific requirements for periodically identifying, analyzing and prioritizing threats to information assets.


11. Sample ISO Incident Response Standard
The Incident Response Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Threat Assessment and Monitoring Policy by providing specific requirements for developing and exercising formal plans, and associated metrics, for responding to security incidents and intrusions.

Operational IT Planning

Operational plans should flow logically from the strategic plan. Management should review and revise them at least annually. Operational planning focuses on short-term actions and incorporates the annual budget process. Management should reference the strategic plans and adjust operational plans based on changes in the underlying business needs.

Operational planning addresses the near-term support for business operations. Specifically, operational planning focuses on immediate concerns such as adequate IT resources, sufficient budget, and appropriate risk identification.

IT Resources

Management should ensure that IT resources are adequate to meet the current operational needs of the organization. Operational planning should consider the adequacy of IT resources and the impact of any changes on critical business processes. Business processes are the integration of people, technology, and procedures used to accomplish a task or complete a transaction. Changes in business processes require coordination or alignment with the available IT resources.

IT resources that require management coordination include:

  • Infrastructure - power, telecommunications capacity, network architecture, and facilities.
  • Applications software - includes changes in software used to provide financial services and products, because of competition, market forces, and changing regulations. These changes may require enhancements to, or replacements of, application software for mainframe, midrange, servers and end-user computing systems.
  • Operating software - operating systems, compilers, and utilities designed to enable the equipment and applications software to function effectively. Changes in this area can have a major impact on hardware and software specifications.
  • Hardware - includes mainframes, network servers, personal computers, communications networks, storage devices, and peripherals. Planning should ensure the mainframe, midrange servers and end-user computing equipment have sufficient capacity to meet current needs and future growth. For example, planning may indicate that economically it is impractical to add new mainframe equipment. Rather, it may be appropriate to allow a department to purchase a midrange system to operate independently of the main data center.
  • Personnel - includes issues associated with staff changes, scheduling requirements, training, and compensation. For example, management should consider whether inadequate salaries could cause high employee turnover and create a lack of adequate expertise or, if excessive, salaries could suppress earnings.

Budgeting

Budgeting is another step in the operational planning process. The board should assess management's plans and its success in defining and meeting budgetary goals as one means of evaluating the performance of the data processing and operations management. The budget is a coordinated financial plan used to estimate and control the organization's activities. By assessing future economic developments and conditions, management creates an action plan and records changes in the balance sheet accounts and profitability (predicated on implementation of the plan). The budget not only projects expected results, but also serves as an important check on management.

Management, when considering new technology projects, should look at the entry costs of the technology and the post implementation support costs. Increasingly institutions are demanding, and vendors are providing, information regarding the total cost of ownership (TCO) beyond the initial entry costs. Technology projects often have undocumented costs including the resources required to configure, maintain, repair, support, upgrade, and manage the technology over its lifetime. Readily available TCO models, as well as historical data, provide management with tools to incorporate these hidden costs into the selection and budgeting process.

Some institutions budget IT as a separate department of the institution. A financial analysis of an IT department should include a comparison of the cost-effectiveness of the in-house operation versus contracting with an outside servicer. It may also include a peer group comparison of operating costs and ratios with a peer group of institutions. Depending upon its size and complexity, the institution may or may not allocate costs to the user departments. Where cost allocation exists, management should ensure equitable assignment of the costs to each user department. This is often accomplished by use of a chargeback system that records usage of resources based upon a performance metric such as Central Processing Unit (CPU) cycles. In some instances, a separate subsidiary of the holding company manages the IT function. Ideally, an IT subsidiary of a holding company should have a positive affect on consolidated earnings performance. It can provide essential services at costs below external providers or individual financial institutions. However, some relationships may not result in a cost savings. To avoid a preferential arrangement with an affiliate, the contracts between the holding company or its subsidiary and the serviced financial institutions should ensure "arms-length" transactions. Institution management should assess these relationships to ensure they are fair and equitable to all parties.

References

ISO-27002:2005 10.1.1
ISO-27002:2005 10.1.2
ISO-27002:2005 10.1.3
ISO-27002:2005 10.1.4
ISO-27002:2005 10.2.1
ISO-27002:2005 10.2.2
ISO-27002:2005 10.2.3
ISO-27002:2005 10.3.1
ISO-27002:2005 10.3.2
ISO-27002:2005 10.4.1
HIPAA 164.308(a)(5)
ISO-27002:2005 10.4.2
ISO-27002:2005 10.5.1
HIPAA 164.308(a)(7)(ii)(A-B)
HIPAA 164.310(d)(1)
ISO-27002:2005 10.6.1
HIPAA 164.312(e)(2)(ii)
ISO-27002:2005 10.6.2
HIPAA 164.312(e)(2)(ii)
ISO-27002:2005 10.7.1
HIPAA 164.310(d)(1)
ISO-27002:2005 9.2.6
ISO-27002:2005 10.7.2
HIPAA 164.310(d)(1)
ISO-27002:2005 10.7.3
ISO-27002:2005 10.7.4
ISO-27002:2005 10.8.1
ISO-27002:2005 10.8.2
ISO-27002:2005 10.8.3
ISO-27002:2005 10.8.4
ISO-27002:2005 10.8.5
ISO-27002:2005 10.9.1
ISO-27002:2005 10.9.2
ISO-27002:2005 10.9.3
ISO-27002:2005 10.10.1
HIPAA 164.312(b)
ISO-27002:2005 10.10.2
HIPAA 164.308(a)(1)(ii)(D)
ISO-27002:2005 10.10.3
ISO-27002:2005 10.10.4
ISO-27002:2005 10.10.5
ISO-27002:2005 10.10.6

See Also

  • ISO 17799/27002 - Code of Practice for Information Security Management.