From HORSE - Holistic Operational Readiness Security Evaluation.
Jump to navigation Jump to search

PO 1.1 IT Value Management

Control Objective:

Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programs that have solid business cases. Recognize that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of freedom in allocating funds. IT processes should provide effective and efficient delivery of the IT components of programs and early warning of any deviations from plan, including cost, schedule or functionality that might impact the expected outcomes of the programs. IT services should be executed against equitable and enforceable service level agreements. Accountability for achieving the benefits and controlling the costs is clearly assigned and monitored. Establish fair, transparent, repeatable and comparable evaluation of business cases including financial worth, the risk of not delivering a capability and the risk of not realizing the expected benefits.


NIST SP 800-66
Control Exception
User Defined

Risk Association Control Activities:


1. Risk: Information security and business requirements may be compromised. Inaccurate results are produced.
a. SOX.1.1 A formal, documented systems development methodology should be established and implemented by management. This systems development life cycle (SDLC) describes the stages involved in information system development projects, from an initial feasibility study through maintenance of the completed application. Verify that security, availability, and process integrity requirements are included.

Implementation Guide:

Obtain a copy of the organizations SDLC methodology. Review the methodology to determine if it addresses security, availability, and processing integrity requirements.

Consider whether there are appropriate steps to determine if these requirements are considered throughout the development or acquisition life cycle, e.g., security and availability and processing integrity should be considered during the requirements phase.

Process Narrative

The concept of Value relies on the relationship between the satisfaction of many differing needs and the resources used in doing so. The fewer the resources used or the greater the satisfaction of needs, the greater the value. Stakeholders, internal and external customers may all hold differing views of what represents value. The aim of Value Management is to reconcile these differences and enable an organization to achieve the greatest progress toward its stated goals with the use of minimum resources.

Process Illustration

Vm whatis2.gif

Control Commentary

Insert a description of the control that is applicable to the existing control statement this commentary refers to.

Control Exception Commentary

Insert a description of the control exception that is applicable to the existing control statement this commentary refers to.

Evidence Archive Location

Insert Evidence Description Here.

Control Status and Auditors Commentary

Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.


Remediation Plan

Insert remediation plan, applicability, or any information that indicates what needs to be done.

Supplemental Information:

ITIL 2.2 Information security from the business perspective.

An organization has formulated objectives. Business processes take place in an organization in order to achieve these objectives. In executing these processes, the organization becomes increasingly dependent on a well-functioning information supply. In other words organizations are increasingly dependent on IT services to meet their business needs. In this context, information security is not a goal in itself but a means of achieving the business objectives.

The way the information supply is organized depends on the type of organization and the nature of the products or services it delivers in support of its business processes. The organization collects data in order to make products or supply a service. The data is stored, processed and made available at the moment it is needed. Those people concerned have to be able to count on its integrity. And it is equally important to ensure that only those who are authorized to do so can gain access to this information. By the time it is needed, confidentiality, integrity, and availability should no longer be open to discussion. An organization must therefore organize the collection, storage, handling, processing and provision of data in such a way that these conditions are satisfied.

Information security exists to serve the interests of the business or organization. Not all information and not all information services are equally important to the organization. The level of information security has to be appropriate to the importance of the information. This ‘tailored security’ is achieved by finding a balance between the security measures and their associated costs on the one hand and, on the other, the value of the information and the risks in the processing environment. Security forms an important added value for an information system. Having the right security for an information system means that more tasks can be performed in an accountable and responsible manner.

Implementation guidance

Insert guidance in this section if it helps to elaborate upon the subject matter. Examples of evidence that would help guide the end user is desirable.