Revision as of 18:03, 16 April 2007
Communications and Operations Management
Planning involves preparing for future activities by defining goals and the strategies used to achieve them. Information technology is an integral part of financial institution operations. Therefore, financial institutions should integrate IT resources and investments into the overall business planning process. Major investments in IT resources have long-term implications on both the delivery and performance of the institution’s products and services. Independent data centers also should plan effectively, so they can provide quality and cost effective service to client financial institutions. Institution management should monitor any changes in the current strategies and plans of independent data centers that provide services.
Plans may vary significantly depending on the size and structure of the organization. Every organization should strive to achieve a planning process that constantly adjusts for new risks or opportunities and maximizes the value of IT to the organization. Management should always document plans; however, a written plan does not guarantee an effective planning process. Management should measure specific plans by whether they meet the organization's business needs. For all plans, the examiner should evaluate the process as well as the written product. A sound plan requires the board of directors, senior management, and user involvement in the planning process. The board of directors should review and approve the plan. Senior management participates in formulating and implementing the plan. The individual departments and functional areas identify specific business needs and, ultimately, implement the plans.
ISO 17799 defines Communications and Operations Management objectives to ensure the correct and secure operation of information processing facilities; minimize the risk of systems failures; protect the integrity of software and information; maintain the integrity and availability of information processing and communication; ensure the safeguarding of information in networks and the protection of the supporting infrastructure; prevent damage to assets and interruptions to business activities; and prevent loss, modification or misuse of information exchanged between organizations.
Strategic IT Planning
Strategic IT planning focuses on a three to five year horizon and helps ensure the institution’s technology plans are consistent or aligned with its business plans. If effective, strategic IT planning can ensure delivery of IT services that balance cost and efficiency while enabling the business units to meet the competitive demands of the marketplace.
Strategic planning should address long-term goals and the allocation of IT resources to achieve them. Tactical plans outline specific steps and timetables to achieve the strategic goals. These should include hardware and software architecture, end-user computing resources, and any processing done by outside vendors. The strategic plan should address the budget, periodic board reporting, and the status of risk management controls.
The board of directors and management should consider a number of factors when planning the institution’s use of technology, including:
- Marketplace conditions
- Customer demographics
- Organizational growth targets
- Technology standards
- Regulatory requirements (e.g., privacy, security, consumer disclosures)
- Cost containment
- Process improvement and efficiency gains
- Customer service and technology performance quality
- Outsourcing vs. in-house expertise
- Optimal infrastructure for the future
- Ability to adopt and integrate new technology
All of these factors should also align with the organization’s business plans. Well-implemented technology plans provide the capability to deliver business value in terms of market share, earnings, and capital growth to the organization. The information technology steering committee’s cross-functional membership makes it well suited for balancing or aligning the organization’s IT investment with its strategic and operational objectives. In fact, effective steering committees will constantly work to align the organization’s information technology, both strategically and operationally, with its business units. Typically, institutions that are better at keeping IT aligned with changing business goals and objectives are positioned to compete more effectively.
Some institutions will spend too aggressively on technology that business lines cannot fully utilize. Also, IT departments or business units can overinvest in specific technology that provides inadequate enterprise-wide value, introduces new incompatibilities, or produces unnecessary excess capacity.
On the other hand, institutions can spend too conservatively and delay investments in infrastructure or new products that business lines need to compete and maintain market share and profits. In addition, business units without a full understanding of the available technology can fail to update processes and products or to achieve productivity gains or increased revenues. The lack of knowledge may also result in increased security risks. To create the appropriate balance, institutions should link strategic and operational plans between IT and the business units.
The four key factors of IT planning that management should address are:
- Strong senior management participation - Executive management should understand and support the IT strategic plan and established priorities.
- Role of IT - The institution needs to clarify IT’s role and whether the current IT planning process enables personnel to work towards achieving enterprise-wide goals and objectives.
- Impact of IT - The steering committee should understand the relationship between the IT infrastructure and applications and the business strategic and operating plans. The IT infrastructure should directly support the goals and objectives of these plans.
- Accurate scorecard on past performance - The steering committee should monitor past IT projects and initiatives after implementation to determine if the institution realized the anticipated costs and benefits. The scorecard should be based upon a set of objective measures.
The board should oversee management’s efforts to create and maintain an alignment between IT and corporate-wide strategies by:
- Confirming IT strategic plans are aligned with the business strategy
- Determining that IT performance supports the planned strategy
- Ensuring the IT department is delivering on time, within budget, and to specification
- Directing IT strategy to balance investments between systems that support current operations, and systems that transform operations and enable business lines to grow and compete in new areas
- Focusing IT resource decisions on specific objectives such as entry into new markets, enhanced competitive position, revenue growth, improved customer satisfaction, or customer retention
This section provides templates for Information Security standards that are required to comply with ISO Communications and Operations Management objectives and support the objectives established in the Asset Protection Policy, Asset Management Policy, Vulnerability Assessment and Management Policy, and Threat Assessment and Monitoring Policy.
1. Sample Technical Protection Standards
   These technical standards are required to comply with ISO Communications and Operations Management objectives and provide detailed best practices for configuring and hardening various technologies in accordance with the Asset Protection Policy.
2. Sample ISO Availability Protection Standard
   The Availability Protection Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for protecting the availability of information assets.
3. Sample ISO Integrity Protection Standard
   The Integrity Protection Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for protecting the integrity of sensitive information.
4. Sample ISO Encryption Standard
   The Encryption Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific requirements for encrypting sensitive information.
5. Sample ISO Information Handling Standard
   This Information Handling Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Protection Policy by providing specific instructions and requirements for handling information assets. These instructions address handling requirements for printed, electronically stored, and electronically transmitted information.
6. Sample ISO Configuration Management Standard
   The Configuration Management Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Management Policy by providing specific instructions and requirements for establishing and maintaining baseline protection standards for Company network devices, servers, and desktops.
7. Sample ISO Change Control Standard
   The Change Control Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Asset Management Policy by providing specific instructions and requirements for following approved processes and procedures that ensure only authorized updates and changes are implemented in the production environment.
8. Sample ISO Vulnerability Assessment Standard
   The Vulnerability Assessment Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Vulnerability Assessment and Management Policy by providing specific instructions and requirements for assessing and prioritizing vulnerabilities.
9. Sample ISO Vulnerability Management Standard
   The Vulnerability Management Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Vulnerability Assessment and Management Policy by providing specific instructions and requirements for "closed-loop" vulnerability management activities, including vulnerability mitigation, information review and analysis, and metrics tracking and reporting.
10. Sample ISO Threat Assessment Standard
   The Threat Assessment Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Threat Assessment and Monitoring Policy by providing specific requirements for periodically identifying, analyzing, and prioritizing threats to information assets.
11. Sample ISO Incident Response Standard
   The Incident Response Standard is required to comply with ISO Communications and Operations Management objectives and builds on the objectives established in the Threat Assessment and Monitoring Policy by providing specific requirements for developing and exercising formal plans, and associated metrics, for responding to security incidents and intrusions.