Search results

  • ...t considers changes in the competitive environment, economies of scale for information systems staffing and investments, and improved interoperability of platform '''Risk Association Control Activities:'''<br> ...
    2 KB (351 words) - 17:03, 21 June 2006
  • '''PO 5.4 Cost Management'''<br> Implement a cost management process comparing actual costs to budgets. Costs should be monitored and re ...
    2 KB (303 words) - 18:29, 1 May 2006
  • '''DS 5.4 User Account Management'''<br> ...rmation are contractually arranged for all types of users. Perform regular management review of all accounts and related privileges.<br> ...
    6 KB (846 words) - 13:52, 4 May 2006
  • ...ools for operating, accessing and using the systems and services. Relevant information to consider is naming, version numbers and licensing details. A baseline of '''Rationale —''' Configuration management includes procedures such that security, availability and processing integri ...
    4 KB (506 words) - 18:44, 25 June 2006
  • ...nge standards that require a post-implementation review of the operational information system to assess and report on whether the change met customer requirements '''Risk Association Control Activities:'''<br> ...
    3 KB (394 words) - 11:59, 23 June 2006
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: In-House and or Package applications may not meet all business and applica ...
    6 KB (878 words) - 13:34, 23 June 2006
  • ==Security requirements of information systems== ...egory is to ensure that security is an integral part of the organization's information systems, and of the business processes associated with those systems.<br> ...
    9 KB (1,170 words) - 14:05, 22 May 2007
  • ...capacity forecasting of IT resources at regular intervals to minimize the risk of service disruptions due to insufficient capacity or performance degradat '''Risk Association Control Activities:'''<br> ...
    3 KB (490 words) - 13:42, 4 May 2006
  • ...deviations from expected performance should be identified, and appropriate management action should be initiated and reported.<br> '''Risk Association Control Activities:'''<br> ...
    2 KB (332 words) - 12:39, 4 May 2006
  • '''PO 10.1 Program Management Framework'''<br> '''Risk Association Control Activities:'''<br> ...
    2 KB (345 words) - 01:18, 2 May 2006
  • ...izing tasks, error tolerance mechanisms and resource allocation practices. Management should ensure that contingency plans properly address availability, capacit '''Risk Association Control Activities:'''<br> ...
    2 KB (284 words) - 14:37, 21 June 2006
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: Information security and business requirements may be compromised. Inaccurate results a ...
    3 KB (460 words) - 16:08, 21 June 2006
  • '''DS 5.8 Cryptographic Key Management '''<br> '''Risk Association Control Activities:'''<br> ...
    3 KB (413 words) - 19:02, 4 May 2006
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (333 words) - 16:42, 5 May 2006
  • ==PO 1.1 IT Value Management== ...including financial worth, the risk of not delivering a capability and the risk of not realizing the expected benefits.<br> ...
    6 KB (847 words) - 17:21, 25 April 2007
  • ...urable and predictable by users to encourage proper use of resources. User management should be able to verify actual usage and charging of services. '''Risk Association Control Activities:'''<br> ...
    2 KB (305 words) - 14:51, 5 May 2006
  • ...es and procedures (e.g., hiring, positive work environment and orienting). Management implements processes to ensure that the organization has an appropriately d '''Risk Association Control Activities:'''<br> ...
    2 KB (312 words) - 18:19, 3 May 2006
  • ...to create, implement, and maintain a best practice, risk management-based information security program.<br> ...to create, implement, and maintain a best practice, risk management-based Information Security Program.<br> ...
    5 KB (705 words) - 11:39, 30 May 2015
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: Third party processors create unacceptable control risks to the Company.'' ...
    2 KB (321 words) - 15:35, 25 June 2006
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: Business requirements are not met or inadequately tested. Systems produce ...
    4 KB (530 words) - 11:58, 23 June 2006
  • ::'''1. Risk: Up-to-date backups of programs and data may not be available when needed.' Determine if the management of third-party services has been assigned to appropriate individuals.<br> ...
    3 KB (335 words) - 14:05, 26 February 2007
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (296 words) - 17:59, 3 May 2006
  • The objective of this category is to manage information security within the organization's overall administrative structure.<br> ===Management commitment to information security=== ...
    8 KB (996 words) - 12:49, 22 May 2007
  • ...systems and processes used for those purposes. While focused dominantly on information in digital form, the full range of IA encompasses not only digital but also Information assurance as a field has grown from the practice of [[information security]] which in turn grew out of practices and procedures of [[computer ...
    7 KB (983 words) - 10:41, 15 April 2012
  • '''PO 2.1 Enterprise Information Architecture Model'''<br> ...bed in PO1. The model facilitates the optimal creation, use and sharing of information by the business and in a way that maintains integrity and is flexible, func ...
    2 KB (311 words) - 14:12, 1 May 2006
  • [[PO1.1:| 1.1 IT Value Management]]<br> [[PO1.6:| 1.6 IT Portfolio Management]]<br> ...
    4 KB (517 words) - 19:07, 14 June 2007
  • ...consider include validation against contractual terms, the organization’s information architecture, existing applications, interoperability with existing applica '''Rationale —''' Configuration management includes procedures such that security, availability and processing integri ...
    4 KB (501 words) - 18:24, 25 June 2006
  • '''ME 4.4 Resource Management'''<br> ...current and future strategic objectives and keep up with business demands. Management should put clear, consistent and enforced human resources policies and proc ...
    2 KB (329 words) - 13:34, 4 May 2006
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: Controls provide reasonable assurance that policies and procedures that de ...
    3 KB (432 words) - 12:23, 23 June 2006
  • '''Risk Association Control Activities:'''<br> ...ot meet business, compliance and regulatory needs of the business inducing risk.'''<br> ...
    5 KB (674 words) - 18:14, 21 June 2006
  • '''PO 6.3 IT Policies Management'''<br> '''Risk Association Control Activities:'''<br> ...
    3 KB (421 words) - 18:02, 23 June 2006
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: Conflicting access credential may violate confidentiality, privacy, or pos ...
    3 KB (382 words) - 18:02, 3 May 2006
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: Security and business continuity risks are introduced by technical designs ...
    4 KB (538 words) - 13:16, 23 June 2006
  • ...ication]] and [[accreditation]] (C&A) of a DoD IS that will maintain the [[information assurance]] (IA) posture throughout the [[Systems Development Life Cycle|sy ...DoDI 8500.2) as the primary set of security requirements for all automated information systems (AISs). The IA Controls are determined based on the system's [[mis ...
    2 KB (322 words) - 10:16, 15 April 2012
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: Development and maintenance of system with potential impact to financial r ...
    4 KB (583 words) - 12:06, 23 June 2006
  • ...ces the possibility for a single individual to subvert a critical process. Management also makes sure that personnel are performing only authorized duties releva ==Risk Association Control Activities:== ...
    4 KB (591 words) - 19:45, 14 June 2007
  • ...iew, basis for payment, warranties, arbitration procedures, human resource management and compliance with the organization’s policies.<br> '''Risk Association Control Activities:'''<br> ...
    2 KB (319 words) - 17:09, 3 May 2006
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: The transfer of programs into the live environment is not appropriately co ...
    2 KB (346 words) - 20:00, 23 June 2006
  • ...nce framework including leadership, processes, roles and responsibilities, information requirements, and organizational structures to ensure that the enterprise’s '''Risk Association Control Activities:'''<br> ...
    3 KB (397 words) - 13:28, 4 May 2006
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: Information security and business requirements may be compromised. Inaccurate results a ...
    6 KB (804 words) - 12:14, 23 June 2006
  • Assess the performance of the existing plans and information systems in terms of contribution to business objectives, functionality, sta '''Risk Association Control Activities:'''<br> ...
    4 KB (586 words) - 01:37, 1 May 2006
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    4 KB (544 words) - 17:11, 5 May 2006
  • '''DS 11.1 Business Requirements for Data Management '''<br> '''Risk Association Control Activities:'''<br> ...
    2 KB (244 words) - 17:51, 5 May 2006
  • ...d conditions of employment should stress the employee’s responsibility for information security, internal control and regulatory compliance. The level of supervis '''Risk Association Control Activities:'''<br> ...
    2 KB (329 words) - 19:26, 1 May 2006
  • ...aced the former process, known as '''DITSCAP''' ('''Department of Defense Information Technology Security Certification and Accreditation Process'''), in 2006. ...at will maintain the [[Information Assurance]] (IA) posture of the Defense Information Infrastructure (DII) throughout the [[Systems Development Life Cycle|system ...
    2 KB (229 words) - 10:14, 15 April 2012
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: Design and implementation of new applications may not be appropriately con ...
    3 KB (424 words) - 17:01, 21 June 2006
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    3 KB (377 words) - 18:52, 4 May 2006
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: Business requirements are not met or inadequately tested. Systems produce ...
    3 KB (365 words) - 19:02, 17 April 2007
  • ...ate security patches and virus control) across the organization to protect information systems and technology from malware (viruses, worms, spy-ware, spam, intern '''Risk Association Control Activities:'''<br> ...
    8 KB (1,177 words) - 19:00, 25 June 2006
  • ...sider include impact analysis, cost/benefit justification and requirements management.<br> '''Risk Association Control Activities:'''<br> ...
    3 KB (425 words) - 13:19, 23 June 2006
  • '''Federal Information Security Management Act (FISMA)''' ...the implementation of and compliance with the Federal Information Security Management Act including: ...
    9 KB (1,252 words) - 19:19, 19 April 2010
  • ::'''1. Risk: Without an adequate infrastructure, there is an increased risk that financial reporting applications will not be able to pass data between ...es in the business. When policies and procedures are changed, determine if management approves such changes. Select a sample of projects and determine that user ...
    3 KB (364 words) - 17:41, 21 June 2006
  • ...ess. Risk assessment is [[measurement|measuring]] two quantities of the [[risk]] ''R'', the magnitude of the potential loss ''L'', and the probability ''p :[[image:risk.jpg|thumb|400px|Risk]] ...
    10 KB (1,633 words) - 16:03, 22 December 2007
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (258 words) - 14:48, 5 May 2006
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (263 words) - 12:37, 4 May 2006
  • '''DS 11.3 Media Library Management System '''<br> '''Risk Association Control Activities:'''<br> ...
    3 KB (401 words) - 11:50, 28 March 2008
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    3 KB (363 words) - 16:53, 9 April 2007
  • '''DS 5.3 Identity Management'''<br> ...iness needs and job requirements. User access rights are requested by user management, approved by system owner and implemented by the security-responsible perso ...
    6 KB (870 words) - 18:08, 21 June 2006
  • '''PO 5.5 Benefit Management'''<br> ...ibution, appropriate actions should be defined and taken. Where changes in Information Technologies contribution impact the program, or where changes to other rel ...
    3 KB (475 words) - 13:09, 23 June 2006
  • Ensure that quality management focuses on customers by determining their requirements and aligning them to '''Risk Association Control Activities:'''<br> ...
    2 KB (273 words) - 20:01, 1 May 2006
  • ...s granted to some users increases the risk of accidental damage or loss of information and systems.<br> '''Risk exposures from internal users include:''' ...
    10 KB (1,327 words) - 12:54, 10 April 2007
  • =='''Vulnerability Management Standard'''== ...jectives for establishing specific standards on the assessment and ongoing management of vulnerabilities.<br> ...
    9 KB (1,122 words) - 14:12, 1 May 2010
  • ...demands. Enforce a disciplined approach to portfolio, program and project management, insisting that the business takes ownership of all IT-enabled investments '''Risk Association Control Activities:'''<br> ...
    3 KB (393 words) - 14:35, 21 June 2006
  • '''EVALUATION OF CONTROLS IN INFORMATION SYSTEMS (IS) QUESTIONNAIRE'''<br> ...estion. This can generally be achieved if the company involves an internal information systems auditor in the question answering process. Specific “Guidance Point ...
    8 KB (1,155 words) - 20:14, 25 June 2006
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (291 words) - 13:41, 6 March 2007
  • ...ssful resumption of the IT function after a disaster, determine whether IT management has established procedures for assessing the adequacy of the plan and updat '''Risk Association Control Activities:'''<br> ...
    2 KB (299 words) - 19:17, 22 June 2006
  • ..., so all stakeholders can take timely responsibility for the production of management, user and operational procedures, as a result of the introduction or upgrad '''Risk Association Control Activities:'''<br> ...
    2 KB (286 words) - 16:55, 3 May 2006
  • ...outsource the majority of their data processing, core processing, or other information technology systems or services are still expected to implement an appropria ...critical activities by the end of the business day could present systemic risk. The agencies believe that many, if not most, of the 15-20 major banks and ...
    5 KB (705 words) - 13:42, 30 May 2007
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (311 words) - 16:29, 1 May 2006
  • ...chnology - Security techniques - Code of practice for information security management''. ...ng or maintaining [[ISMS|Information Security Management Systems]] (ISMS). Information security is defined within the standard in the context of the [[CIA triad|C ...
    8 KB (1,111 words) - 10:30, 15 April 2012
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (279 words) - 14:17, 3 May 2006
  • * Review, negotiation and establishment of management responses.<br> '''Risk Association Control Activities:'''<br> ...
    2 KB (284 words) - 12:41, 4 May 2006
  • Prepare a quality management plan that describes the project quality system and how it will be implement '''Risk Association Control Activities:'''<br> ...
    2 KB (295 words) - 01:42, 2 May 2006
  • '''AI 5.2 Supplier Contract Management'''<br> '''Risk Association Control Activities:'''<br> ...
    2 KB (287 words) - 17:04, 3 May 2006
  • Set up formal change management procedures to handle in a standardized manner all requests (including maint ...ay provide invalid information, which could result in unreliable financial information and reports.<br> ...
    10 KB (1,393 words) - 14:28, 23 June 2006
  • ...development to testing to operations in line with the implementation plan. Management should require that system owner authorization be obtained before a new sys '''Risk Association Control Activities:'''<br> ...
    2 KB (302 words) - 17:57, 3 May 2006
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (294 words) - 18:25, 5 May 2006
  • '''Risk Association Control Activities:'''<br> * PCI.9.8: Ensure management approves all media that is moved from a secured area (especially when media ...
    2 KB (308 words) - 18:06, 5 May 2006
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (294 words) - 18:26, 5 May 2006
  • ::'''1. Risk: Incidents or problems affecting financial processes are not identified res ...T management has established procedures across the organization to protect information systems and technology from computer viruses. ...
    2 KB (279 words) - 19:02, 25 June 2006
  • ...itable for the roles for which they are considered, in order to reduce the risk of theft, fraud or misuse of facilities. ...ers should be defined and documented in accordance with the organization's information security policy.<br> ...
    10 KB (1,387 words) - 14:04, 22 May 2007
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (302 words) - 18:25, 5 May 2006
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (309 words) - 18:13, 1 May 2006
  • ::'''1. Risk: Information security and business requirements may be compromised. Inaccurate results a ...his systems development life cycle (SDLC) describes the stages involved in information system development projects, from an initial feasibility study through main ...
    3 KB (369 words) - 16:09, 21 June 2006
  • ::'''1. Risk: Information security and business requirements may be compromised. Inaccurate results a ...his systems development life cycle (SDLC) describes the stages involved in information system development projects, from an initial feasibility study through main ...
    3 KB (368 words) - 11:58, 22 June 2006
  • ...ntation, and intrusion detection) are used to authorize access and control information flows from and to networks. '''Risk Association Control Activities:'''<br> ...
    6 KB (781 words) - 12:31, 23 June 2006
  • '''Risk Association Control Activities:'''<br> ::'''1. Risk: Information security and business requirements may be compromised. Inaccurate results a ...
    6 KB (863 words) - 13:12, 23 June 2006
  • ::'''(A)''' providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosu :::'''(i)''' information collected or maintained by or on behalf of the agency; and<br> ...
    10 KB (1,576 words) - 12:50, 4 June 2010
  • ...tect the confidentiality, integrity, and availability of the institution’s information assets. All of the controls discussed so far, whether at the perimeters, n ...an be used. Data classification is the identification and organization of information according to its criticality and sensitivity. The classification is linked ...
    9 KB (1,246 words) - 18:20, 10 April 2007
  • ::'''3. Risk: lapses in the continuity of application systems may prevent an organizatio 1.Inquire as to the type of information that is used by management to determine the completeness and timeliness of system and data processing. ...
    2 KB (301 words) - 20:18, 25 June 2006
  • ...igence Directives.''' Protecting Special Access Program Information Within Information Systems policy excerpt: [[Media:JAFAN_6_3.pdf]]<br> :'''Avoid Session Management Pitfalls:''' [[Media:session-management-security.pdf]]<br> ...
    6 KB (839 words) - 16:22, 23 April 2007
  • ::'''(A)''' providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosu :::'''(i)''' information collected or maintained by or on behalf of the agency; and<br> ...
    11 KB (1,610 words) - 19:37, 3 June 2010
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (339 words) - 18:28, 1 May 2006
  • ...ly managed or system functionality is not delivered as required, financial information may not be processed as intended. '''Risk Association Control Activities:''' ...
    5 KB (666 words) - 15:23, 25 June 2006
  • '''(a)''' The Director shall oversee agency information security policies and practices, by—<br> :'''(1)''' promulgating information security standards under section 11331 of title 40;<br> ...
    3 KB (414 words) - 11:45, 4 June 2010
  • '''Risk Association Control Activities:'''<br> Insert remediation plan, applicability, or any information that indicates what needs to be done.<br> ...
    2 KB (332 words) - 18:24, 5 May 2006
  • ==FFIEC Information Technology Examination Handbook Executive Summary== ...ve effort of the FFIEC’s five member agencies, has replaced the 1996 FFIEC Information Systems Examination Handbook (1996 Handbook). ...
    15 KB (2,060 words) - 17:47, 15 June 2007
  • ==Transaction or Operations Risk== ...risk exists in each product and service offered. The level of transaction risk is affected by the structure of the institution’s processing environment, i ...
    11 KB (1,523 words) - 10:04, 28 April 2007
  • ...hanges to business processes, technology and skills are assessed. Business management, supported by the IT function, should assess the feasibility and alternativ '''Risk Association Control Activities:'''<br> ...
    2 KB (357 words) - 14:15, 3 May 2006
  • == Requirement 12: Maintain a policy that addresses information security. == ...cess that identifies threats, and vulnerabilities, and results in a formal risk assessment.]]<br> ...
    7 KB (988 words) - 19:11, 7 July 2006