PO1.3:
PO 1.3 Assessment of Current Performance
Control Objective:
Assess the performance of the existing plans and information systems in terms of contribution to business objectives, functionality, stability, complexity, costs, strengths and weaknesses.
Applicability:
- Sarbanes-Oxley
- HIPAA
- GLBA
- PCI
- FISMA
- NIST SP 800-66
- Ditscap
- Control Exception
- User Defined
Risk Association Control Activities:
Implementation Guide:
Process Narrative
Insert a description of the process narration that is applicable to the existing control statement this narrative refers to.
Process Illustration
Insert a process diagram, flowchart or other visual representation here to illustrate the process narrative.
File:Someimage.jpg
Control Commentary
Insert a description of the control that is applicable to the existing control statement this commentary refers to.
Control Exception Commentary
Insert a description of the control exception that is applicable to the existing control statement this commentary refers to.
Evidence Archive Location
Insert Evidence Description Here.
Control Status and Auditors Commentary
Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.
File:Redlock.jpg
Remediation Plan
Insert remediation plan, applicability, or any information that indicates what needs to be done.
Supplemental Information:
ISO 17799 10.3.1: The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.
- Implementation guidance:
- Implementation guidance:
- For each new and ongoing activity, capacity requirements should be identified. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems.
- For each new and ongoing activity, capacity requirements should be identified. System tuning and monitoring should be applied to ensure and, where necessary, improve the availability and efficiency of systems.
- Detective controls should be put in place to indicate problems in due time.
- Detective controls should be put in place to indicate problems in due time.
- Projections of future capacity requirements should take account of new business and system requirements and current and projected trends in the organization's information processing capabilities.
- Projections of future capacity requirements should take account of new business and system requirements and current and projected trends in the organization's information processing capabilities.
- Particular attention needs to be paid to any resources with long procurement lead times or high costs; therefore managers should monitor the utilization of key system resources. They should identify trends in usage, particularly in relation to business applications or management information system tools. Managers should use this information to identify and avoid potential bottlenecks and dependence on key personnel that might present a threat to system security or services, and plan appropriate action.
- Particular attention needs to be paid to any resources with long procurement lead times or high costs; therefore managers should monitor the utilization of key system resources. They should identify trends in usage, particularly in relation to business applications or management information system tools. Managers should use this information to identify and avoid potential bottlenecks and dependence on key personnel that might present a threat to system security or services, and plan appropriate action.
ISO 17799 10.10.5 Errors should be logged, analyzed, and appropriate action taken.
- Errors reported by users or by system programs related to problems with information processing or communications systems should be logged. There should be clear rules for handling reported errors including.
- Errors reported by users or by system programs related to problems with information processing or communications systems should be logged. There should be clear rules for handling reported errors including.
- Review of error logs to ensure that errors have been satisfactorily resolved.
- Review of error logs to ensure that errors have been satisfactorily resolved.
- Review of corrective measures to ensure that controls have not been compromised, and that the action taken is fully authorized.
- Review of corrective measures to ensure that controls have not been compromised, and that the action taken is fully authorized.
- Logging of errors and errors can impact the performance of a system. Such logging should be enabled by competent personnel, and the level of logging required for individual systems should be determined by a risk assessment, taking performance degradation into account.
- Logging of errors and errors can impact the performance of a system. Such logging should be enabled by competent personnel, and the level of logging required for individual systems should be determined by a risk assessment, taking performance degradation into account.
ITIL The Business Perspective.
ITIL Business/IS Alignment.
ITIL 4.5 Establishing the IS direction ICT Infrastructure Management, Design and Planning.
ITIL 2.5 The process and deliverables of strategic planning.
Implementation guidance
Insert guidance in this section if it helps to elaborate upon the subject matter. Examples of evidence that would help guide the end user is desirable.