PO1.1:

From HORSE - Holistic Operational Readiness Security Evaluation.
Revision as of 12:38, 21 June 2006 by Mdpeters (talk | contribs)
Jump to navigation Jump to search

PO 1.1 IT Value Management

Control Objective:

Work with the business to ensure that the enterprise portfolio of IT-enabled investments contains programs that have solid business cases. Recognize that there are mandatory, sustaining and discretionary investments that differ in complexity and degree of freedom in allocating funds. IT processes should provide effective and efficient delivery of the IT components of programs and early warning of any deviations from plan, including cost, schedule or functionality that might impact the expected outcomes of the programs. IT services should be executed against equitable and enforceable service level agreements. Accountability for achieving the benefits and controlling the costs is clearly assigned and monitored. Establish fair, transparent, repeatable and comparable evaluation of business cases including financial worth, the risk of not delivering a capability and the risk of not realizing the expected benefits.

Applicability:

Sarbanes-Oxley
HIPAA
GLBA
PCI
FISMA
NIST SP 800-66
Ditscap
Control Exception
User Defined


Risk Association Control Activities:


1. Risk: Information security and business requirements may be compromised. Inaccurate results are produced.
a. SOX.1.1.1: A formal, documented systems development methodology should be established and implemented by management. This systems development life cycle (SDLC) describes the stages involved in information system development projects, from an initial feasibility study through maintenance of the completed application. Verify that security, availability, and process integrity requirements are included.


Implementation Guide:
Confirm that the organization has policies and procedures that are reviewed and updated regularly for changes in the business. When policies and procedures are changed, determine if management approves such changes. Select a sample of projects and determine that user reference and support manuals, systems documentation and operations documentation were prepared.

Consider whether drafts of these manuals were incorporated in user acceptance testing. Determine whether any changes to proposed controls resulted in documentation updates.

Process Narrative
Insert a description of the process narration that is applicable to the existing control statement this narrative refers to.

Process Illustration
Insert a process diagram, flowchart or other visual representation here to illustrate the process narrative.

File:Someimage.jpg

Control Commentary
Insert a description of the control that is applicable to the existing control statement this commentary refers to.

Control Exception Commentary
Insert a description of the control exception that is applicable to the existing control statement this commentary refers to.

Evidence Archive Location
Insert Evidence Description Here.

Control Status and Auditors Commentary
Describe the condition of the applicable control and its effectiveness. Set the color icon to a redlock.jpg, yellowlock.jpg or greenlock.jpg.

File:Redlock.jpg

Remediation Plan
Insert remediation plan, applicability, or any information that indicates what needs to be done.

Supplemental Information:
ITIL 2.2 Information security from the business perspective.

An organization has formulated objectives. Business processes take place in an organization in order to achieve these objectives. In executing these processes, the organization becomes increasingly dependent on a well-functioning information supply. In other words organizations are increasingly dependent on IT services to meet their business needs. In this context, information security is not a goal in itself but a means of achieving the business objectives.

The way the information supply is organized depends on the type of organization and the nature of the products or services it delivers in support of its business processes. The organization collects data in order to make products or supply a service. The data is stored, processed and made available at the moment it is needed. Those people concerned have to be able to count on its integrity. And it is equally important to ensure that only those who are authorized to do so can gain access to this information. By the time it is needed, confidentiality, integrity, and availability should no longer be open to discussion. An organization must therefore organize the collection, storage, handling, processing and provision of data in such a way that these conditions are satisfied.

Information security exists to serve the interests of the business or organization. Not all information and not all information services are equally important to the organization. The level of information security has to be appropriate to the importance of the information. This ‘tailored security’ is achieved by finding a balance between the security measures and their associated costs on the one hand and, on the other, the value of the information and the risks in the processing environment. Security forms an important added value for an information system. Having the right security for an information system means that more tasks can be performed in an accountable and responsible manner.

Implementation guidance
Insert guidance in this section if it helps to elaborate upon the subject matter. Examples of evidence that would help guide the end user is desirable.

Retrieved from "http://horseproject.wiki/index.php?title=PO1.1:&oldid=1893"