| DisplayName | Description | ID | Type |
|---|---|---|---|
| Log Access Limitation | Objective: Configure log files so that they can be accessed only by authorized personnel. Example: Failure to control access to system, application, and other logs might result in unauthorized access to sensitive information and unauthorized discovery of process. The Windows operating system allows the configuration of log files to control who can access the files. | ID_01fe6d3d_33cc_4625_893a_0a8665b52a30 | System.Compliance.ControlObjectiveProjection |
| Controls Management | Controls Management | ID_04472e7a_ea43_4028_a81c_e251d3e3d532 | System.Compliance.CategoryProjection |
| System Defaults | Objective: Configure software systems to change default vendor authentication values, remove unnecessary features, and remove vendor-provided documentation. Example: Failure to properly configure vendor software might result in unauthorized access through default vendor accounts and passwords, exposure to attack through unnecessary features, and unauthorized discovery of software functionality or configuration through exposed documentation. | ID_05348b6e_62c3_4930_af35_b8999fc0000a | System.Compliance.ControlObjectiveProjection |
| Nonrepudiation | Nonrepudiation | ID_0685b08d_cd88_45fc_aef4_4ea2b4ebbbb9 | System.Compliance.CategoryProjection |
| Change and Configuration Management | Change and Configuration Management | ID_06f53b1c_74ea_4784_8708_e8780a05350e | System.Compliance.CategoryProjection |
| Record Request | Objective: Manage the customer service request initial contact by recording the user’s contact information and the details of the user’s situation. Example: Failure to properly manage the customer's service request could affect the quality, completeness, and efficiency for arriving at a successful resolution. | ID_088babac_6ae2_4fa3_a978_0d4a2941fe61 | System.Compliance.ControlObjectiveProjection |
| Validate and Review | Objective: Manage the validation and review of a change by validating the technical and business success or failure of the change, auditing the configuration database, communicating and recording the change, updating, and closing the request for change (RFC). Example: Failure to properly manage the validation and review of a change may result in inaccurate metrics, unrecognized problems, inaccurate configuration data, lack of awareness, and incorrect RFC information. | ID_08b5983b_9945_4c14_81b9_333922030be6 | System.Compliance.ControlObjectiveProjection |
| Service Maps | Objective: Manage the IT service portfolio so that business functions are mapped to corresponding IT services. Example: Failure to properly manage the IT service portfolio can result in redundant and wasteful consumption of resources and unneeded technological complexity. | ID_0cdc4060_b323_4033_90a2_ecddbf49a86f | System.Compliance.ControlObjectiveProjection |
| Account Lock | Objective: Configure accounts to lock if repeated unauthorized actions occur. Example: Failure to lock accounts that engage in repeated unauthorized actions might result in password discovery and unauthorized access to assets and sensitive data. The Windows operating system allows for centralized configuration and enforcement of account lock conditions within Group Policy. | ID_0e6081d3_2a14_48d9_ab7c_e0446f14993b | System.Compliance.ControlObjectiveProjection |
| Software Development Lifecycle Metrics | Objective: Regularly produce metrics from the software development lifecycle to correct and improve associated processes. | ID_0f78a1c7_3263_4970_9013_46edaed4555a | System.Compliance.ControlObjectiveProjection |
| Filter Problem | Objective: Filter problems by evaluating whether a problem record has already been created and determining the business justification for researching the problem. Example: Failure to filter problems may result in unnecessary or undesired effort being expended in researching and reproducing a problem. | ID_0fd6dd40_2d29_46bb_ade3_bd7bf91bd649 | System.Compliance.ControlObjectiveProjection |
| Security Architecture | The organization will maintain a process to partition environments for separate business purposes. For example, sensitive information will be separate from non-sensitive information, and hosted information for clients will be separated from both other clients and internal environments. | ID_10176eaf_1e00_4e71_b2ad_059b0d5be9bf | System.Compliance.ControlObjectiveProjection |
| Manage Demand and Business Requests | Objective: Manage demand to ensure that services address appropriate business needs by evaluating new requests, capturing current service usage and demand, identifying and validating future trends, and analyzing demand and requests. Example: Failure to properly manage the demand for an IT organization’s services could affect the ability to provide appropriate services in a reliable fashion. | ID_10f28788_add3_410b_9ebd_6c89a782d29a | System.Compliance.ControlObjectiveProjection |
| Protocol Configuration | Objective: Configure assets that are connected to networks so that only authorized communications protocols are enabled. Example: Failure to manage communications protocols might result in unauthorized discovery of data that traverses the network, including but not limited to authorization values (for example, passwords and keys) and sensitive data (for example, personal information and credit card numbers). The Windows operating system allows protocols to be enabled and disabled through Group Policy. | ID_10fd0925_e966_4753_9a20_aba79e65a276 | System.Compliance.ControlObjectiveProjection |
| Risk and Vulnerability Assessment Process | Objective: Develop and maintain the organization's risk and vulnerability assessment process. Example: Failure to maintain a risk and vulnerability assessment process affects the ability of the organization to analyze the environment, workflows, software, hardware, and other assets for risks. | ID_11851614_476f_4f36_994c_fd6a71682b93 | System.Compliance.ControlObjectiveProjection |
| Continually Monitor | Objective: Continuously monitor by receiving notifications, analyzing each event, and solving or escalating the event. Example: Failure to continuously monitor the service could leave the project unaware of significant events or trends in events, and could result in failure to solve or escalate the event. | ID_12a2b15a_21b8_4785_b698_012573892b8e | System.Compliance.ControlObjectiveProjection |
| Implementation Phase | Objective: Develop and perform static analysis against software using only defined functions, APIs, and tools. | ID_14085b00_593a_4e32_b163_bce7b230a0ed | System.Compliance.ControlObjectiveProjection |
| Financial Management | Financial Management | ID_1676091f_c55b_4d83_8e07_1fb0dac797b9 | System.Compliance.CategoryProjection |
| Third Party Risk Management | Objective: Develop and maintain the organization's third-party risk management process. Example: Failure to maintain a third-party risk scoring process affects the ability of the organization to hold third parties accountable to applicable GRC requirements. | ID_16e25ea7_c4d8_4ffa_9ba4_2e3549ea5cd1 | System.Compliance.ControlObjectiveProjection |
| Log Management | Log Management | ID_181eb5ff_93be_42cd_8e08_9f00aa8d8c03 | System.Compliance.CategoryProjection |
| Session Configuration | Objective: Configure user sessions to enforce uniqueness and duration requirements and to ensure that such sessions originate only from authorized locations. Example: Failure to control user sessions could result in session hijacking, duplicate sessions on the same asset, duplicate sessions within assets involved in sensitive transactions, unauthorized use of multiple sessions, or sessions that are instantiated from unauthorized locations. | ID_19297144_436e_4873_b70e_13a3f7433cea | System.Compliance.ControlObjectiveProjection |
| HR Awareness and Training | HR Awareness and Training | ID_1a60119a_4601_4a4c_bb49_4e65fe7bded9 | System.Compliance.CategoryProjection |
| Encryption Configuration | Objective: Manage encryption algorithms in a secure manner. Example: Failure to manage encryption algorithms might result in the use of "broken" or otherwise compromised algorithms within critical services (for example, authentication, remote connectivity, and encrypted data storage) and transactions (for example, financial transactions). | ID_1c279b2b_c0b8_4b87_a09b_3583b4f9d006 | System.Compliance.ControlObjectiveProjection |
| IT Security Management | IT Security Management | ID_1ce05ca8_d834_4965_8b04_d42a5999c74c | System.Compliance.CategoryProjection |
| Comply with Contractual Obligations | Objective: Comply with all contractual obligations that, directly or indirectly, impact the organization's information assets, including but not limited to those obligations imposed by non-disclosure, confidentiality, and third party agreements. Example: Failure to comply with all contractual obligations could lead to sanctions for breach of contract, loss of revenue, and brand damage. | ID_1ce8a3d9_d238_4c65_910e_656710a9095f | System.Compliance.ControlObjectiveProjection |
| Stabilization Management Process | Objective: Manage the stabilization of developed services. Stabilization involves incorporating feedback and resolving bugs against developed solutions prior to deployment. Example: Failure to properly manage stabilization processes may result in improperly tested solutions, resulting in bugs or other undesired behavior within released solutions. | ID_1e46cac0_7f1c_45d0_bd26_32012ea3003d | System.Compliance.ControlObjectiveProjection |
| Release Readiness Milestone Review | Objective: Approve the milestone by having customers and users, operations and support personnel, and key project stakeholders evaluate the solution and identify any remaining issues that must be addressed before deployment. Example: Failure to review and approve the developed solution for deployment could impact the solution by allowing into production an inadequate solution that does not fully meet expected user, operations, and support requirements. | ID_1ec15259_4f3b_4c10_ac88_fa0495de1d35 | System.Compliance.ControlObjectiveProjection |
| Virus and Malware Protection | Objective: Configure assets to be resistant against attack by virus, malware, and other forms of scripted or coded attack. Example: Failure to prevent virus and malware code from entering the environment might result in system instability, system compromise, and loss of sensitive information. Organizations typically maintain robust antivirus and anti-malware solutions that interact with operating systems to prevent execution of unauthorized code. | ID_20a6f4c6_3547_4c8a_bc5f_0bc9b09b3f48 | System.Compliance.ControlObjectiveProjection |
| Establish IT Governance | Objective: Establish IT governance by setting vision, aligning IT to the business, and creating policy. Example: Failure to establish IT governance could affect the value and agility of IT and the business by inhibiting decision making, acting in ignorance of regulatory requirements, and having no or inappropriate policy. | ID_20d6ea01_28b0_4d35_a3cd_41f61aa15a5e | System.Compliance.ControlObjectiveProjection |
| Policy Resourcing | Objective: Ensure resources are available to implement organizational policies, standards, and procedures. Example: Failure to provide adequate resources to implement organizational policies, standards, and procedures increases the chances that the unfunded policies, standards, or procedures will not be implemented. | ID_213c9286_307c_445b_bcd1_e66320d9674f | System.Compliance.ControlObjectiveProjection |
| Service Level Management | Objective: Manage IT service levels so that ongoing requirements, communications, and expectations between business and IT are proactively addressed and that internal IT dependencies and expectations are being addressed. Example: Failure to properly manage IT service levels could affect business performance, compliance, and application of IT resources and investments. | ID_229bb4aa_24f5_44cc_b5ec_9a2a9503b7f1 | System.Compliance.ControlObjectiveProjection |
| Encryption and Key Management | Encryption and Key Management | ID_230ac5f8_6319_4c3e_85c2_d5edda7f93bd | System.Compliance.CategoryProjection |
| Align Responsibilities | Objective: Align responsibilities by mapping responsibilities in terms of who is responsible for each piece of work to be done and who is accountable for that work. Example: Failure to align responsibilities may affect the ability of the organization to accomplish work and maintain accountability. | ID_2486bf3c_b3c1_4c33_bc42_b7b58ac2ba3b | System.Compliance.ControlObjectiveProjection |
| Review the Deployment | Objective: Approve the deployment milestone by reviewing and agreeing that the project team has fully disengaged and transferred the solution to permanent personnel, and that the post-project analysis documentation and the project close-out reporting are complete and document lessons learned and best practices. Example: Failure to review and approve the state of the solution in production and the final documentation could impact the organization by creating role and responsibility conflicts, slowing the redeployment of resources, or not capturing lessons learned for continuous improvement. | ID_2496405c_5c8a_41cc_b8df_419f28c7dbae | System.Compliance.ControlObjectiveProjection |
| Reporting and Evidenciary Output | Reporting and Evidenciary Output | ID_253edd13_56c1_42fb_a077_6497c8994059 | System.Compliance.CategoryProjection |
| System Security | Objective: Enable only authorized functions, features, services and settings within all IT systems. Example: Failure to control what functions, features, services, and settings are enabled might result in myriad control failures, such as unmanaged configuration and change control, unauthorized access, unauthorized transfer of sensitive data through unauthorized protocols and features, system compromise through unauthorized features and protocols, and unauthorized use of assets for inappropriate purposes. | ID_25d7af62_4c83_4507_9266_39ee3db7f12a | System.Compliance.ControlObjectiveProjection |
| Information Management | Information Management | ID_295367c8_fde8_425a_9ff5_dc18875cbc86 | System.Compliance.CategoryProjection |
| Information Systems Acquisition, Development & Maintenance | Information Systems Acquisition, Development & Maintenance | ID_29fc755b_b342_49f6_a626_770cbdf6ea99 | System.Compliance.CategoryProjection |
| Development Management Process | Objective: Manage the build management service management function. Build management is the process of developing solution components, including the code for any in-house application or infrastructure solution, documentation that developers create, as well as the infrastructure that supports the solution. Example: Failure to manage the build process may result in uncoordinated infrastructure solutions, missing documentation to guide developers in the creation of software, and improperly configured infrastructure to support the development of quality solutions. | ID_2b09b10f_eb8a_4a2b_8595_e28a5f8ffc62 | System.Compliance.ControlObjectiveProjection |
| Certificate Management | Objective: Configure the organization's deployed assets to require certificate validation of software prior to execution. Example: Failure to validate software certificates might cause unauthorized, pirated, compromised, or improperly licensed software to execute within the environment. | ID_2d97ec10_6f0b_413b_af98_414068de7216 | System.Compliance.ControlObjectiveProjection |
| Assign Roles | Objective: Manage the assignment of roles by deciding the nature of the responsibilities, determining the roles needed, determining the type of structure needed, applying teaming principles, making and communicating assignments, creating a training plan, creating a staffing plan, and fine tuning assignments. Example: Failure to manage the assignment of roles may affect the organization by introducing segregation of duty issues, conflicting responsibilities, opportunities for fraud and crime, or poorly trained workers and under-staffing. | ID_2f20a086_4309_4904_a113_c7557ad0292c | System.Compliance.ControlObjectiveProjection |
| Initiate Change | Objective: Manage the initiation of a change by opening a request for change, checking the technical configuration, checking the business process and application configuration, identifying the business impact, assessing the risk, and updating the request for change (RFC). Example: Failure to manage the initiation of a change could affect the infrastructure, processes, or solution by introducing unintended consequences. | ID_2f7b8a59_1da2_4841_a9ec_11fc101638d9 | System.Compliance.ControlObjectiveProjection |
| Risk Management | Risk Management | ID_2f7e0c59_102d_43d7_9fa0_a1daed1521e7 | System.Compliance.CategoryProjection |
| Change Request Management Process | Objective: Manage changes to the organization's IT services and associated assets. Example: To deliver reliable and effective IT services, organizations need to ensure that change is planned and purposeful. The business relies on IT to embrace change management processes that take into consideration the needs for prompt action, reliable services, and compliance with policies and regulations. | ID_2fb5c95c_26fd_4b55_8522_66c0fb233c05 | System.Compliance.ControlObjectiveProjection |
| Data Backup | Objective: Back up (copy) data in a manner that allows recovery if the primary data system is corrupted or destroyed. Example: Failure to back up data to a secondary repository could result in irrevocable data loss or corruption. Failure to appropriately safeguard the secondary repository from the same circumstances that might affect the original system could result in both the primary and secondary system failing simultaneously. Organizations typically maintain enterprise-level backup and recovery solutions. The Microsoft Windows operating system also contains a basic backup feature, Windows Backup, that can be used to back up server configurations and file system data. | ID_309033fd_0f6a_4598_b43c_fa805ed3c63a | System.Compliance.ControlObjectiveProjection |
| Education of the Software Development Lifecycle | Objective: All members of a software development team must receive appropriate training to stay informed about security basics and recent trends in security and privacy. Individuals in technical roles (developers, testers, and program managers) that are directly involved with the development of software programs must attend at least one unique security training class each year. | ID_345e6fab_4438_499b_a3a6_a504f4ed132f | System.Compliance.ControlObjectiveProjection |
| Plan Work | Objective: Plan operational work by categorizing operational work, assigning resources, estimating duration, identifying dependencies, and building the operations schedule. Example: Failure to manage planning operational work could affect operations by not scheduling resources to work efficiently, missing dependencies, and poorly assigned resources. | ID_3496a5ea_e12f_4b76_af51_983c34d1597c | System.Compliance.ControlObjectiveProjection |
| Project Planning Management Process | Objective: Manage the organization's project planning by creating a customer technology baseline and evaluating products and technologies. Example: Failure to manage project planning for baselines and evaluations may lead to waste from redundancy or making incorrect build/buy decisions. | ID_34efba12_663e_4849_af20_e3ebd6c2ff7d | System.Compliance.ControlObjectiveProjection |
| Define Requirements | Objective: Define operational work requirements by identifying the operational requirements imposed by SLAs and operating level agreements (OLAs), categorizing typical operational activities and tasks, and building an operations plan that details those items, as well as their requirements and dependencies. Example: Failure to identify and document operational work activities could affect operations by not meeting contractual agreements, creating conflicting or redundant work, or not managing requirements or dependencies. | ID_36f970e4_1df7_4656_8a68_c3f8715f31d2 | System.Compliance.ControlObjectiveProjection |
| Resolve Request | Objective: Manage customer service request resolution by determining how to best resolve the request as determined by the category of the request: information, service fulfillment, new service, or incident resolution. Example: Failure to determine the method for resolving a customer request could affect the final outcome, the appropriateness and timeliness of the resolution, and customer satisfaction. | ID_372aa771_2bcd_48b8_8669_9dece0b81b44 | System.Compliance.ControlObjectiveProjection |
| Power Management | Power Management | ID_3784a03f_7f14_484a_8f16_561fc83d53a6 | System.Compliance.CategoryProjection |
| Approve and Schedule Change | Objective: Manage change approval by routing the change to the correct approving body, processing standard changes to release, analyzing the impact of the change and identifying reviewers, approving or rejecting the change (or seeking additional information), and updating the request for change (RFC). Example: Failure to manage the approval and scheduling of a change could lead to inappropriate changes being made, high-priority changes being delayed, changes that fail to take into account all affected elements, excessive risk, and failure to appropriately update the RFC. | ID_37da50ef_3143_493c_9317_79bcaab9caeb | System.Compliance.ControlObjectiveProjection |
| Audit Program | Objective: Develop and maintain the organization's audit management program. Example: Failure to maintain an audit management program may affect the organization's ability to determine what must be audited, who must carry out audit duties, the timeline of internal and external audits for maximum efficiency, and how audit findings may be managed in a timely manner. | ID_383c3581_fc6c_4edb_9c6b_7497c72f0958 | System.Compliance.ControlObjectiveProjection |
| Personnel Identification | Objective: Require that all personnel in the facility are identified. Retain records of individuals with access to the facility based on policy requirements. Perform regular inventories of physical access devices, including electronic and physical keys. Regularly change keyed locks and cypher lock combinations. Example: Failure to restrict access to authorized personnel may result in unauthorized access to facilities and equipment residing at those facilities. | ID_38eefa9f_38b8_4bff_914b_d65d2247d477 | System.Compliance.ControlObjectiveProjection |
| Power Configuration | Objective: Manage the environment's power. Example: Failure to manage the environment's power may result in power loss, interruption, or other degradation of reliant services. | ID_3b1e62b1_019d_45c6_a56b_0f3afb0564a0 | System.Compliance.ControlObjectiveProjection |
| File System | Objective: Configure file systems to prevent unauthorized access. Example: Failure to configure file systems with the proper rights management attributes may result in unauthorized access to data. | ID_3b833b02_f302_40f3_9ebd_68565cae3dc4 | System.Compliance.ControlObjectiveProjection |
| Identify Team Changes | Objective: Identify the role and responsibility changes needed by reviewing the IT portfolio, determining work to be done, and listing responsibilities. Example: Failure to identify role and responsibility changes affects the ability of the organization to reduce confusion and conflict while organizing, resourcing, and executing work. | ID_3d74e77b_6abc_43cc_b39d_1f566c02990b | System.Compliance.ControlObjectiveProjection |
| IT Infrastructure Management | IT Infrastructure Management | ID_40b02fba_4a65_43a9_b196_7453dd075061 | System.Compliance.CategoryProjection |
| Nonrepudiation Configuration | Objective: Configure technologies to enforce nonrepudiation of information delivered through reports or transmitted through communications. Example: Nonrepudiation prevents a receiving party from refuting the receipt of an item or data. Configuring technologies to enforce nonrepudiation allows these technologies to log transactional receipts for all relevant transactions. Failure to configure nonrepudiation might allow a party to deny receipt of information that is essential to transactional integrity in financial services, incident management integrity in security and availability-related services, as well as in other critical services. | ID_41816fd2_65b9_4574_af24_31c749cdbd05 | System.Compliance.ControlObjectiveProjection |
| Disaster Recovery and Continuity Site Management | Objective: Create and maintain an alternate site for IT services. Example: Failure to properly manage the organization’s alternate IT services site could result in unavailability of IT services if the main site is rendered unavailable. This may occur through natural disaster, catastrophic systems failure, or other interruptive event. | ID_41f2967a_8779_4b64_8a02_68497bfea418 | System.Compliance.ControlObjectiveProjection |
| System Security | System Security | ID_43678272_f871_4cf0_aeed_ed033882bd27 | System.Compliance.CategoryProjection |
| Define Requirements | Objective: Define the IT service to be monitored, prepare the service component health model, and review the reliability requirements. Example: Failure to define monitoring, health, and reliability requirements could affect the ability to deliver services that meet performance and contractual obligations. | ID_456044f4_ddfd_430e_a6a4_12f928372749 | System.Compliance.ControlObjectiveProjection |
| Report Management | Objective: Manage IT services and associated products to ensure that required reports and other evidentiary output are created and maintained. Example: Failure to create and maintain evidentiary output might result in adverse court findings, fines, and other legal proceedings against the organization. Evidentiary output may be produced from services (collections of assets, data, processes, and applications) or an individual service component. Output might include log files, configuration reports, status reports, process and procedure status reports, or financial transaction logs. | ID_45d77b2b_9e0f_4fdd_a82a_2b17b00d3c08 | System.Compliance.ControlObjectiveProjection |
| Develop and Test Change | Objective: Manage change development and testing activities by designing the change, identifying configuration dependencies, building and testing the change, reviewing the readiness of the change for release, and updating the request for change (RFC). Example: Failure to manage the development and testing of a change could lead to inadequate or low-quality changes being made, changes that fail to take into account all affected elements, unreliable changes, excessive risk, and failure to appropriately update the RFC. | ID_469cd167_1094_4cfb_9f62_57b56228941a | System.Compliance.ControlObjectiveProjection |
| Risk Scoring Process | Objective: Develop and maintain the organization's risk scoring process. Example: Failure to maintain a risk scoring process affects the ability of the organization to compare and prioritize risks for remediation. | ID_46bb8efc_e40f_4fb0_8175_f1857b306a84 | System.Compliance.ControlObjectiveProjection |
| Risk Management Process | Objective: Develop and maintain the organization's risk management process. Example: Failure to maintain a risk management process affects the ability of the organization to identify and assign resources for remediation. | ID_4705f5da_a2a6_49aa_8b70_634f943f9e4b | System.Compliance.ControlObjectiveProjection |
| Data Retention | Data Retention | ID_4a61e30f_bb74_446f_a041_343b700d52a1 | System.Compliance.CategoryProjection |
| Verification Phase | Objective: Perform run-time verification, fuzz testing, threat modeling, and attack surface reviews of developed software. | ID_4a6fe32b_dba7_4c69_8c98_4ae628adad37 | System.Compliance.ControlObjectiveProjection |
| Application Security Settings | Objective: Manage the configuration, patching, and licensing of all deployed applications. Example: Failure to properly manage the organization’s software applications could affect security and be detrimental to the operational integrity of the organization. Lax software management could cause unrealized and unbudgeted licensing costs, problems with application licensing, security certificates, application configuration, and security updates, and could allow the introduction of malicious software (malware) into the organization. | ID_4aa947ab_0018_4ba8_b89f_8012ebe5aee5 | System.Compliance.ControlObjectiveProjection |
| Authorized Hardware | Objective: Require that all hardware in use by the organization is authorized. Example: Failure to control the use of hardware may result in unauthorized data storage, data transit, network, and other solutions. Also, unauthorized hardware may not be able to be configured to control requirements. | ID_4b573b55_5864_414f_a9bf_b684cd4df551 | System.Compliance.ControlObjectiveProjection |
| Identity Management | Objective: Provide all users and system entities with unique identities, and establish that access to the organization’s assets requires a unique identity and authentication value pair. Example: Failure to manage unique identities for users and system entities might complicate investigations that involve access to the organization's assets and data. The Windows operating system enforces unique identities within Active Directory Domain Services. | ID_4c084e42_e558_4073_81c3_55ff5cb7db1e | System.Compliance.ControlObjectiveProjection |
| User Access Reviews | Objective: Review user access at planned intervals in order to validate that the level of access is still appropriate; remediate user access as needed. Example: Failing to review user access at regularly planned intervals may result in a user who has changed jobs keeping elevated access privileges that are no longer needed to perform the new job function. | ID_4c7fef9c_52e0_4a8c_892c_407330adc471 | System.Compliance.ControlObjectiveProjection |
| Stablilize | Stablilize | ID_4d3417cf_33ab_4e70_a93d_9a571ed67c58 | System.Compliance.CategoryProjection |
| User Notification | User Notification | ID_4d993112_af21_47ce_8cf4_e49fb0d1cd1c | System.Compliance.CategoryProjection |
| Policy Maintenance and Review | Objective: Review the efficacy, reasonableness, and applicability of the organization's policies. Example: Failure to evaluate the efficacy, reasonableness, and applicability of the organization's policies may result in inefficient (time consuming, laborious), unreasonable (expensive), and unnecessary (no longer applicable) requirements within the organization's practices and technologies. | ID_4fac9819_d4a4_4c06_8a69_67a7542501c5 | System.Compliance.ControlObjectiveProjection |
| Data Integrity | Objective: Manage the integrity of data that is used and generated by IT systems and services. Example: Failure to manage the integrity of data in the organization might affect the accuracy, calculations, transactions, values, measures, and other essential components of IT services. For example, the organization might generate unreliable conclusions or statements that affect its reputation or its ability to continue doing business. | ID_508f5a82_f132_47df_bb97_79050fb5cca6 | System.Compliance.ControlObjectiveProjection |
| Data Discovery | Objective: Manage the ways that the organization discovers data that is used for business purposes to ensure that the discovery methods comply with relevant laws and regulations and that any required disclosures are made about how it will be used and managed as well as to whom it will be disclosed. Example: Failure to properly manage data discovery processes and procedures might result in unauthorized use or disclosure of such data and make the organization liable for sanctions, fines, or other penalties. | ID_543b2435_af7d_401b_95b1_da221e63d242 | System.Compliance.ControlObjectiveProjection |
| Design Phase | Objective: Reduce the attack surface of software through documentation of threat models for proposed software designs. | ID_557df68f_05fe_4995_8240_a7d1c8049f0f | System.Compliance.ControlObjectiveProjection |
| Maintain an Information Security Management Program |
Objective: Maintain an information security management program to protect assets and data from harm.
Example: Failure to manage risk, security policies, information security practices, assets, environments, and human interaction with data may result in data loss or corruption.
| ID_55fbbcb7_b7e1_4c20_ba40_66bf100f5d3a | System.Compliance.ControlObjectiveProjection |
| Reliability Planning |
Objective: Manage the planning of reliability capabilities so that there is clear understanding and documentation of the business requirements for the service, and how the target IT environment and the specifications for the service align with each other, how the service affects the current environment, and where there are significant technical or resource capability gaps.
Example: Failure to properly manage the planning of reliability capabilities could affect the predictability, usefulness, efficiency, and cost of IT services.
| ID_567f83c4_031b_468a_8684_a8261ea2465e | System.Compliance.ControlObjectiveProjection |
| Data Storage |
Objective: Manage the systems and devices that the organization uses to store data to ensure that the data is appropriately protected in accordance with its classification and sensitivity.
Example: Failure to properly manage data storage might affect the organization’s ability to conduct its business and lead to unauthorized access or disclosure that might violate custodial agreements for protecting and using such data.
| ID_57241122_0de8_4b34_ac9a_bfcd2c0182f1 | System.Compliance.ControlObjectiveProjection |
| Service Monitoring and Control Management Process |
Objective: Manage the monitoring and control of IT services.
Example: Service monitoring and control (SMC) is the real-time observation of and alerting about health conditions (characteristics that indicate success or failure) in an IT environment. It helps to ensure that deployed services are operated, maintained, and supported in line with the service level agreement (SLA) targets agreed to between the business and IT. Failure to monitor services can result in unrealized and unresolved service failures.
| ID_5885d98d_caef_48d9_ba35_7ef7607f2b4c | System.Compliance.ControlObjectiveProjection |
| Patch Management Process |
Objective: Develop and maintain the organization's patch management process.
Example: Failure to maintain a patch management process may result in the organization failing to patch its technologies for vulnerabilities, bugs, and other undesirable programmatic behavior.
| ID_591af25b_b2e0_4ea0_b654_0acf2a7de637 | System.Compliance.ControlObjectiveProjection |
| Change Detection Process for File Integrity |
Objective: Manage a file integrity detection process within the organization's IT environment and services.
Example: Failure to detect file integrity issues may result in incorrect data being referenced in critical services, resulting in erroneous reports and engagement of potentially incorrect courses of action.
| ID_5920cb07_3ace_4b24_afd5_b26d8ab074c6 | System.Compliance.ControlObjectiveProjection |
| Availability Management |
Objective: Manage growth of IT infrastructure based upon the organization's needs.
Example: Failure to properly manage the organization’s IT infrastructure needs may result in overloaded services, resulting in poor performance.
| ID_59328db0_2a7b_4bfc_b40e_fcfc17ddb42c | System.Compliance.ControlObjectiveProjection |
| Password Attributes |
Objective: Manage passwords to help ensure resistance to discovery through brute force attack.
Example: Failure to enforce password complexity, change protocol, and other password parameters might result in passwords that could be easily compromised. For example, passwords that are simplistic or that consist of words that can be found in a dictionary could be discovered through automated brute-force methods. The Windows operating system, Group Policy, and Active Directory Domain Services (AD DS) allow password creation parameters to be easily configured, enforced, and managed. In this control objective, password creation parameters must be configured to significantly delay or prevent discovery of password values. Typically, this objective is achieved through password complexity requirements that include length, usage of different types of characters, and the amount of time that passwords are valid before they expire. Governance, risk, and compliance (GRC) authority documents provide a range of prescriptive guidance regarding specific parameters and settings. Microsoft ships configuration baselines and best practice guidance that balance GRC requirements with its customers' real-world requirements.
| ID_5a0de3f5_a7bc_4ae7_8f5a_97718121ae6c | System.Compliance.ControlObjectiveProjection |
| Information Privacy | Information Privacy | ID_5c223a9a_ca21_4507_b66d_a97bc089260b | System.Compliance.CategoryProjection |
| Classify Request |
Objective: Classify the customer service request by categorizing the user’s request, helping determine which solution will best benefit the user, determining if the request is supportable, and then prioritizing the request.
Example: Failure to properly classify and prioritize the customers' service request could affect timeliness of resolution, appropriateness of the solution, and effective use of support resources.
| ID_5e1b14c9_b487_41a7_a788_3e828474d478 | System.Compliance.ControlObjectiveProjection |
| Support and Servicing Phase | Objective: Respond to software vulnerabilities through the release of security advisories and updates, when appropriate. | ID_5f05820d_36af_45d2_856b_5f0dc940ba2b | System.Compliance.ControlObjectiveProjection |
| Service Monitoring and Control | Service Monitoring and Control | ID_5f30a581_1ea6_42a4_a0eb_f5507e049e04 | System.Compliance.CategoryProjection |
| Data Collection |
Objective: Manage the ways that the organization collects data to ensure that only authorized data is collected.
Example: Failure to properly manage the collection of data might result in unauthorized use of confidential information, inappropriate use of information, or inadvertent disclosure of sensitive information.
| ID_623400b0_c24f_4a1c_9d0c_dccfd5c07d82 | System.Compliance.ControlObjectiveProjection |
| Reliability Plan Implementation |
Objective: Manage the development of various plans, including availability, capacity, data security, disaster recovery, monitoring, and review, and adjust the plans for suitability before approving them.
Example: Failure to properly manage the development of plans could affect the degree of reliability that is achieved for the organization's resources.
| ID_641f4603_6236_467d_9807_16b36dfc9c8c | System.Compliance.ControlObjectiveProjection |
| Architectural Change Management |
Objective: Manage architectural changes to the organization's networks and firewalls, including voice and wireless networks.
Example: Failure to properly manage the organization’s networks may result in network map inaccuracies, including but not limited to undocumented network vulnerabilities.
| ID_662cfa95_9eac_4d41_924a_513783c113f5 | System.Compliance.ControlObjectiveProjection |
| Change Management Process |
Objective: Manage change that affects the organization's services and assets.
Example: Failure to manage the configuration of the organization's assets may result in unknown, noncompliant configurations that could affect the confidentiality, integrity, and availability of associated services.
| ID_66848e32_d764_43c4_b2de_ec6996af573e | System.Compliance.ControlObjectiveProjection |
| Ensure Service Quality |
Objective: Ensure that the Service Desk has provided good service to the user by verifying the resolution of the Help request and sending a user satisfaction survey.
Example: Failure to ensure good service could affect user satisfaction with the Service Desk and compliance with contracts and agreements.
| ID_66c51cf0_11c3_4652_8c7d_0e7b8eea1fb0 | System.Compliance.ControlObjectiveProjection |
| Data Classification | Data Classification | ID_66d42636_27d3_4092_b245_de8611dc4072 | System.Compliance.CategoryProjection |
| Build Management | Build Management | ID_6747704f_d6fc_4e2e_bea6_fa91715e500c | System.Compliance.CategoryProjection |
| Least Functionality |
Objective: Enable only authorized functions, features, services and settings within all IT systems.
Example: Failure to control what functions, features, services, and settings are enabled might result in myriad control failures, such as unmanaged configuration and change control, unauthorized access, unauthorized transfer of sensitive data through unauthorized protocols and features, system compromise through unauthorized features and protocols, and unauthorized use of assets for inappropriate purposes.
| ID_67aade00_b133_4d48_8dfd_8b5c00394b93 | System.Compliance.ControlObjectiveProjection |
| Maintenance Management |
Objective: Manage the maintenance of IT infrastructure through a maintenance plan.
Example: Failure to properly maintain the organization’s IT infrastructure may result in undocumented changes, unauthorized changes, failure to conduct preventive maintenance in a timely manner, unknown availability of replacement parts, and the inability to prove when maintenance was conducted.
| ID_68acaa10_f1cd_4319_9f55_db1ea7841448 | System.Compliance.ControlObjectiveProjection |
| Maintain Work Instructions |
Objective: Maintain operational work instructions by changing or retiring existing work instructions when a better way of completing the work has been identified, performing maintenance, and updating the operations guide.
Example: Failure to manage the maintenance of operational work instructions could impact operations by performing tasks in less than optimal ways or failing to adapt work to new requirements.
| ID_6a3d0220_1829_48f9_aecc_8c510f85f04f | System.Compliance.ControlObjectiveProjection |
| Stabilize the Deployment |
Objective: Manage the solution deployment by stabilizing and monitoring the solution during the quiet period prior to project team disengagement.
Example: Failure to properly manage stabilizing and monitoring the solution deployment could affect the project by disengaging the project resources prior to final customer approval and sign off.
| ID_6a41ae0c_d77c_4d78_b8a4_86cfc7d1e26e | System.Compliance.ControlObjectiveProjection |
| Name Resolution |
Objective: Configure name resolution services to provide robust functionality and to limit name resolution data to authorized assets.
Example: Failure to provide a robust, redundant name resolution service might affect service availability across a range of assets that require data direction and other connectivity services.
| ID_6ad3da9d_5f44_421b_9c21_6a5ef0c27bc4 | System.Compliance.ControlObjectiveProjection |
| Asset Management Process |
Objective: Develop and maintain the organization's asset management process.
Example: Failure to maintain an asset management process may result in inclusion of assets within IT services that do not meet compliance requirements such as warranty, configuration, and high availability.
| ID_6b6a9d4b_51f4_4020_a277_87768d4c8711 | System.Compliance.ControlObjectiveProjection |
| Problem Management Process |
Objective: Manage problems within the organization's incident and problem management solution.
Example: Failure to manage problems may result in inefficient management of incidents, which could leave the underlying problem unidentified.
| ID_6cacb378_98aa_4529_a117_2d0501275246 | System.Compliance.ControlObjectiveProjection |
| Execute Work |
Objective: Manage the execution of operational work by evaluating the execution of work instructions, updating the operations log, and supplying input for Operational Health Management Review.
Example: Failure to execute the operational work could impact the organization by performing work ineffectively, inefficiently, and with unpredictable results.
| ID_6e8a2f02_2994_4984_87c3_5383584a4b8e | System.Compliance.ControlObjectiveProjection |
| Key Management |
Objective: Manage encryption algorithm keys in a secure manner.
Example: Failure to manage keys associated with deployed algorithms might result in unauthorized access to sensitive assets and data while in transit or storage.
| ID_6ff8c9f6_8508_43de_bb17_3044352b2654 | System.Compliance.ControlObjectiveProjection |
| Review Plans and Milestones |
Objective: Approve the milestone by reviewing and then agreeing that the interim milestones have been met, that planned due dates are realistic, and that the projects, roles, and responsibilities are well defined and mechanisms are in place to address project risks.
Example: Failure to review and approve the project plans could impact the project by creating uncoordinated work and conflicting roles and responsibilities, resulting in delays, overruns, and potential project failure.
| ID_70a6b0b5_8a4d_4992_a1a3_7c4877352809 | System.Compliance.ControlObjectiveProjection |
| Security Policy Acceptance by Management |
Objective: Publish and communicate to all employees a formal information security policy that has management approval.
Example: Failure to publish and communicate an approved information security policy could lead to non-compliance with policy, which in turn could lead to loss of information confidentiality, availability, or integrity.
| ID_72ba5eef_8168_4b33_b5cd_eb8b2bff61a6 | System.Compliance.ControlObjectiveProjection |
| Deploy Sites |
Objective: Manage the deployment of the solution to all targeted users and computers at each site.
Example: Failure to properly manage solution site deployment could affect meeting site specific requirements and inhibit overall project completion.
| ID_739daa32_6c46_4147_bc44_9cab3de2eb46 | System.Compliance.ControlObjectiveProjection |
| Physical Environment Management |
Objective: Manage the physical environment's physical security to ensure only authorized access is permitted, and that unauthorized access is detectable.
Example: Failure to manage the environment's physical security may result in system and data compromise, loss of assets, and loss of inventory control.
| ID_744475e4_3f49_4343_91ef_044732f67548 | System.Compliance.ControlObjectiveProjection |
| Data Retention |
Objective: Retain and destroy data as required by applicable data retention policies, investigations, and court orders.
Example: Although seemingly contradictory, destruction is an integral component of a properly functioning data retention protocol. Failure to retain data could impair the organization's ability to conduct or comply with an investigation, which might lead to court-issued, e-discovery related fines and adverse court findings. Failure to destroy data might violate regulations or laws that govern how long information may be retained by the organization.
| ID_74db08af_8e32_4883_964b_e88bde2adbee | System.Compliance.ControlObjectiveProjection |
| Event Logging |
Objective: Log events that affect the health, security, availability, configuration status, and operational status of assets.
Example: Failure to record meaningful events will result in unknown states and conditions of critical assets and services, and will hamper incident management and investigation efforts. Events that occur within software applications are typically logged by the operating system. For this control objective, one or more processes should exist that monitor log files for meaningful events and alert administrative users to states, conditions, or trends that could affect the confidentiality, availability, or integrity of data, processes, and assets.
| ID_7788615d_734b_4584_bdc6_7c3a7f049223 | System.Compliance.ControlObjectiveProjection |
| Assess, Monitor, and Control Risk |
Objective: Manage the assessment, monitoring, and control of risk by considering the potential consequences of activities, evaluating their impact, and then taking a very explicit approach to address related risks.
Example: Failure to manage the assessment, monitoring, and control of risk may result in unknown, noncompliant configurations and operational activities that could affect the confidentiality, integrity, and availability of associated services.
| ID_7b7ef3a6_902e_464b_aff6_96c75df05b62 | System.Compliance.ControlObjectiveProjection |
| Software Development Lifecycle Security Team | Objective: Establish and maintain a team of personnel to review the software development lifecycle and respond to security issues as they are discovered. | ID_7c714a84_22d5_46af_8a18_53b85964e477 | System.Compliance.ControlObjectiveProjection |
| Perform IT Accounting and Reporting |
Objective: Manage IT accounting, reporting, and cost recovery functions by determining costs to use in budget comparisons, evaluating service usage reports as a basis for cost recovery, and assessing the actual derived benefits to the business for the services that are delivered.
Example: Failure to properly manage the organization’s accounting, reporting, and cost recovery functions could affect financial reporting for the business, cost effectiveness, and the business value derived from IT services.
| ID_7f1df02d_c489_4eda_897b_6c930a67febf | System.Compliance.ControlObjectiveProjection |
| Non-Production Environments |
Objective: Production data shall not be replicated or used in non-production environments.
Example: Replication of production data could lead to unauthorized disclosure of confidential data.
| ID_7f32411e_7656_4d45_99ae_cf189e9d32eb | System.Compliance.ControlObjectiveProjection |
| Acquisition Management | Acquisition Management | ID_80275a69_b8af_4cc4_9441_573001eb0f98 | System.Compliance.CategoryProjection |
| Build Work Instructions |
Objective: Build operational work instructions that enable identifying resources, identifying operational guidance, developing operational work instructions, and testing operational work instructions.
Example: Failure to manage building operational work instructions could affect the full development of guidance and specific, tested instructions for the operational work identified in the operations plan.
| ID_81798243_db7b_443c_b530_2d0eccc8f9bd | System.Compliance.ControlObjectiveProjection |
| Maintenance Management | Maintenance Management | ID_823a3aca_caa5_4b02_91c9_080bda429cc9 | System.Compliance.CategoryProjection |
| Personal Information Handling |
Objective: Manage the ways that the organization handles data that is classified as 'personal information' to ensure that only authorized personnel are granted access, and that the information is only used for authorized purposes.
Example: Failure to properly manage personal information might result in unauthorized access, distribution, and/or uses that might violate custodial agreements for its protection and use.
| ID_823d83c9_4378_471a_8817_7ae2199b9d94 | System.Compliance.ControlObjectiveProjection |
| Problem Management | Problem Management | ID_83080ec1_d027_4c58_9a36_cc7f46af5289 | System.Compliance.CategoryProjection |
| Document Problem |
Objective: Document a problem by creating a problem record, classifying the problem, and prioritizing the problem.
Example: Failure to document the problem may result in negative impacts to the reliability or availability of a service or system.
| ID_86b4bb11_4c5a_4f5e_9304_b3bb4509c3db | System.Compliance.ControlObjectiveProjection |
| Control and Report |
Objective: Control and report service management activities by producing reports and statistics, conducting Operational Health management review, and planning and executing service improvements.
Example: Failure to manage the control and reporting of service management activities could impact services by not effectively performing the management and monitoring of operations and services.
| ID_88c6b10e_2489_4bd8_9ec8_16cd307b44d7 | System.Compliance.ControlObjectiveProjection |
| Incident Management Process |
Objective: Manage incidents that affect IT services.
Example: Failure to properly manage incidents within IT services may result in service degradation, improper or unreliable operation, and service failure.
| ID_89d694d9_d318_434d_87de_1b037244bbfd | System.Compliance.ControlObjectiveProjection |
| Deploy Core Components |
Objective: Prepare for solution deployment by deploying solution infrastructure in production.
Example: Failure to deploy solution infrastructure could affect the project by introducing delays and missing release dates.
| ID_8ab5d2a7_d5a0_4b8b_8288_e15a8d10e21a | System.Compliance.ControlObjectiveProjection |
| IT Process Management | IT Process Management | ID_8da5c0f3_3143_431d_814e_f644c709f7ee | System.Compliance.CategoryProjection |
| Application of the Software Development Lifecycle | Objective: Apply the software security development lifecycle to software associated with personal/sensitive information, when the software will be used in a networked environment, or used within an enterprise or government environment. | ID_8dccb928_3430_4890_b2b1_82778a97cf14 | System.Compliance.ControlObjectiveProjection |
| Classify Change |
Objective: Classify the change by identifying the priority of the change, identifying the category of the change, checking and validating the configuration, assessing the risk, and updating the request for change (RFC).
Example: Failure to classify the change could lead to high-priority changes being delayed, changes that fail to take into account all affected elements, excessive risk, and failure to appropriately update the RFC.
| ID_94d2017e_016f_4131_bfd9_1a73c467fd62 | System.Compliance.ControlObjectiveProjection |
| Network Protection |
Objective: Maintain computer system connectivity with other systems only through authorized pathways and connections.
Example: Failure to control connections and pathways could result in unauthorized discovery and access. For example, failure to segregate database servers or other servers that contain sensitive information and features from the Internet could allow unauthorized connectivity. In this control objective, such connectivity should be configured to only use documented, restricted pathways that the organization has deemed safe and appropriate for use.
| ID_9508d9f4_8dda_487b_b046_161f5787aaf2 | System.Compliance.ControlObjectiveProjection |
| Communication of Change |
Objective: Communicate the change to the change requestor.
Example: Failure to communicate requested changes to the requesting party may lead to duplicate requests and fail to close the communications loop on any changes made.
| ID_952d90e5_327c_4fbf_a4f2_9268abef7fdd | System.Compliance.ControlObjectiveProjection |
| Data Classification |
Objective: Conspicuously label sensitive data within files, folders, and groups of documents according to a managed data classification schema.
Example: Failure to label data might cause unauthorized duplication, retention, destruction, or propagation of sensitive data that includes information about the organization, its personnel, and its customers. Failure to manage the data classification schema could result in ambiguous, conflicting, and unnecessarily complicated labels that might cause misclassification or misuse of data. The Windows operating system allows for data classification by location and file tagging. Data must be labeled in a manner that carries data classification with the data entity, such as a file, folder, email, or database table. Rules that affect the availability of information may be enforced through Rights Management Services (RMS).
| ID_954c5591_a9e2_457d_9287_5d5be75f66d8 | System.Compliance.ControlObjectiveProjection |
| Reliability Management | Reliability Management | ID_9550ce62_fcee_4ca9_926f_6171d5710c36 | System.Compliance.CategoryProjection |
| Functional Specification Documentation |
Objective: Write the functional specification by documenting requirements and linking requirements to a detailed description of what the solution will look like and how it will behave.
Example: Failure to capture requirements or adequately describe the appearance and behavior could affect the project by leading to rework and unfulfilled customer expectations.
| ID_95ac6bbf_7c1a_47eb_97a2_be9234927f7e | System.Compliance.ControlObjectiveProjection |
| Business/IT Alignment Management | Business/IT Alignment Management | ID_97f7cf06_417f_438e_b86b_73ba9dc5cc2d | System.Compliance.CategoryProjection |
| Access Management | Access Management | ID_99925f98_57c6_4717_8b94_e154f75d0cb6 | System.Compliance.CategoryProjection |
| Deploy | Deploy | ID_99fb475e_ab85_487f_8f46_22a45df0d8f4 | System.Compliance.CategoryProjection |
| Remote Access |
Objective: Configure remote access services to only use authorized remote access connectivity pathways and authorization methods.
Example: Failure to manage and properly configure remote access services might allow the use of unauthorized pathways and authorization methods, which could result in unauthorized access to sensitive data or assets.
| ID_9c90d625_5ff7_43ad_ad2d_ab73a65e32c5 | System.Compliance.ControlObjectiveProjection |
| Research Outcome |
Objective: Research the outcome by determining if a workaround or fix has been discovered, determining if a proactive action is possible, and closing the problem record.
Example: Failure to research the outcome of the problem research activities may result in the identification of workarounds or fixes that are not viable or usable in the actual, complex, production environment.
| ID_9fa15845_db8e_4bb6_bec8_fd496752c5fa | System.Compliance.ControlObjectiveProjection |
| Operations | Operations | ID_a06c3575_58b9_4b72_8fd3_65adb3a81039 | System.Compliance.CategoryProjection |
| Create Master Schedule |
Objective: Create a master schedule by combining and integrating all the schedules from bottom-up estimating, determining the release date after creating drafts of the functional specification and master project plan.
Example: Failure to create a master schedule based on bottom-up estimating can impact the project by setting a final release date that is not realistic or achievable.
| ID_a0a8c1e5_d600_43b7_b337_dece838c1e7b | System.Compliance.ControlObjectiveProjection |
| Local Logon |
Objective: Configure local logon functionality to prevent unauthorized access.
Example: Failure to configure authentication mechanisms may result in system compromise.
| ID_a14b1c52_1473_4eba_bbb7_f428d9defa15 | System.Compliance.ControlObjectiveProjection |
| Outsourced Development Quality and Oversight |
Objective: Implement and maintain a quality and oversight program for outsourced software development, including the application of the security development lifecycle as appropriate.
Example: Failure to independently validate the security design of an application could prevent the organization from identifying and remediating one or more security vulnerabilities in that application.
| ID_a1644570_ec3f_4bf2_8d7c_dc7b745067b1 | System.Compliance.ControlObjectiveProjection |
| Deployment Management Process |
Objective: Manage the deployment of services.
Example: During deployment, the project team deploys the core solution and the site components into the production environment, stabilizes the deployment, transfers the project to operations, and gets final customer approval for the new solution. Failure to control deployment within the organization's IT environment and services may result in poor handoff to affected parties and an uncoordinated customer experience.
| ID_a351a74b_7de0_4c44_8517_aeda7e84483f | System.Compliance.ControlObjectiveProjection |
| Business Continuity Management | Business Continuity Management | ID_a5e2b8b7_65a6_4950_bd09_142cde168d35 | System.Compliance.CategoryProjection |
| Implement Service |
Objective: Implement the service by aligning new IT service to existing processes and functions, to existing IT organization, and to existing SMC tools.
Example: Failure to successfully implement the service could affect the ability to manage the solution.
| ID_a76d81c8_1fd1_4a87_b9cb_b9ac67401799 | System.Compliance.ControlObjectiveProjection |
| Identity and Access Management | Identity and Access Management | ID_a7a0566f_f993_4924_99c1_91d667ad108d | System.Compliance.CategoryProjection |
| Manage Operational Work |
Objective: Manage operational work by ensuring that the work outlined in the operations guide is being completed cost-effectively and is fulfilling the SLAs. This is accomplished by verifying work completed, optimizing the operations schedule, and optimizing operations resources.
Example: Failure to manage operational work could impact the organization by creating inefficiencies, wasting resources, and failing to fulfill contractual obligations.
| ID_a7d3182b_3837_4917_a963_1adc28553e22 | System.Compliance.ControlObjectiveProjection |
| Policy Publication |
Objective: Publish the organization's written policies.
Example: Without policy publication, the organization may not know what version of policy is in effect; also, audit bodies may determine that the organization does not provide adequate training for current policy, and that the policy is not readily available for reference.
| ID_a90469c8_424a_4e3b_bfd3_e0bcbd79fea5 | System.Compliance.ControlObjectiveProjection |
| Vision and Scope Documentation |
Objective: Manage the project's vision and scope by providing clear direction for the project team, including outlining explicit project goals, priorities, and constraints as well as setting customer expectations.
Example: Failure to properly manage vision and scope could affect the project results by attempting to achieve more than is needed, more than can be delivered, or failing to meet customer expectations.
| ID_ac8a05b5_cfe5_4976_8435_c2a6d1574a2f | System.Compliance.ControlObjectiveProjection |
| Evaluate Products and Technologies |
Objective: Manage the organization's project planning by creating a customer technology baseline and evaluating products and technologies.
Example: Failure to manage project planning for baselines and evaluations may lead to waste from redundancy or making incorrect build/buy decisions.
| ID_ac9aa917_16d3_4290_9689_dbb0405ed528 | System.Compliance.ControlObjectiveProjection |
| Requirements Phase | Objective: Document software security requirements, define quality gates, and define bug bars to establish minimum acceptable levels of security and privacy quality. | ID_ad5273f2_c4df_4f0c_9a2e_41155e7b1b92 | System.Compliance.ControlObjectiveProjection |
| Management Authorization of Acquisition |
Objective: Policies and procedures shall be established for management authorization for development or acquisition of new applications, systems, databases, infrastructure, services, operations, and facilities.
Example: Failure to implement this MCO could lead to the development or acquisition of systems that do not comply with the organization's policies, standards, or procedures. It could also lead to the development or acquisition of an unauthorized system.
| ID_ae27af38_cd11_49a6_a2b6_6744914d4e4f | System.Compliance.ControlObjectiveProjection |
| User Access Contracts |
Objective: Ensure that employment contracts are signed by all users, and that the contracts address information security controls relevant to the position, physical location, systems, and data to be accessed.
Example: Failure to contractually bind employees to required information security policy may result in a user claiming that information controls were not clearly prescribed.
| ID_b044877c_c54e_4afc_868b_27fe84ce7ee2 | System.Compliance.ControlObjectiveProjection |
| License Management |
Objective: Develop and maintain the organization's license management process.
Example: Failure to maintain licenses may result in illegal or unlicensed use of software in a production environment, resulting in fines to the organization.
| ID_b0ba2a64_6201_413f_86cd_3b699ca4dc26 | System.Compliance.ControlObjectiveProjection |
| Policy Management | Policy Management | ID_b16c7581_b770_4a7c_957a_957747b324c3 | System.Compliance.CategoryProjection |
| Authentication Types |
Objective: Enable only authorized authentication mechanisms, and enforce their use when accessing assets, applications, or data.
Example: Failure to control the authentication methods used to access the organization's systems, applications, and information might result in access methods that circumvent required access controls, account rules, and access log functions. Circumvention of these controls, rules, and functions could cause audit control failures if the authentication method violates password, access, and other associated policies. For example, organizations might require two-factor authentication when logging into the domain or network. If an alternate unauthorized authentication mechanism is used, two-factor authentication would not be enforced and the control would not be complied with.
| ID_b5fe3fc3_b45f_483f_b2cc_c25908d6dba8 | System.Compliance.ControlObjectiveProjection |
| Capacity and Performance Management |
Objective: Configure logging functionality to accurately and securely record and store events.
Example: The operating system typically controls the logging of security, system, and other operating system events as well as events within applications that run on the operating system. In this control objective, logging functionality should be configured to record the time, type, result, origin, and assets involved with recorded events. Access to logging functionality and output should be limited to authorized personnel, and all access attempts should be logged. Limited access prevents log alteration, and the logging of access attempts allows for investigation if unauthorized attempts are made. Log retention should be configured to accommodate investigation of events that relate to the types of data stored or processed. Logging functionality should be configured to halt sensitive transactional processes if log files are unavailable.
| ID_b836e846_2b92_470f_bd5a_0f9f06663984 | System.Compliance.ControlObjectiveProjection |
| Research Problem |
Objective: Research problems by reproducing the problem in a test environment, observing and documenting the symptoms of the problem, performing root cause analysis, developing a hypothesis and testing it, repeating this process until the root cause has been determined.
Example: Failure to manage the researching of problems may result in inefficient and ineffective attempts at finding root cause, or failing to identify the true root cause.
| ID_b9ecddd7_cff7_4c8c_b87f_044de2be4847 | System.Compliance.ControlObjectiveProjection |
| Operations Management Process |
Objective: Manage the IT operations process, which includes the day-to-day operations of each IT service.
Example: The operations process addresses what it takes to ensure effective and efficient day-to-day operations of an IT service after it has been conceived, built, and deployed into the production environment. Without such a process, the organization may not be able to measure or improve operational efficiency.
| ID_ba1f92d7_ada0_4ad8_aff5_0f3ccf056d0c | System.Compliance.ControlObjectiveProjection |
| Security Awareness Training |
Objective: Train all users on their information security responsibilities.
Example: Failure to train users on their information security responsibilities could lead to more information security incidents, more severe incidents, or both.
| ID_ba2b2c14_a48e_4ee6_bc40_cf30e3f25038 | System.Compliance.ControlObjectiveProjection |
| Package Master Project Plan |
Objective: Create a master project plan by writing individual project plans and then rolling up individual plans into the master project plan.
Example: Failure to roll up individual plans into the master project plan could impact clarity and understanding by introducing inconsistent document structures and conflicting terminology.
| ID_bb54df5f_7da2_46e2_b7b0_d5a602b5f30b | System.Compliance.ControlObjectiveProjection |
| Governance, Risk, and Compliance | Governance, Risk, and Compliance | ID_bb986361_28fc_49b9_bdf0_9abe3902aeb8 | System.Compliance.CategoryProjection |
| Confirm Resolution and Close Request |
Objective: Manage the confirmation and closure of a customer service request by updating the Help request, determining if the service has been resumed, determining if the incident has been resolved, verifying successful fulfillment, and closing the Help request.
Example: Failure to properly manage confirmation and closure of a customer service request could affect the continuous improvement of customer services and customer satisfaction, and could result in inappropriately closed requests.
| ID_bccb3e2d_b705_493e_850a_af64da992c30 | System.Compliance.ControlObjectiveProjection |
| Information Privacy |
Objective: Ensure that personal information is collected and handled in a way that is compliant with applicable rules and regulations.
Example: Aggregation of different fields in the same record could allow an organization to uniquely identify an individual, which may mean the organization is collecting, storing, and processing personal data in a way that does not comply with privacy laws, regulations, and standards.
| ID_bcfcca1a_a3bb_4b1f_9c1a_e8d123ead5eb | System.Compliance.ControlObjectiveProjection |
| System Architecture | System Architecture | ID_bf537aa4_faba_4537_b3b3_1bf28366b4cf | System.Compliance.CategoryProjection |
| Vision and Scope Approval |
Objective: Manage the approval signoff on the vision/scope milestone by the team, customers, and stakeholders that indicates their approval of the vision/scope document and their agreement that the project team is ready to proceed to planning.
Example: Failure to properly manage the vision/scope signoff could affect the quality, scope, timing, and viability of projects.
| ID_bf6ec5fc_3dc9_4518_8bcf_556ea6baf7ca | System.Compliance.ControlObjectiveProjection |
| Hardware Configuration | Hardware Configuration | ID_c0652654_bf03_4a70_836f_106bc358f28c | System.Compliance.CategoryProjection |
| Operations Monitoring and Reporting | Operations Monitoring and Reporting | ID_c0ffeb6c_d945_4127_84ea_b2b3a8ae04ff | System.Compliance.CategoryProjection |
| Audit Management | Audit Management | ID_c19c894c_6cdf_484b_8e28_cf44c046a03b | System.Compliance.CategoryProjection |
| Protocol Configuration Exception Process |
Objective: Manage exceptions to standardized configuration of protocols used by assets.
Example: Failure to properly manage exceptions to standardized protocol configuration could result in undocumented enablement of unauthorized protocols, which may lead to asset compromise.
| ID_c2b549a4_66c6_4170_97a3_57988d87e0a9 | System.Compliance.ControlObjectiveProjection |
| Environment Mgmt | Environment Mgmt | ID_c6d8c7a9_5bdd_4c9b_b0e6_88ae28eccae5 | System.Compliance.CategoryProjection |
| Logging Configuration |
Objective: Configure logging functionality to accurately and securely record and store events.
Example: The operating system typically controls the logging of security, system, and other operating system events as well as events within applications that run on the operating system. In this control objective, logging functionality should be configured to record the time, type, result, origin, and assets involved with recorded events. Access to logging functionality and output should be limited to authorized personnel, and all access attempts should be logged. Limited access prevents log alteration, and the logging of access attempts allows for investigation if unauthorized attempts are made. Log retention should be configured to accommodate investigation of events that relate to the types of data stored or processed. Logging functionality should be configured to halt sensitive transactional processes if log files are unavailable.
| ID_c7507c26_ad07_46e0_9a0e_d97d9c20f1c2 | System.Compliance.ControlObjectiveProjection |
| Security Development Lifecycle | Security Development Lifecycle | ID_c83e378e_4932_4de8_b843_be6f53e5c58d | System.Compliance.CategoryProjection |
| Network Security | Network Security | ID_c8bf0adb_65ce_44b7_ac37_08df929b909c | System.Compliance.CategoryProjection |
| System Integrity |
Objective: Manage the integrity of IT systems and the services they provide.
Example: Failure to properly manage the integrity of the organization’s IT systems and the services they provide might result in errors that affect calculations, transactions, values, measures, and other fundamental components of different IT services. For example, the organization might inadvertently draw conclusions or make statements that are based on erroneous data.
| ID_ca78d49f_7f1a_4c0b_81bf_637cd495f9b6 | System.Compliance.ControlObjectiveProjection |
| Policy Needs Assessment |
Objective: Assess what policies apply to the organization by documenting goals, assessing current state, envisioning future state, and performing gap analyses.
Example: Policy is the written intention of the organization. Without policy, organizational practices may self-determine and potentially fail to adequately address the applicability, sufficiency, and reasonableness of compliance requirements.
| ID_cd2653cd_e741_401a_9720_73f5efcc82e6 | System.Compliance.ControlObjectiveProjection |
| Policy Creation |
Objective: Create applicable policies for the organization that address security, privacy, partner relationships, knowledge management, appropriate use, and policy governance.
Example: Policy is the written intention of the organization. Without policy, organizational practices may self-determine the applicability, sufficiency, and reasonableness of compliance requirements. Also, failure to organize and document the intentions of the organization can result in duplicative and conflicting policy.
| ID_d26a6176_3dc6_4dad_bf64_d90f66dfcb9a | System.Compliance.ControlObjectiveProjection |
| Policy Enforcement and Evaluation |
Objective: Enforce and evaluate the efficacy, reasonableness, and applicability of the organization's policies and processes for requesting changes to policy.
Example: Failure to enforce the organization's policies may result in undocumented noncompliance within the organization's practices and technologies. Failure to evaluate the efficacy, reasonableness, and applicability of the organization's policies may result in inefficient (time-consuming, laborious), unreasonable (expensive), and unnecessary (no longer applicable) requirements within the organization's practices and technologies. Failure to address how to request changes to policy may result in noncompliant activities that undermine inappropriate or out-of-date policies.
| ID_d2b668b6_ebc3_4239_b1e7_fc19dd49d806 | System.Compliance.ControlObjectiveProjection |
| Team Accountability Management | Team Accountability Management | ID_d69cbbbd_d590_4a30_9bd6_48e80f60b314 | System.Compliance.CategoryProjection |
| Baseline Configuration |
Objective: Manage change by initially baselining the configuration to capture the starting configuration, preparing for rollback and disaster recovery, and understanding the impact of the proposed change.
Example: Failure to baseline the configuration could affect the ability to apply the change, the time it takes to make the change, or the ability to assess the impact of the change.
| ID_d84cb800_7601_4dd6_8a52_8026bdfb5bfc | System.Compliance.ControlObjectiveProjection |
| Customer Service Management | Customer Service Management | ID_d8f63c13_0a6a_4fc2_ba58_f9822d736bc0 | System.Compliance.CategoryProjection |
| User Rights Assignment |
Objective: Restrict asset and data access to individuals with a specific, authorized business need.
Example: Failure to restrict access to assets and data, such as different types of accounts/roles in the organization, might lead to system failure through unauthorized configuration changes and loss of sensitive data, such as personal or financial data.
| ID_d992e435_fbb1_4c9c_ba38_bc72aef57531 | System.Compliance.ControlObjectiveProjection |
| Data Handling | Data Handling | ID_dc0a85c7_b8a3_4c3b_b5c0_c62f9abe440c | System.Compliance.CategoryProjection |
| General Access Limitation |
Objective: Grant service and system access only to authorized user and system accounts.
Example: The Windows operating system controls identity and access management through Active Directory Domain Services (AD DS). If products use AD DS for authentication management, this control objective might be satisfied through role and account management as configured through AD DS.
| ID_dc64e7ea_345b_4195_a0eb_660a6d3e9456 | System.Compliance.ControlObjectiveProjection |
| Data Access |
Objective: Allow only authorized personnel to access, modify, delete, or duplicate sensitive data.
Example: Failure to control access to data might result in unauthorized access, modification, deletion, or duplication. Such actions might result in the loss of control of private or personal information, and could require the organization to report such losses to governing bodies and affected persons. Unauthorized data modification might result in significant problems, including but not limited to loss of transactional integrity, falsification of records, configuration modifications to assets, and escalation of privileges.
| ID_df104707_5386_46ed_840d_1cf3ae8faef6 | System.Compliance.ControlObjectiveProjection |
| Controls Management Process |
Objective: Develop and maintain the organization's controls management process.
Example: Failure to maintain a controls management process may result in unorganized, duplicative, inapplicable, unreasonable, or inefficient application of controls within the environment.
| ID_e06ffb56_9286_4494_8938_8d46348c4248 | System.Compliance.ControlObjectiveProjection |
| Personnel Management | Personnel Management | ID_e0e1113a_dead_4ac9_aefe_a424a03da0e1 | System.Compliance.CategoryProjection |
| User Notification |
Objective: Notify users at logon of applicable information about authorized and unauthorized use of system assets.
Example: Failure to notify users when they log on might result in inappropriate use of assets or data. Failure to notify might also affect the ability of an organization to prosecute inappropriate or unauthorized use of assets and data. The Windows operating system allows configuration of warning banners upon logon. Information within a logon banner should be developed in conjunction with the organization's legal counsel, auditors, and internal control personnel. Logon banners typically summarize who may use the asset, and applicable controls associated with data on these assets. Logon banners often reference written policy, and might direct users to additional relevant policy.
| ID_e0e410be_5f74_4f44_80c6_5a3798e83daa | System.Compliance.ControlObjectiveProjection |
| Data Roles and Responsibilities |
Objective: All data-related responsibilities shall be defined, documented, and communicated.
Example: Failure to define, document, and communicate responsibilities could lead to those responsibilities not being performed correctly or at all.
| ID_e4d963b8_ee56_49b1_8e20_ad98ed9ff461 | System.Compliance.ControlObjectiveProjection |
| Application Security | Application Security | ID_e82ad99f_88cc_4abe_8eb9_e8248bcc39fa | System.Compliance.CategoryProjection |
| Least Privilege |
Objective: Restrict asset and data access to individuals with a specific, authorized business need.
Example: Failure to restrict access to assets and data might lead to system failure through unauthorized configuration changes and loss of sensitive data, such as personal or financial data. Data access is more than what is accessible upon successful login. Additional data access might be inadvertently available through less obvious means, such as locked screens (username, system type, data storage classification) and bug reports (internal database queries and table structures). Access management should follow an authorized procedure to assign access rights, associate accounts to personnel, communicate credentials, and revoke access rights. The process should allow for varied access according to the different types of accounts/roles in the organization, such as those for full time employee accounts, vendor accounts, emergency accounts, and maintenance accounts. These accounts might be configured with additional limitations, such as restricted access path, asset type, data types, or hours of availability.
| ID_e881929f_a2ae_4f20_9c62_d79935212267 | System.Compliance.ControlObjectiveProjection |
| Service Requirements and Budget Management |
Objective: Manage service requirements and budgets by addressing services and business strategy, planning budgets, conducting budget reviews, and managing IT value realization.
Example: Failure to properly manage the organization’s service requirements and budgets could result in failure to understand IT’s expected contribution to business results, or failure to track expected benefits through the process of value realization.
| ID_e8dd684d_135e_42a8_8e99_d5df06a132e0 | System.Compliance.ControlObjectiveProjection |
| Time Configuration |
Objective: Configure assets to reference a single, centralized time source.
Example: Failure to centrally manage the time source used by assets might hamper investigations when log files on more than one asset must be compared. Additional difficulties might arise within transactional sequences that require accurate time and date information. The Windows operating system provides the ability to centrally source time from a single server and require all other servers and computers to reference this server.
| ID_eb1ffb59_cf80_4c7f_802f_6f70ae15786b | System.Compliance.ControlObjectiveProjection |
| Physical Entry Log Book |
Objective: Require that all visitors to the facility are entered in a log book. Retain the log book based on policy requirements. Periodically review the log book for suspicious activity.
Example: Failure to track visitors may result in unauthorized access to facilities and equipment residing at those facilities.
| ID_ec2c41a6_063c_438f_9bdb_f04a8a605829 | System.Compliance.ControlObjectiveProjection |
| Release Change |
Objective: Manage the release of the change and any accompanying site components into the production environment by stabilizing the release, getting final customer approval of the change, documenting the released change and communicating the impact to users, transferring responsibility from the project team that built the change to Operations and Support, and updating the request for change (RFC) and the configuration database.
Example: Failure to properly manage the release of the change could affect operations and the business by allowing into production an inadequate solution that does not fully address expected user, operations, and support requirements.
| ID_ec7d0760_e842_41c8_8c16_b65ee343492b | System.Compliance.ControlObjectiveProjection |
| Asset Management | Asset Management | ID_eca053af_9062_41cc_99ce_5fc0709971ee | System.Compliance.CategoryProjection |
| Reliability Monitoring and Improving Plans |
Objective: Manage the monitoring, reporting and trend analysis, and reviews of service reliability.
Example: Failure to properly manage the monitoring and improvement plans for reliability could affect the degree of achieved reliability and choices for resource investments.
| ID_ed3c3814_b4ba_456a_9d7e_751bf5df6e93 | System.Compliance.ControlObjectiveProjection |
| Physical Security | Physical Security | ID_ede094e1_cd5e_4432_bf33_369b6000b21c | System.Compliance.CategoryProjection |
| Stabilize Release Candidate |
Objective: Manage the stabilization of developed services. Stabilization involves incorporating feedback and resolving bugs against developed solutions prior to deployment.
Example: Failure to properly manage stabilization processes may result in improperly tested solutions, resulting in bugs or other undesired behavior within released solutions.
| ID_ee7b250d_abb2_4d1d_bd0f_a181efcf3a7e | System.Compliance.ControlObjectiveProjection |
| Project Envisioning | Project Envisioning | ID_ee993557_e608_47c4_a358_9210e22000be | System.Compliance.CategoryProjection |
| Conduct Pilot |
Objective: Validate the solution in production by pilot testing the entire solution in a subset of the live production environment, with a particular group of users, or on a subset of the infrastructure.
Example: Failure to pilot test the solution in production could impair users' ability to understand, learn, and use the solution, and could affect the final deployment of the solution.
| ID_f221d499_1ee7_45e4_b6f6_a35b3078b5cc | System.Compliance.ControlObjectiveProjection |
| Policy Validation |
Objective: Validate the organization's written policies.
Example: Without validation, policies may not be enforced and audit bodies may determine that management is not vested in existing policy.
| ID_f28be5f5_1a3b_429a_9506_86df84437cf8 | System.Compliance.ControlObjectiveProjection |
| IT Service Portfolio Development |
Objective: Manage the development of the IT service portfolio to ensure that the value of IT services in relation to business outcomes is measured and that new project concepts are analyzed and approved.
Example: Failure to properly manage the development of the IT portfolio could affect the ability to achieve the desired value that is derived from IT services.
| ID_f2aaadcd_7de7_4e03_af64_a2127dd254dc | System.Compliance.ControlObjectiveProjection |
| Report Configuration |
Objective: Manage IT services and associated products to ensure that required reports and other evidentiary output are configured according to policy.
Example: Failure to configure reports and evidentiary output might result in the wrong information being recorded, or omission of important information. Such failures can result in adverse court findings, fines, and other legal proceedings against the organization. Evidentiary output may be produced from services (collections of assets, data, processes, and applications) or an individual service component. Output might include log files, configuration reports, status reports, process and procedure status reports, or financial transaction logs.
| ID_f3eba8e6_60d0_421e_8d9a_dcf572f6ee09 | System.Compliance.ControlObjectiveProjection |
| Team Organization |
Objective: Manage the project by assembling the core team, creating a project structure document that describes the team’s organization and the roles and specific responsibilities assigned to each team member, clarifying the chain of accountability to the customer, and specifying the designated points of contact that the project team has with the customer.
Example: Failure to properly manage the team's formation and document the structure could affect role clarity with regard to who does what work, who should care about what deliverables, and who is responsible for maintaining customer relationships.
| ID_f4bc22bf_2175_4237_9313_255bbe54f3e2 | System.Compliance.ControlObjectiveProjection |
| Service Health | Service Health | ID_f58cd8a3_e6c2_474c_8ef2_e0bf717aed55 | System.Compliance.CategoryProjection |
| Identity Management | Identity Management | ID_f5915b0c_2df8_49e2_9f82_9a27a3aa0a51 | System.Compliance.CategoryProjection |
| Disaster Recovery | Disaster Recovery | ID_f8037189_4990_4e45_8ad9_b96d248792ef | System.Compliance.CategoryProjection |
| Background Checks |
Objective: Require that all personnel with access to sensitive information have received background checks in compliance with applicable laws and regulations.
Example: Failure to perform background checks may result in unauthorized behavior by personnel with a known history of crime.
| ID_f898e1f1_fef8_4cab_8dc0_6278b1bddeca | System.Compliance.ControlObjectiveProjection |
| Local Firewall |
Objective: Configure local firewalls to prevent unauthorized connections, and allow configuration changes only through authorized administrative accounts.
Example: Firewalls installed on local users' computers should not allow users to change access control lists (ACLs) or other configuration parameters. Configuration should only be conducted through authorized accounts, typically administrative accounts or roles. This control objective helps prevent unauthorized opening of ports and pathways that are potential vulnerabilities.
| ID_f90c4628_b3a1_4019_a3f9_8e3661265a95 | System.Compliance.ControlObjectiveProjection |
| Project Planning Management | Project Planning Management | ID_fc089f22_7579_446e_9e2a_7641327c606d | System.Compliance.CategoryProjection |
| Build Management Process |
Objective: Manage the build management service management function. Build management is the process of developing solution components, including the code for any in-house application or infrastructure solution, documentation that developers create, as well as the infrastructure that supports the solution.
Example: Failure to manage the build process may result in uncoordinated infrastructure solutions, missing documentation to guide developers in the creation of software, and improperly configured infrastructure to support the development of quality solutions.
| ID_fc1d53dc_09f3_4340_b5f9_962e6e37a2f6 | System.Compliance.ControlObjectiveProjection |
| Manage Finances |
Objective: Manage IT finances by creating IT budgets that reflect business priorities, determining maintenance and operations costs, developing innovation and improvement initiatives, determining project costs, and establishing value realization awareness across IT.
Example: Failure to properly manage the organization’s finances could affect business performance, viability, and the stewardship of organization resources.
| ID_fd3e6ecd_d34c_493a_9087_c92ae58ad18d | System.Compliance.ControlObjectiveProjection |
| Comply with Directives |
Objective: Comply with directives by monitoring the legal and regulatory environment, adapting to regulatory changes, and responding to management directives.
Example: Failure to comply with directives could lead to illegal activity, noncompliance with contracts, and generally underperforming organizations.
| ID_fe36cf69_225d_4a30_aa37_1a39fab5b468 | System.Compliance.ControlObjectiveProjection |
| IT Service Strategy Development |
Objective: Manage IT strategy so that IT goals are aligned with business goals to help ensure that IT invests in services that are effective and efficient in meeting organization needs.
Example: Failure to properly manage the organization’s service strategy could affect the business's ability to function, adjust to changes in the business and regulatory environment, and exercise stewardship of organization resources.
| ID_ff1d24ca_17e1_4980_af6c_9aab6952f17d | System.Compliance.ControlObjectiveProjection |
| Release Phase | Objective: Conduct a final security review, maintain an incident response plan, and execute a release plan for developed software. | ID_ffb85a0e_8078_48fa_885c_a678f611077e | System.Compliance.ControlObjectiveProjection |