Jul 4th, 2008 by John Gerber
PO1: Define a strategic IT plan.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| PO1.1: IT value management | | A: SA-2: Allocation of Resources | 10.3.1: Capacity management |
| PO1.2: Business-IT alignment | SD-CapMgmt: Capacity Management (6.2.1) | | |
| PO1.3: Assessment of current capability and performance | | | |
| PO1.4: IT strategic plan | | | |
| PO1.5: IT tactical plans | | | |
| PO1.6: IT portfolio management | | | |

PO2: Define the information architecture.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| PO2.1: Enterprise information architecture model | | | |
| PO2.2: Enterprise data dictionary and data syntax rules | | | |
| PO2.3: Data classification scheme | | A: AC-3: Access Enforcement; DCFA-1: Functional Architecture for information system Applications; ECAN-1: Access for Need-to-Know; EBRU-1: Remote Access for User Functions; PRNK-1: Access to Need-to-Know Information; ECCD-1: Changes to Data | 11.2.4: Review of user access rights; 11.4.5: Segregation in networks |
| | | A: AC-15: Automated Marking; ECML-1: Marking and Labeling | 7.2.2: Information labeling and handling |
| | | A: AC-16: Automated Labeling; ECML-1: Marking and Labeling | 7.2.2: Information labeling and handling |
| PO2.4: Integrity management | | C: SI-1: System and Information Integrity Policy and Procedures; DCAR-1: Procedural Review | 15.1.1: Identification of applicable legislation |
| | | C: SI-4: Information System Monitoring Tools and Techniques | 10.6.2: Security of network services; 10.10.1: Audit logging; 10.10.2: Monitoring system use; 10.10.4: Administrator and operator logs |
| | | C: SI-7: Software and Information Integrity | 12.2.1: Input data validation; 12.2.2: Control of internal processing; 12.2.4: Output data validation |
| | | C: SI-10: Information Accuracy, Completeness, Validity, and Authenticity | 10.7.3: Information handling procedures; 12.2.1: Input data validation; 12.2.2: Control of internal processing |

PO3: Determine technological direction.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| PO3.1: Technological direction planning | | | |
| PO3.2: Technical infrastructure plan | | | |
| PO3.3: Monitor future trends and regulations | | | |
| PO3.4: Technology standards | | | |
| PO3.5: IT architecture board | | | |

PO4: Define the IT processes, organization and relationships.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| PO4.1: IT process framework | SS-Implement: Planning for the Implementation of Service Management (11.3.2); SD-Implement: Planning for the Implementation of Service Management (10.3.2) | | |
| PO4.2: IT strategy committee | | | |
| PO4.3: IT steering committee | | | |
| PO4.4: Organizational placement of the IT function | | | |
| PO4.5: IT organizational structure | | | |
| PO4.6: Establishment of roles and responsibilities | | | |
| PO4.7: Responsibility for IT quality assurance | | | |
| PO4.8: Responsibility for risk, security and compliance | | | |
| PO4.9: Data and system ownership | | | |
| PO4.10: Supervision | | A: AC-13: Supervision and Review-Access Control; ECAT-1: Audit Trail Monitoring, Analysis and Reporting | 10.10.2: Monitoring system use; 11.2.4: Review of user access rights |
| PO4.11: Segregation of duties | | A: AC-5: Least Privilege | 10.1.3: Segregation of duties; 10.6.1: Network controls; 10.10.1: Audit logging |
| | | A: AC-6: Unsuccessful Login Attempts | 11.2.2: Privilege management |
| PO4.12: IT staffing | | | |
| PO4.13: Key IT personnel | | | |
| PO4.14: Contracted staff policies and procedures | | | |
| PO4.15: Relationships | SS-Relation: Relationship Between Processes (2); SD-Relation: Relationship Between Processes (2) | | |

PO5: Manage the IT investment.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| PO5.1: Financial management framework | SD-FinMgmt: Financial Management for IT Services (5.3.12) | | |
| PO5.2: Prioritization within IT budget | SD-FinMgmt: Financial Management for IT Services (5.3.1) | A: SA-2: Allocation of Resources | 10.3.1: Capacity management |
| PO5.3: IT budgeting | SD-FinMgmt: Financial Management for IT Services (5.2.1, 5.2.2, 5.3.14) | | |
| PO5.4: Cost management | SD-FinMgmt: Financial Management for IT Services (5.1.2, 5.2.1, 5.5.4) | | |
| PO5.5: Benefit management | SD-FinMgmt: Financial Management for IT Services (5.5.2, 5.7.11) | | |

PO6: Communicate management aims and direction.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| PO6.1: IT policy and control environment | | | |
| PO6.2: Enterprise IT risk and control framework | | | |
| PO6.3: IT policies management | | | |
| PO6.4: Policy, standards and procedures rollout | | | |
| PO6.5: Communication of IT objectives and direction | | | |

PO7: Manage IT human resources.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| PO7.1: Personnel recruitment and retention | | | |
| PO7.2: Personnel competencies | SS-SerDesk: The Service Desk (4.7.1) | | |
| PO7.3: Staffing of roles | | | |
| PO7.4: Personnel training | SS-SerDesk: The Service Desk (4.7.7); SD-RelMgmt: Release Management (9.3) | | |
| PO7.5: Dependence upon individuals | | | |
| PO7.6: Personnel clearance procedures | | | |
| PO7.7: Employee job performance evaluation | | | |
| PO7.8: Job change and termination | | | |

PO8: Manage quality.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| PO8.1: Quality management system | | | |
| PO8.2: IT standards and quality practices | | | |
| PO8.3: Development and acquisition standards | | A: SA-3: Life Cycle Support | |
| PO8.4: Customer focus | | | |
| PO8.5: Continuous improvement | | | |
| PO8.6: Quality measurement, monitoring and review | | | |

PO9: Assess and manage IT risks.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| PO9.1: IT risk management alignment | SD-AvaMgmt: Availability Management (8.9.3); SD-SCM: IT Service Continuity Management (7.1.5) | | |
| PO9.2: Establishment of risk context | SD-SCM: IT Service Continuity Management (7.2.2) | | |
| PO9.3: Event identification | SD-SCM: IT Service Continuity Management (7.2.1, 7.3.2) | | |
| PO9.4: Risk assessment | SD-AvaMgmt: Availability Management (8.6.2, 8.7.5, 8.9.3); SD-SCM: IT Service Continuity Management (7.2.1, 7.3.2, 7.5.1) | | |
| PO9.5: Risk response | SD-SCM: IT Service Continuity Management (7.5.1, 7.3.2, 7.3.3) | | |
| PO9.6: Maintenance and monitoring of a risk action plan | | | |

PO10: Manage projects.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| PO10.1: Program management framework | | | |
| PO10.2: Project management framework | SS-Implement: Planning for the Implementation of Service Management (11.4.1); SD-Implement: Planning for the Implementation of Service Management (10.4.1) | | |
| PO10.3: Project management approach | | | |
| PO10.4: Stakeholder commitment | | | |
| PO10.5: Project scope statement | | | |
| PO10.6: Project phase initiation | | | |
| PO10.7: Integrated project plan | SS-Implement: Planning for the Implementation of Service Management (11.4.7); SD-Implement: Planning for the Implementation of Service Management (10.4.7) | | |
| PO10.8: Project resources | SS-Implement: Planning for the Implementation of Service Management (11.4.5); SD-Implement: Planning for the Implementation of Service Management (10.4.5) | | |
| PO10.9: Project risk management | | | |
| PO10.10: Project quality plan | SD-Implement: Planning for the Implementation of Service Management (10.5.4) | | |
| PO10.11: Project change control | | | |
| PO10.12: Project planning of assurance methods | | | |
| PO10.13: Project performance measurement, reporting and monitoring | SD-Implement: Planning for the Implementation of Service Management (10.5, 10.5.1) | | |
| PO10.14: Project closure | SD-Implement: Planning for the Implementation of Service Management (10.5.2, 10.5.3) | | |

AI1: Identify automated solutions.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| AI1.1: Definition and maintenance of business functional and technical requirements | SD-RelMgmt: Release Management (9.2) | | |
| AI1.2: Risk analysis report | | | |
| AI1.3: Feasibility study and formulation of alternative courses of action | SS-Implement: Planning for the Implementation of Service Management (11.2); SD-Implement: Planning for the Implementation of Service Management (10.2) | | |
| AI1.4: Requirements and feasibility decision and approval | | | |

AI2: Acquire and maintain application software.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| AI2.1: High-level design | | | |
| AI2.2: Detailed design | | | |
| AI2.3: Application control and auditability | | A: SI-10: Information Accuracy, Completeness, Validity, and Authenticity | 10.7.3: Information handling procedures; 12.2.1: Input data validation; 12.2.2: Control of internal processing |
| AI2.4: Application security and availability | | C: AC-3: Access Enforcement; DCFA-1: Functional Architecture for information system Applications; ECAN-1: Access for Need-to-Know; EBRU-1: Remote Access for User Functions; PRNK-1: Access to Need-to-Know Information; ECCD-1: Changes to Data | 11.2.4: Review of user access rights; 11.4.5: Segregation in networks |
| | | C: SA-4: Acquisitions; DCAS-1: Acquisition Standards; DCDS-1: Dedicated IA Services; DCIT-1: IA for IT Services; DCMC-1: Mobile Code | 12.1.1: Security requirements analysis and specification |
| | | C: SA-8: Security Engineering Principles; DCBP-1: Best Security Practices; DCCS-1: Configuration Specifications | 12.1: Security requirements of information systems |
| | | C: SC-2: Application Partitioning | 11.4.5: Segregation in networks |
| | | C: SI-7: Software and Information Integrity | 12.2.1: Input data validation; 12.2.2: Control of internal processing; 12.2.4: Output data validation |
| | | C: SI-10: Information Accuracy, Completeness, Validity, and Authenticity | 10.7.3: Information handling procedures; 12.2.1: Input data validation; 12.2.2: Control of internal processing |
| AI2.5: Configuring and implementation of acquired application software | SS-RelMgmt: Release Management (9.8.3) | A: SA-1: System and Services Acquisition Policy and Procedures; DCAR-1: Procedural Review | 12.1: Security requirements of information systems; 15.1.1: Identification of applicable legislation |
| AI2.6: Major upgrades to existing systems | SS-RelMgmt: Release Management (9.3.5) | | |
| AI2.7: Development of application software | | A: SA-3: Life Cycle Support | |
| AI2.8: Software quality assurance | | A: SA-11: Developer Security Testing | 12.5.1: Change control procedures; 12.5.2: Technical review of applications after operating system changes |
| AI2.9: Applications requirements management | | | |
| AI2.10: Application software maintenance | SS-RelMgmt: Release Management (9.4.1) | | |

AI3: Acquire and maintain technology infrastructure.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| AI3.1: Technological infrastructure acquisition plan | SD-AvaMgmt: Availability Management (8.5.1, 8.6.1) | | |
| AI3.2: Infrastructure resource protection and availability | | | |
| AI3.3: Infrastructure maintenance | SD-AvaMgmt: Availability Management (8.2.3, 8.5.3) | | |
| AI3.4: Feasibility test environment | | | |

AI4: Enable operation and use.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| AI4.1: Planning for operational solutions | | | |
| AI4.2: Knowledge transfer to business management | SS-RelMgmt: Release Management (9.6.1, 9.6.3, 9.6.4, 9.6.5) | | |
| AI4.3: Knowledge transfer to end users | SS-RelMgmt: Release Management (9.6.5) | | |
| AI4.4: Knowledge transfer to operations and support staff | SS-RelMgmt: Release Management (9.6.5) | | |

AI5: Procure IT resources.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| AI5.1: Procurement control | | A: SA-1: System and Services Acquisition Policy and Procedures; DCAR-1: Procedural Review | 12.1: Security requirements of information systems; 15.1.1: Identification of applicable legislation |
| AI5.2: Supplier contract management | | | |
| AI5.3: Supplier selection | | | |
| AI5.4: IT resources acquisition | | A: SA-4: Acquisitions; DCAS-1: Acquisition Standards; DCDS-1: Dedicated IA Services; DCIT-1: IA for IT Services; DCMC-1: Mobile Code | 12.1.1: Security requirements analysis and specification |

AI6: Manage changes.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| AI6.1: Change standards and procedures | SS-ChgMgmt: Change Management (8.1, 8.1.1, 8.2, 8.3, 8.5.1) | | |
| AI6.2: Impact assessment, prioritization and authorization | SS-ChgMgmt: Change Management (8.2, 8.3.1, 8.3.2, 8.3.4, 8.5.2, 8.5.3, 8.5.4, 8.5.6, 8.5.7) | | |
| AI6.3: Emergency changes | SS-ChgMgmt: Change Management (8.3.2, 8.5.10, 8.5.11) | | |
| AI6.4: Change status tracking and reporting | SS-ChgMgmt: Change Management (8.3.1, 8.3.4, 8.5.2, 8.5.4) | | |
| AI6.5: Change closure and documentation | SS-ChgMgmt: Change Management (8.3.1, 8.5.13, 8.5.12) | | |

AI7: Install and accredit solutions and changes.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| AI7.1: Training | | | |
| AI7.2: Test plan | SS-ChgMgmt: Change Management (8.3.4) | | |
| AI7.3: Implementation plan | SS-ChgMgmt: Change Management (8.2.2, 8.3.1, 8.3.6, 8.5.9, 8.6.4); SS-RelMgmt: Release Management (9.3.6, 9.5.1, 9.6.3) | | |
| AI7.4: Test environment | SS-ChgMgmt: Change Management (8.5.9) | | |
| AI7.5: System and data conversion | | | |
| AI7.6: Testing of changes | SS-ChgMgmt: Change Management (8.2.2, 8.3.6, 8.5.9); SS-RelMgmt: Release Management (9.6.3, 9.6.6) | | |
| AI7.7: Final acceptance test | SS-ChgMgmt: Change Management (8.5.9); SS-RelMgmt: Release Management (9.6.6) | | |
| AI7.8: Promotion to production | | | |
| AI7.9: Post-implementation review | SS-ChgMgmt: Change Management (8.5.8); SS-RelMgmt: Release Management (9.1, 9.2, 9.3.4, 9.3.10, 9.3.11, 9.4.1, 9.4.2, 9.5.1, 9.5.2, 9.6.1, 9.6.3, 9.9.3, 9.11.3); SS-Annex: Annex (); SS-Annex: Annex (7A) | | |

DS1: Define and manage service levels.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| DS1.1: Service level management framework | SD-SerMgmt: Service-level Management (4.1.3, 4.1.4, 4.2, 4.2.1, 4.2.3, 4.3.1, 4.4.1, 4.6.1) | | |
| DS1.2: Definition of services | SD-SerMgmt: Service-level Management (4.2.2, 4.4.1) | | |
| DS1.3: Service level agreements | SD-SerMgmt: Service-level Management (4.1.4, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.6); SD-AvaMgmt: Availability Management (8.7, 8.2.1); SD-CapMgmt: Capacity Management (6.2.1) | | |
| DS1.4: Operating level agreements | SD-SerMgmt: Service-level Management (4.4.8); SD-AvaMgmt: Availability Management (8.2.1) | | |
| DS1.5: Monitoring and reporting of service level achievement | SD-SerMgmt: Service-level Management (4.3.2, 4.4.7, 4.5.1); SD-CapMgmt: Capacity Management (6.3.1) | | |
| DS1.6: Review of service level agreements and contracts | SD-SerMgmt: Service-level Management (4.3.3, 4.3.4, 4.4.8, 4.4.9, 4.5.2, 4.5.4) | A: SA-9: External Information System Services; DCDS-1: Dedicated IA Services; DCID-1: Interconnection Documentation; DCIT-1: IA for IT Services; DCPP-1: Ports, Protocols, and Services | 6.2.1: Identification of risks related to external parties; 6.2.3: Addressing security in third party agreements; 10.2.1: Service delivery; 10.2.2: Monitoring and review of third party services; 10.6.2: Security of network services |

DS2: Manage third-party services.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| DS2.1: Identification of all supplier relationships | SD-SerMgmt: Service-level Management (4.3.3, 4.4.1, 4.4.2); SD-Annex: Annex (4A) | | |
| DS2.2: Supplier relationship management | SD-SerMgmt: Service-level Management (4.4.3) | | |
| DS2.3: Supplier risk management | | A: SA-9: External Information System Services; DCDS-1: Dedicated IA Services; DCID-1: Interconnection Documentation; DCIT-1: IA for IT Services; DCPP-1: Ports, Protocols, and Services | 6.2.1: Identification of risks related to external parties; 6.2.3: Addressing security in third party agreements; 10.2.1: Service delivery; 10.2.2: Monitoring and review of third party services; 10.6.2: Security of network services |
| DS2.4: Supplier performance monitoring | SD-SerMgmt: Service-level Management (4.4.7, 4.5.1) | | |

DS3: Manage performance and capacity.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| DS3.1: Performance and capacity planning | SD-AvaMgmt: Availability Management (8.8, 8.8.4); SD-CapMgmt: Capacity Management (6.1, 6.1.2, 6.2, 6.3.7, 6.3.9, 6.5.2); SD-FinMgmt: Financial Management for IT Services (5.6.3); SD-Annex: Annex (6B) | | |
| DS3.2: Current performance and capacity | SD-CapMgmt: Capacity Management (6.2, 6.2.2, 6.3.1, 6.3.8); SD-FinMgmt: Financial Management for IT Services (5.7.5) | | |
| DS3.3: Future performance and capacity | SD-CapMgmt: Capacity Management (6.2, 6.3.5, 6.3.7); SD-FinMgmt: Financial Management for IT Services (5.1.5, 5.2.3) | | |
| DS3.4: IT resources availability | SD-AvaMgmt: Availability Management (8.3.3, 8.6, 8.6.3); SD-CapMgmt: Capacity Management (6.2, 6.2.3, 6.3.8) | | |
| DS3.5: Monitoring and reporting | SD-SerMgmt: Service-level Management (4.4.7); SD-AvaMgmt: Availability Management (8.3.3, 8.7, 8.7.1, 8.7.5, 8.7.6, 8.9.6); SD-CapMgmt: Capacity Management (6.1, 6.2, 6.2.3, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.5, 6.4.3, 6.5.2, 6.5.3) | | |

DS4: Ensure continuous service.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| DS4.1: IT continuity framework | SD-SCM: IT Service Continuity Management (7.1.3, 7.2.3, 7.3.3, 7.4.1, 7.4.2, 7.5) | | |
| DS4.2: IT continuity plans | SD-AvaMgmt: Availability Management (8.5.3); SD-SCM: IT Service Continuity Management (7.1.7, 7.2.3, 7.3.3, 7.4.1, 7.4.2, 7.5.1); SD-Annex: Annex (); SD-Annex: Annex (7C) | | |
| DS4.3: Critical IT resources | SD-AvaMgmt: Availability Management (8.2.3, 8.3.3, 8.5.1, 8.7.5, 8.7.6); SD-SCM: IT Service Continuity Management (7.1.3, 7.3.2, 7.3.3) | | |
| DS4.4: Maintenance of the IT continuity plan | SD-SCM: IT Service Continuity Management (7.3.4) | | |
| DS4.5: Testing of the IT continuity plan | SD-AvaMgmt: Availability Management (8.5.3); SD-SCM: IT Service Continuity Management (7.1.7, 7.3.3, 7.3.4, 7.5.3) | | |
| DS4.6: IT continuity plan training | SD-SCM: IT Service Continuity Management (7.3.4, 7.5.3) | | |
| DS4.7: Distribution of the IT continuity plan | SD-SCM: IT Service Continuity Management (7.3.5) | | |
| DS4.8: IT services recovery and resumption | SD-AvaMgmt: Availability Management (8.5.2, 8.5.3, 8.5.4); SD-SCM: IT Service Continuity Management (7.3.2); SD-Annex: Annex (); SD-Annex: Annex (7C) | C: CP-10: Information System Recovery and Reconstitution; COTR-1: Trusted Recovery; ECND-1: Network Device Controls | 14.1.4: Business continuity planning framework |
| DS4.9: Offsite backup storage | SD-AvaMgmt: Availability Management (8.5.4, 8.8.2); SD-SCM: IT Service Continuity Management (7.3.2, 7.3.3) | | |
| DS4.10: Post-resumption review | SD-AvaMgmt: Availability Management (8.5.3); SD-SCM: IT Service Continuity Management (7.3.3) | | |

DS5: Ensure system security.

| Cobit Control | ITIL | NIST SP 800-53 / DoD 8500.2 | ISO 17799 / 27001 |
|---|---|---|---|
| DS5.1: Management of IT security | | | |
| DS5.2: IT security plan | SD-AvaMgmt: Availability Management (8.5.5) | E: SC-1: System and Communications Protection Policy and Procedures; DCAR-1: Procedural Review | 10.8.1: Information exchange policies and procedures; 15.1.1: Identification of applicable legislation |
| DS5.3: Identity management | | | |
| DS5.4: User account management | | C: AC-2: Account Management | 6.2.2: Addressing security when dealing with customers; 6.2.3: Addressing security in third party agreements; 8.3.3: Removal of access rights; 11.2.1: User registration; 11.2.2: Privilege management; 11.2.4: Review of user access rights; 11.7.2: Teleworking |
| DS5.5: Security testing, surveillance and monitoring | | E: SI-4: Information System Monitoring Tools and Techniques | 10.6.2: Security of network services; 10.10.1: Audit logging; 10.10.2: Monitoring system use; 10.10.4: Administrator and operator logs |
| DS5.6: Security incident definition | | | |
| DS5.7: Protection of security technology | | C: SA-5: Information System Documentation; DCCS-1: Configuration Specifications; DCHW-1: Hardware Baseline; DCID-1: Interconnection Documentation; DCSD-1: IA Documentation; DCSW-1: Software Baseline; ECND-1: Network Device Controls; DCFA-1: Functional Architecture for information system Applications | 10.7.4: Security of system documentation |
| | | C: SC-3: Security Function Isolation | 11.4.5: Segregation in networks |
| DS5.8: Cryptographic key management | | C: SC-12: Cryptographic Key Establishment and Management | 12.3.1: Policy on the use of cryptographic controls; 12.3.2: Key management |
| | | C: SC-13: Use of Cryptography; IAKM-1: Key Management; IATS-1: Token and Certificate Standards | |
| DS5.9: Malicious software prevention, detection and correction | | C: SC-18: Mobile Code | 10.4.1: Controls against malicious code; 10.4.2: Controls against mobile code |
| | | C: SI-3: Malicious Code Protection; ECVP-1: Virus Protection; VIVM-1: Vulnerability Management | 10.4.1: Controls against malicious code |
| | | C: SI-7: Software and Information Integrity | 12.2.1: Input data validation; 12.2.2: Control of internal processing; 12.2.4: Output data validation |
| | | C: SI-8: Spam Protection | |