8.3 - Develop and manage IT resilience and risk
PCF ID: 20706 | Elements: 62 | Metrics Available: Y | Benchmarkable: 1
Definition
Develop and include the processes required to rapidly adapt and respond to any internal or external opportunity, demand, disruption, or threat to IT. Develop a more dynamic, strategic, and integrated approach to managing risk and compliance obligations.
Overview
This process group covers developing and managing IT resilience and risk within the broader context of Manage Information Technology (IT).
Process Hierarchy
Processes
| ID | Process | PCF ID | Sub-elements | Metrics |
|---|---|---|---|---|
| 8.3.1 | Develop IT compliance, risk, and security strategy | 20707 | 10 | N |
| 8.3.2 | Develop IT resilience strategy | 20716 | 4 | N |
| 8.3.3 | Control IT risk, compliance, and security | 20721 | 10 | N |
| 8.3.4 | Plan and manage IT continuity | 20731 | 3 | N |
| 8.3.5 | Develop and manage IT security, privacy, and data protection | 20735 | 7 | N |
| 8.3.6 | Conduct and analyze IT compliance assessments | 20743 | 5 | N |
| 8.3.7 | Develop and execute IT resilience and continuity operations | 20749 | 6 | N |
| 8.3.8 | Manage IT user identity and authorization | 20756 | 8 | N |
8.3.1 - Develop IT compliance, risk, and security strategy
PCF ID: 20707
Definition: Ensuring that the organization effectively manages risk. Develop rules and standards for robust IT operations, manage risk, and adopt measures to protect integrity, confidentiality, and security of IT assets.
| ID | Activity | PCF ID | Tasks | Metrics |
|---|---|---|---|---|
| 8.3.1.1 | Determine and evaluate IT regulatory and audit requirements | 20708 | 0 | N |
| 8.3.1.2 | Understand business unit risk tolerance | 20940 | 0 | N |
| 8.3.1.3 | Establish IT risk tolerance | 20709 | 0 | N |
| 8.3.1.4 | Establish risk ownership | 20710 | 0 | N |
| 8.3.1.5 | Establish and maintain risk management roles | 20711 | 0 | N |
| 8.3.1.6 | Establish compliance objectives | 20712 | 0 | N |
| 8.3.1.7 | Identify systems to support compliance | 20941 | 0 | N |
| 8.3.1.8 | Identify and evaluate IT risk | 20713 | 0 | N |
| 8.3.1.9 | Evaluate IT-related risks resiliency | 20714 | 0 | N |
| 8.3.1.10 | Create IT risk mitigation strategies and approaches | 20715 | 0 | N |
8.3.1.1 - Determine and evaluate IT regulatory and audit requirements
Definition: Determining and evaluating IT regulatory and audit requirements. Train employees on regulatory and audit requirements. Records required by the relevant regulatory and audit agencies must be maintained, and the new product process must be approved by the appropriate regulatory body before it is published to the organization.
8.3.1.2 - Understand business unit risk tolerance
Definition: Understand the risk tolerance levels of individual business units, given risk-return trade-offs for one or more anticipated and predictable consequences.
8.3.1.3 - Establish IT risk tolerance
Definition: Determine the specific maximum risk to take in quantitative terms for each relevant risk sub-category, including strategic, operational, financial, and compliance risks.
8.3.1.4 - Establish risk ownership
Definition: Establish an individual or a group who is ultimately accountable for ensuring that IT risks are managed appropriately.
8.3.1.5 - Establish and maintain risk management roles
Definition: Determine and maintain roles specialized in each risk area, and coordinate all risk management activities for the IT function with a defined escalation structure.
8.3.1.6 - Establish compliance objectives
Definition: Establishing compliance objectives that ensure the organization has systems of internal controls that adequately measure and manage IT risk.
8.3.1.7 - Identify systems to support compliance
Definition: Identifying and adopting information technology solutions to support changing regulatory compliance. Safeguard compliance and manage risk by outlining the risk policies and procedures.
8.3.1.8 - Identify and evaluate IT risk
Definition: Developing a timely and continuous process to identify and evaluate activities that might hinder IT operations or an IT project's goals.
8.3.1.9 - Evaluate IT-related risks resiliency
Definition: Assess IT-related risk resilience strategies to ensure that the organization effectively manages its risk.
8.3.1.10 - Create IT risk mitigation strategies and approaches
Definition: Developing activities to improve performance opportunities and lessen threats in IT. Evolve strategies and policies to attain organizational objectives.
8.3.2 - Develop IT resilience strategy
PCF ID: 20716
Definition: Developing resilience strategies of IT across the organization so that prospective risks can be avoided.
| ID | Activity | PCF ID | Tasks | Metrics |
|---|---|---|---|---|
| 8.3.2.1 | Determine IT delivery resiliency | 20717 | 0 | N |
| 8.3.2.2 | Determine critical IT risks | 20718 | 0 | N |
| 8.3.2.3 | Prioritize IT risks | 20719 | 0 | N |
| 8.3.2.4 | Establish mitigation approaches for IT risks | 20720 | 0 | N |
8.3.2.1 - Determine IT delivery resiliency
Definition: Determining resilience strategies to ensure that IT effectively manages its delivery process to mitigate risk.
8.3.2.2 - Determine critical IT risks
Definition: Determining risks that could disrupt objectives of IT.
8.3.2.3 - Prioritize IT risks
Definition: Prioritize potential IT risks based on business need to ensure overall IT stability.
8.3.2.4 - Establish mitigation approaches for IT risks
Definition: Establishing activities to improve opportunities and lessen threats for IT.
8.3.3 - Control IT risk, compliance, and security
PCF ID: 20721
Definition: Ensure effective control in overall IT risk management, formulate and execute guidelines in-line with regulatory bodies, and manage organizational security throughout the business operations.
| ID | Activity | PCF ID | Tasks | Metrics |
|---|---|---|---|---|
| 8.3.3.1 | Evaluate enterprise regulatory and compliance obligations | 20722 | 0 | N |
| 8.3.3.2 | Analyze IT security threat impact | 20723 | 0 | N |
| 8.3.3.3 | Create and maintain IT compliance requirements | 20724 | 0 | N |
| 8.3.3.4 | Create and maintain IT security policies, standards, and procedures | 20942 | 0 | N |
| 8.3.3.5 | Develop and deploy risk management training | 20725 | 0 | N |
| 8.3.3.6 | Establish risk reporting capabilities and responsibilities | 20726 | 0 | N |
| 8.3.3.7 | Establish communication standards | 20727 | 0 | N |
| 8.3.3.8 | Conduct IT risk and threat assessments | 20728 | 0 | N |
| 8.3.3.9 | Monitor and manage IT activity risk | 20729 | 0 | N |
| 8.3.3.10 | Identify, supervise and monitor IT risk mitigation measures | 20730 | 0 | N |
8.3.3.1 - Evaluate enterprise regulatory and compliance obligations
Definition: Evaluate a dynamic, strategic, and integrated approach to managing regulatory requirements and compliance obligations.
8.3.3.2 - Analyze IT security threat impact
Definition: Analyzing the impact of threats to critical IT assets across different departments and functions in the organization in terms of quantifiable results.
8.3.3.3 - Create and maintain IT compliance requirements
Definition: Develop and maintain IT compliance standards. Maintain requirements aligned with recognized governance, risk, and compliance bodies of knowledge, such as those underlying the GRCP, PMI-RMP, CGRC, CGEIT, and CRMA credentials (these are professional certifications, not regulatory directives).
8.3.3.4 - Create and maintain IT security policies, standards, and procedures
Definition: Develop and maintain an architecture for securing and ensuring the privacy of data flows throughout the organization. Create, test, evaluate, and implement IT security policies to ensure the safe use of IT services and solutions.
8.3.3.5 - Develop and deploy risk management training
Definition: Develop and implement training in regard to managing IT risks, understanding criticality, impact, and opportunities associated with business objectives.
8.3.3.6 - Establish risk reporting capabilities and responsibilities
Definition: Establishing processes to communicate IT risk to the organization.
8.3.3.7 - Establish communication standards
Definition: Establishing standards for communications within the organization that create a road map for a shared understanding of strategic initiatives across both business units and information technology services.
8.3.3.8 - Conduct IT risk and threat assessments
Definition: Conduct IT risk and threat assessments across IT assets, information security, and potential breach points within the organization.
8.3.3.9 - Monitor and manage IT activity risk
Definition: Monitoring and managing risks related to IT adoption within the organization.
8.3.3.10 - Identify, supervise and monitor IT risk mitigation measures
Definition: Identifying and supervising a blueprint of measures for managing risk in IT. Monitor actions to enhance opportunities and reduce threats to project objectives.
8.3.4 - Plan and manage IT continuity
PCF ID: 20731
Definition: Planning and managing IT's ability to recover from exposure to internal and external threats.
| ID | Activity | PCF ID | Tasks | Metrics |
|---|---|---|---|---|
| 8.3.4.1 | Evaluate IT continuity | 20732 | 0 | N |
| 8.3.4.2 | Identify IT continuity gaps | 20733 | 0 | N |
| 8.3.4.3 | Manage IT business continuity | 20734 | 0 | N |
8.3.4.1 - Evaluate IT continuity
Definition: Evaluating IT business needs and IT's ability to recover from internal or external threat exposure.
8.3.4.2 - Identify IT continuity gaps
Definition: Identifying the limitations of the IT organization's ability to remediate disruptions in IT services.
8.3.4.3 - Manage IT business continuity
Definition: Integrating the disciplines of Emergency Response, Crisis Management, Disaster Recovery (technology continuity) and Business Continuity for IT.
8.3.5 - Develop and manage IT security, privacy, and data protection
PCF ID: 20735
Definition: Creating and deploying an architecture for securing and ensuring the privacy of data flows throughout the organization. Create and develop protocols that ensure proper and efficient use of IT services and solutions.
| ID | Activity | PCF ID | Tasks | Metrics |
|---|---|---|---|---|
| 8.3.5.1 | Assess IT regulatory and confidentiality requirements and policies | 20736 | 0 | N |
| 8.3.5.2 | Create IT security, privacy, and data protection risk governance | 20737 | 0 | N |
| 8.3.5.3 | Define IT data security and privacy policies, standards, and procedures | 20738 | 0 | N |
| 8.3.5.4 | Review and monitor physical and logical IT data security measures | 20739 | 0 | N |
| 8.3.5.5 | Review and monitor application security controls | 20740 | 0 | N |
| 8.3.5.6 | Review and monitor IT physical environment security controls | 20741 | 0 | N |
| 8.3.5.7 | Monitor/analyze network intrusion detection data and resolve threats | 20742 | 0 | N |
8.3.5.1 - Assess IT regulatory and confidentiality requirements and policies
Definition: Evaluate principles or rules employed in controlling, directing, or managing IT services. Assessing requirements and policies related to confidentiality.
8.3.5.2 - Create IT security, privacy, and data protection risk governance
Definition: Defining and managing the organization's approach to governing IT security and ensuring the privacy of data flows throughout the organization. Establish and manage tools to support the governance process in order to prevent misuse of information and breaches of organizational privacy.
8.3.5.3 - Define IT data security and privacy policies, standards, and procedures
Definition: Outlining and establishing policies, regulations, standards, and procedures for IT data security and privacy.
8.3.5.4 - Review and monitor physical and logical IT data security measures
Definition: Identifying, examining, and reviewing physical and logical IT data security measures such as hardware security (smart cards), cryptographic protocols, and access control.
8.3.5.5 - Review and monitor application security controls
Definition: Identifying, examining, and reviewing security control for IT applications. Test, analyze, and implement security protocols in order to safeguard IT applications.
8.3.5.6 - Review and monitor IT physical environment security controls
Definition: Identifying and examining security controls for physical environment of information technology such as business facilities, equipment, and resources.
8.3.5.7 - Monitor/analyze network intrusion detection data and resolve threats
Definition: Monitoring and evaluating network intrusion detection for any malicious activity or policy violations. Identify the gaps in order to resolve threats and enhance existing network security.
8.3.6 - Conduct and analyze IT compliance assessments
PCF ID: 20743
Definition: Evaluate and analyze the IT environment for the compliance of industry regulations and government legislation. Ensure that IT capability and resources meet the set standards.
| ID | Activity | PCF ID | Tasks | Metrics |
|---|---|---|---|---|
| 8.3.6.1 | Conduct projects to enhance IT compliance and remediate risk | 20744 | 0 | N |
| 8.3.6.2 | Conduct IT compliance control auditing of internal and external services | 20745 | 0 | N |
| 8.3.6.3 | Perform IT compliance reporting | 20746 | 0 | N |
| 8.3.6.4 | Identify and escalate IT compliance issues and remediation requirements | 20747 | 0 | N |
| 8.3.6.5 | Support external audits and reports | 20748 | 0 | N |
8.3.6.1 - Conduct projects to enhance IT compliance and remediate risk
Definition: Conducting projects in order to enhance set standards, established guidelines, and risk preventive measures for IT risk and resilience.
8.3.6.2 - Conduct IT compliance control auditing of internal and external services
Definition: Examine compliance control systems and tools implemented for internal and external IT services.
8.3.6.3 - Perform IT compliance reporting
Definition: Execute IT compliance reporting to verify that processes, standards, regulations, and laws are followed as laid out by the regulatory bodies.
8.3.6.4 - Identify and escalate IT compliance issues and remediation requirements
Definition: Identify and escalate issues related to IT compliance to ensure that corrective measures are taken.
8.3.6.5 - Support external audits and reports
Definition: Supporting audits and reports performed by external parties. This process requires the organization to provide external auditors with the access and evidence they need and to meet the regulatory requirements they audit against.
8.3.7 - Develop and execute IT resilience and continuity operations
PCF ID: 20749
Definition: Create and execute a process to rapidly adapt and respond to any internal or external opportunity, demand, disruption, or threat in IT. Maintain continuous IT operations to protect employees, assets, and overall brand equity.
| ID | Activity | PCF ID | Tasks | Metrics |
|---|---|---|---|---|
| 8.3.7.1 | Conduct IT resilience improvement projects | 20750 | 0 | N |
| 8.3.7.2 | Develop, document, and maintain IT business continuity planning | 20751 | 0 | N |
| 8.3.7.3 | Implement and enforce change control procedures | 20752 | 0 | N |
| 8.3.7.4 | Execute recurring IT service provider business continuity | 20753 | 0 | N |
| 8.3.7.5 | Provide IT resilience training | 20754 | 0 | N |
| 8.3.7.6 | Execute recurring IT business operations continuity | 20755 | 0 | N |
8.3.7.1 - Conduct IT resilience improvement projects
Definition: Conducting projects to improve the strategy and process for rapidly adapting to any threat in IT.
8.3.7.2 - Develop, document, and maintain IT business continuity planning
Definition: Develop, document, and maintain plans to ensure uninterrupted operations of critical IT services. Determine resources such as specialized personnel, equipment, support infrastructure, legal and financial aspects.
8.3.7.3 - Implement and enforce change control procedures
Definition: Implement and enforce procedures and policies in order to control changes in IT services and solutions. Manage changes in a rational and predictable manner for optimum resource utilization.
8.3.7.4 - Execute recurring IT service provider business continuity
Definition: Review and implement resources (including external parties) necessary to support uninterrupted operations of critical IT services.
8.3.7.5 - Provide IT resilience training
Definition: Conduct and manage employee training programs on IT resilience so that prospective risks can be avoided.
8.3.7.6 - Execute recurring IT business operations continuity
Definition: Provision, on a recurring basis, the resources that support uninterrupted operations of critical IT services.
8.3.8 - Manage IT user identity and authorization
PCF ID: 20756
Definition: The process of identifying, authenticating, and authorizing IT users to have access to applications, systems, IT components, or networks by associating user rights and restrictions with established identities.
| ID | Activity | PCF ID | Tasks | Metrics |
|---|---|---|---|---|
| 8.3.8.1 | Support integration of identity and authorization policies | 20757 | 0 | N |
| 8.3.8.2 | Manage IT user directory | 20758 | 0 | N |
| 8.3.8.3 | Manage IT user authorization | 20759 | 0 | N |
| 8.3.8.4 | Manage IT user authentication mechanisms | 20760 | 0 | N |
| 8.3.8.5 | Audit IT user identity and authorization systems | 20761 | 0 | N |
| 8.3.8.6 | Respond to IT information security and network breaches | 20762 | 0 | N |
| 8.3.8.7 | Conduct penetration testing | 20763 | 0 | N |
| 8.3.8.8 | Audit integration of user identity and authorization systems | 20764 | 0 | N |
8.3.8.1 - Support integration of identity and authorization policies
Definition: Create and implement policies that bind authorization rules to the profiles of users authorized to access network resources.
8.3.8.2 - Manage IT user directory
Definition: Managing directory of user profiles and access requirements across different levels in the organization's IT network.
8.3.8.3 - Manage IT user authorization
Definition: Managing the process of authorizing IT users to access applications, systems, IT components, or networks by associating user rights.
8.3.8.4 - Manage IT user authentication mechanisms
Definition: Create and manage the process that authenticates IT users against the user directory in accordance with internal policies.
8.3.8.5 - Audit IT user identity and authorization systems
Definition: Examine the processes responsible for reviewing IT user identity and authorization.
8.3.8.6 - Respond to IT information security and network breaches
Definition: Address any form of security breach, such as unauthorized access to or use of data, applications, services, networks, and/or devices. Identify the root cause and take corrective measures to resolve the breach.
8.3.8.7 - Conduct penetration testing
Definition: Conduct penetration testing (pen test): an authorized, simulated attack that identifies security weaknesses in an IT environment by evaluating systems or networks with the techniques a real attacker would use, within an agreed scope and rules of engagement.
8.3.8.8 - Audit integration of user identity and authorization systems
Definition: Reviewing the processes responsible for integration of user identity and access authorization in order to confirm that all the required regulations are followed.
Change Summary (v7.2.1 vs v6.1.1)
Changes indicated by:
+XXXXX - New element added
-XXXXX - Element removed
cXXXXX - Element changed
NEW - Newly introduced
Complete Element List with Definitions
All 62 elements
| ID | Name | Definition |
|---|---|---|
| 8.3 | Develop and manage IT resilience and risk | Develop and include the processes required to rapidly adapt and respond to any internal or external ... |
| 8.3.1 | Develop IT compliance, risk, and securit... | Ensuring that the organization effectively manages risk. Develop rules and standards for robust IT o... |
| 8.3.1.1 | Determine and evaluate IT regulatory and... | Determining and evaluating IT regulatory and audit requirements. Train employees on regulatory and a... |
| 8.3.1.2 | Understand business unit risk tolerance | Understand the risk tolerance levels of individual business units, given risk-return trade-offs for ... |
| 8.3.1.3 | Establish IT risk tolerance | Determine the specific maximum risk to take in quantitative terms for each relevant risk sub-categor... |
| 8.3.1.4 | Establish risk ownership | Establish an individual or a group who is ultimately accountable for ensuring that IT risks are mana... |
| 8.3.1.5 | Establish and maintain risk management r... | Determine and maintain roles that are specialized in each risk areas and coordinating all risk manag... |
| 8.3.1.6 | Establish compliance objectives | Establishing compliance objectives which ensures that the organization has systems of internal contr... |
| 8.3.1.7 | Identify systems to support compliance | Identifying and adopting information technology solutions to support changing regulatory compliance.... |
| 8.3.1.8 | Identify and evaluate IT risk | Developing a timely and continuous process to identify and evaluate activities that might hinder IT ... |
| 8.3.1.9 | Evaluate IT-related risks resiliency | Assess IT-related risk resilience strategies to ensure that the organization effectively manages its... |
| 8.3.1.10 | Create IT risk mitigation strategies and... | Developing activities to improve performance opportunities and lessen threats in IT. Evolve strategi... |
| 8.3.2 | Develop IT resilience strategy | Developing resilience strategies of IT across the organization so that prospective risks can be avoi... |
| 8.3.2.1 | Determine IT delivery resiliency | Determining resilience strategies to ensure that IT effectively manages its delivery process to mit... |
| 8.3.2.2 | Determine critical IT risks | Determining risks that could disrupt objectives of IT. |
| 8.3.2.3 | Prioritize IT risks | Prioritize potential IT risks based on business need to ensure overall IT stability. |
| 8.3.2.4 | Establish mitigation approaches for IT r... | Establishing activities to improve opportunities and lessen threats for IT. |
| 8.3.3 | Control IT risk, compliance, and securit... | Ensure effective control in overall IT risk management, formulate and execute guidelines in-line wit... |
| 8.3.3.1 | Evaluate enterprise regulatory and compl... | Evaluation of dynamic, strategic, and integrated approach to manage regulatory requirements and comp... |
| 8.3.3.2 | Analyze IT security threat impact | Analyzing the impact of threats to critical IT assets across different departments and functions in ... |
| 8.3.3.3 | Create and maintain IT compliance requir... | Develop and maintain IT compliance standards. Maintaining requirements set forth by such directives ... |
| 8.3.3.4 | Create and maintain IT security policies... | Develop and maintain an architecture for securing and ensuring the privacy of data flows throughout ... |
| 8.3.3.5 | Develop and deploy risk management train... | Develop and implement training in regard to managing IT risks, understanding criticality, impact, an... |
| 8.3.3.6 | Establish risk reporting capabilities an... | Establishing processes to communicate IT risk to the organization. |
| 8.3.3.7 | Establish communication standards | Establishing standards for communications within the organization which creates the road map for suc... |
| 8.3.3.8 | Conduct IT risk and threat assessments | Evaluate IT risk and threat assessments by way of IT assets, information security, and breach points... |
| 8.3.3.9 | Monitor and manage IT activity risk | Monitoring and managing risks related to IT adoption within the organization. |
| 8.3.3.10 | Identify, supervise and monitor IT risk ... | Identifying and supervising a blueprint of measures for managing risk in IT. Monitor actions to enha... |
| 8.3.4 | Plan and manage IT continuity | Planning and managing IT's ability to recover from exposure to internal and external threats. |
| 8.3.4.1 | Evaluate IT continuity | Evaluating IT business needs and IT's ability to recover from internal or external threat exposure. |
| 8.3.4.2 | Identify IT continuity gaps | Identifying the limitations of the IT organization's ability to remediate disruptions in IT services... |
| 8.3.4.3 | Manage IT business continuity | Integrating the disciplines of Emergency Response, Crisis Management, Disaster Recovery (technology ... |
| 8.3.5 | Develop and manage IT security, privacy,... | Creating and deploying an architecture for securing and ensuring the privacy of data flows throughou... |
| 8.3.5.1 | Assess IT regulatory and confidentiality... | Evaluate principles or rules employed in controlling, directing, or managing IT services. Assessing ... |
| 8.3.5.2 | Create IT security, privacy, and data pr... | Defining and managing organization's approach to governing IT security and ensuring the privacy of d... |
| 8.3.5.3 | Define IT data security and privacy poli... | Outlining and establishing policies, regulations, standards, and procedures for IT data security and... |
| 8.3.5.4 | Review and monitor physical and logical ... | Identifying, examining, and reviewing physical and logical IT data security measures such as hardwar... |
| 8.3.5.5 | Review and monitor application security ... | Identifying, examining, and reviewing security control for IT applications. Test, analyze, and imple... |
| 8.3.5.6 | Review and monitor IT physical environme... | Identifying and examining security controls for physical environment of information technology such ... |
| 8.3.5.7 | Monitor/analyze network intrusion detect... | Monitoring and evaluating network intrusion detection for any malicious activity or policy violation... |
| 8.3.6 | Conduct and analyze IT compliance assess... | Evaluate and analyze the IT environment for the compliance of industry regulations and government le... |
| 8.3.6.1 | Conduct projects to enhance IT complianc... | Conducting projects in order to enhance set standards, established guidelines, and risk preventive m... |
| 8.3.6.2 | Conduct IT compliance control auditing o... | Examine compliance control systems and tools implemented for internal and external IT services. |
| 8.3.6.3 | Perform IT compliance reporting | Execute IT compliance reporting in order to review processes, standards, regulations, and laws are f... |
| 8.3.6.4 | Identify and escalate IT compliance issu... | Identify and escalate issues related to IT compliance to ensure that corrective measures are taken. |
| 8.3.6.5 | Support external audits and reports | Supporting audits and reports through external resources. This process requires the organization to ... |
| 8.3.7 | Develop and execute IT resilience and co... | Create and execute a process to rapidly adapt and respond to any internal or external opportunity, d... |
| 8.3.7.1 | Conduct IT resilience improvement projec... | Conducting projects to improve the strategy and process for rapidly adapting to any threat in IT. |
| 8.3.7.2 | Develop, document, and maintain IT busin... | Develop, document, and maintain plans to ensure uninterrupted operations of critical IT services. De... |
| 8.3.7.3 | Implement and enforce change control pro... | Implement and enforce procedures and policies in order to control changes in IT services and solutio... |
| 8.3.7.4 | Execute recurring IT service provider bu... | Review and implement resources (including external parties) necessary to support uninterrupted opera... |
| 8.3.7.5 | Provide IT resilience training | Conduct and manage employee training programs on IT resilience so that prospective risks can be avoi... |
| 8.3.7.6 | Execute recurring IT business operations... | Implement regular resources supporting uninterrupted operations of critical IT services. |
| 8.3.8 | Manage IT user identity and authorizatio... | The process of identifying, authenticating, and authorizing IT users to have access to applications,... |
| 8.3.8.1 | Support integration of identity and auth... | Create and implement policies that integrate authorization policies with authorized profiles of user... |
| 8.3.8.2 | Manage IT user directory | Managing directory of user profiles and access requirements across different levels in the organizat... |
| 8.3.8.3 | Manage IT user authorization | Managing the process of authorizing IT users to access applications, systems, IT components, or netw... |
| 8.3.8.4 | Manage IT user authentication mechanisms | Create and manage the process to authenticate IT users from user directory based on the internal pol... |
| 8.3.8.5 | Audit IT user identity and authorization... | Examine the processes responsible for reviewing IT user identity and authorization. |
| 8.3.8.6 | Respond to IT information security and n... | Address any form of unauthorized network breach such as unauthorized access or usage of data, applic... |
| 8.3.8.7 | Conduct penetration testing | Conduct penetration testing (pen test) through an authorized stimulated attack to identify security ... |
| 8.3.8.8 | Audit integration of user identity and a... | Reviewing the processes responsible for integration of user identity and access authorization in ord... |