V Infrastructure

Action Summary


Management should implement an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity’s business objectives. Management should develop, document, and implement infrastructure control policies, standards, and procedures to safeguard facilities, technology, data, and personnel. IT infrastructure implementation practices should include redundancy and resilience for physical infrastructure elements and related products, services, and telecommunications.


Examiners should review for the following:


  • Processes to identify, track, and monitor infrastructure components.
  • Contractual arrangements addressing infrastructure, if applicable.
  • Sufficient resources with infrastructure knowledge, skills, and expertise.
  • Network configuration management and change control processes.
  • Security and monitoring processes to analyze data traffic and detect anomalous activity.
  • Software planning to address:
    • Scalability, interoperability, and portability.
    • Adequate software controls.
    • Use of and controls over open source software.
  • Mainframe controls, if applicable, to address unique risks associated with mainframes.
  • Security controls for the use of application programming interfaces (APIs).
  • Environmental and physical access controls.


As previously stated, infrastructure refers to the physical elements, products, and services necessary to provide and maintain ongoing operations to support business activity and includes the maintenance of physical facilities. IT infrastructure includes hardware, network and telecommunications, software, IT environmental controls (e.g., power and HVAC), and physical access that allow for an enterprise IT environment’s operation and management. IT infrastructure implementation should include considerations for server and data redundancy and resilience of telecommunications lines. Planning and designing an effective IT architecture facilitates management’s ability to implement an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability and supports the entity’s business operations. IT infrastructure may be managed internally or externally by a third-party service provider, including a cloud service provider.

