Monitoring frequency


The organization will develop, disseminate, and review: 1) a formal monitoring frequency standard that addresses purpose, scope, and compliance; and 2) formal procedures to facilitate implementing the policy. [UCF ID 00642]

Supporting and supported controls

This control directly supports:

Operationalizing key monitoring and logging concepts [UCF Control ID 00638]

This control has the following supporting controls:

There are no supporting controls.

Authority documents complied with:

• BIS Sound Practices for the Management and Supervision of Operational Risk ¶ 28
• FFIEC IT Examination Handbook – Supervision of Technology Service Providers Pg 16, Pg 18
• The Standard of Good Practice for Information Security SM7.2.1, CI5.5.4(d), SD2.3.4(d)
• VISA E-Commerce Merchants Guide to Risk Management Pg. 54
• Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 § 10.6
• Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 § 10.6
• ISO 15489-1, Information and Documentation: Records management: General § 10
• The DIRKS Manual: A Strategic Approach to Managing Business Information G.4.1.5
• Sarbanes-Oxley Act (SOX) § 104(b)
• COSO Enterprise Risk Management (ERM) Framework Pg. 81
• Turnbull Guidance on Internal Control, UK FRC ¶ 27

Sarbanes Oxley Guidance

§ 104(b) of the Sarbanes-Oxley Act (SOX) states that public accounting firms that provide audit reports for more than 100 issuers must be inspected annually. If the firm provides audit reports for 100 or fewer issuers, it must be inspected not less than once every 3 years.

Banking and Finance Guidance

The FFIEC IT Examination Handbook – Supervision of Technology Service Providers Pg 16, Pg 18 states that examiners should continuously monitor the status of the service provider between examinations through off-site and/or informal reviews. At least one review should be conducted between each scheduled examination. The review should identify changes in management, new products, and mergers and acquisitions. The review should follow up on any issues or concerns identified during the examination.

Credit Card Guidance

The VISA E-Commerce Merchants Guide to Risk Management Pg. 54 states that the organization should monitor transactions and authorizations on a daily basis. If the organization submits the transactions in batches, it should check the transactions for completeness and accuracy before they are submitted for approval.

§ 10.6 of Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures Version 1.2 states that the organization must ensure all logs are reviewed on a daily basis. Logging tools may be used to meet this requirement.

§ 10.6 of Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers Version 1.2 October 2008 states that the organization must ensure all logs are reviewed on a daily basis. Logging tools may be used to meet this requirement.

Metrics

The metrics associated with this control are as follows:

• Metric Reporting Standard 02103.doc


Site and content © Copyright 2003-2008 Network Frontiers, LLC. All rights reserved.