UCF ID: 01406
Control Type: Process or Activity
Status: Live
Supporting and supported controls
This control directly supports:
• Operational management [UCF Control ID 00805]
This control has the following supporting controls:
• Establish a set of key policies to support confidentiality, integrity, availability, and accountability. [UCF Control ID 00812]
• Document all policies and procedures. [UCF Control ID 00824]
• Establish and maintain the standards necessary to implement policies. [UCF Control ID 00829]
• Establish and maintain formalized operations procedures. [UCF Control ID 00831]
• Establish and maintain Service Level Agreements (SLAs) with each service provider. [UCF Control ID 00838]
• Establish and maintain a positive information control environment. [UCF Control ID 00813]
• Ensure management is responsible for all policies. [UCF Control ID 00814]
• Ensure all organizational policies are communicated and disseminated throughout the organization. [UCF Control ID 00815]
• Ensure resources are available to implement organizational policies, standards, and procedures. [UCF Control ID 00816]
• Maintain policies by regularly reviewing them and updating them, as necessary. [UCF Control ID 00817]
• Comply with all policies, standards, and procedures. [UCF Control ID 00818]
• Promote continuous quality commitment in the organization. [UCF Control ID 00819]
• Establish and maintain confidentiality and nondisclosure agreements. [UCF Control ID 04536]
Authority documents complied with:
AICPA/CICA Privacy Framework, ID 1.1.0, ID 2.2.3, ID 3.1.0; COSO Enterprise Risk Management (ERM) Integrated Framework (2004), Pg 63; SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement, § 314.89; Safety and Soundness Standards, Appendix of OCC 12 CFR 30, App A § I.ii; Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000, Pg 86, Obj 2 (Policy); Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework, ¶ 115; FFIEC IT Examination Handbook – Audit, August 2003, Exam Tier II Obj C.1; FFIEC IT Examination Handbook – Business Continuity Planning, March 2008, Exam Tier I Obj 8.3; FFIEC IT Examination Handbook – E-Banking, August 2003, Obj 2.2; FFIEC IT Examination Handbook – Information Security, Exam Tier I Obj 2.7; FFIEC IT Examination Handbook – Management, Pg 26; FFIEC IT Examination Handbook – Operations, July 2004, Exam Tier I Obj 4.4; FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004, Pg 22; System Security Plan (SSP) Procedure, Version 1.0, § 2.1; Introductory Resource Guide for HIPAA NIST SP 800-66, § 4.7; FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, § 3; IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information, Exhibit 4 PL-1; Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996, § 3.1; Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3, App F § PL-1, App G § PM-3; Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008, PL-1; IIA Global Technology Audit Guide (GTAG): Information Technology Controls, § 5.3.1; ISF Security Audit of Networks, Pg 37; The Standard of Good Practice for Information Security, CI1.1.4(a), NW1.1.4(a); ISO/IEC 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008, § 16.1; ISO/IEC 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005, § 8.3.3, § 9.3.3, § 9.3.5; ISO/IEC 27001 Information Security Management Systems - Requirements, 2005, § 4.2.1(b), § 5.1; OECD Principles of Corporate Governance, 2004, § I; The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003, ¶ V.1.3; Australian Government ICT Security Manual (ACSI 33), § 2.2.11; OMB Circular A-123 Management’s Responsibility for Internal Control, § I, § II.C; Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control, Pg 25; Austria Data Protection Act, § 14(6); Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1, § 14.1 thru § 14.1.2; Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009, § 4.4.4; ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008, § 6.3.14; Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft), § 3.1; Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5, Sched 1 Clause 4.1.4; Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3, ¶ 35; ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004, § 5.2.2, § 6.2; ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000, ¶ 8.2.4, ¶ 9.2 Table Row “Operational Procedures”, ¶ 9.2 Table Row “System Planning”, ¶ 9.2 Table Row “Network Configuration”, ¶ 9.2 Table Row “Network Segregation”, ¶ 9.2 Table Row “Network Monitoring”, ¶ 9.2 Table Row “Intrusion Detection”; ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001, ¶ 13.2, ¶ 13.2.1
Sarbanes Oxley Guidance
The organization should develop policies, either written or oral. The policies should be implemented thoughtfully and consistently. [Pg 63, COSO Enterprise Risk Management (ERM) Integrated Framework (2004)]
The auditor should examine the policies and procedures used by the organization to ensure that management's directives are followed. [§ 314.89, SAS 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement]
Management has the responsibility to develop and maintain effective policies and procedures to assure that any weaknesses would be prevented or detected. The policies and procedures should help to ensure that all objectives of the organization are met. [§ I, § II.C, OMB Circular A-123 Management’s Responsibility for Internal Control]
The organization should develop policies, procedures, and controls to ensure that all applicable regulations and directives are being followed. [Pg 25, Implementation Guide for OMB Circular A-123 Management’s Responsibility for Internal Control]
Banking and Finance Guidance
The organization should develop operational and managerial standards for internal controls, internal audit systems, and information systems. [App A § I.ii, Safety and Soundness Standards, Appendix of OCC 12 CFR 30]
The organization should develop policies to comply with the requirements of the Bank Secrecy Act (BSA). [Pg 86, Obj 2 (Policy), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]
The organization should implement robust procedures and policies to control residual risks. [¶ 115, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework]
[Exam Tier II Obj C.1, FFIEC IT Examination Handbook – Audit, August 2003]
[Exam Tier I Obj 8.3, FFIEC IT Examination Handbook – Business Continuity Planning, March 2008]
[Obj 2.2, FFIEC IT Examination Handbook – E-Banking, August 2003]
[Exam Tier I Obj 2.7, FFIEC IT Examination Handbook – Information Security]
The specific requirements for internal controls should be identified in the organization's policies, procedures, and standards in order to establish an auditable baseline. [Pg 26, FFIEC IT Examination Handbook – Management]
[Exam Tier I Obj 4.4, FFIEC IT Examination Handbook – Operations, July 2004]
The operational policies and controls of the organization should cover all critical and core systems supporting the wholesale payment activities. The procedures and controls should include business continuity planning, physical and logical security, and vendor management. [Pg 22, FFIEC IT Examination Handbook – Wholesale Payment Systems, July 2004]
Verify that the compliance policy addresses independent testing. [Pg 86, Obj 2 (Policy), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]
Verify that the compliance policy addresses training. [Pg 86, Obj 2 (Policy), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]
Verify that the compliance policy addresses designating a compliance officer. [Pg 86, Obj 2 (Policy), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]
Verify that the compliance policy addresses reporting requirements. [Pg 86, Obj 2 (Policy), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000]
Healthcare and Life Science Guidance
Policies, principles, and references need to be created to support major and minor applications, general support systems, and “other” systems. [§ 2.1, System Security Plan (SSP) Procedure, Version 1.0]
The organization should establish the organizational framework, roles and responsibilities for this area. [§ 4.7, Introductory Resource Guide for HIPAA NIST SP 800-66]
Payment Card Guidance
An implementation guide should be developed, maintained, and disseminated to resellers, customers, and integrators addressing all the requirements in this document. The guide should be reviewed annually and updated when changes are made to the software or the requirements. [§ 14.1 thru § 14.1.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1]
US Federal Security Guidance
Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems. [§ 3, FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006]
Management should adopt and enforce appropriate policies and procedures to manage risk related to a bank's use of technology. [¶ 35, Technology Risk Management Guide for Bank Examiners – OCC Bulletin 98-3]
US Internal Revenue Guidance
The organization must develop, document, and distribute a security planning policy and procedures for implementing security planning controls. [Exhibit 4 PL-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information]
NIST Guidance
Policy is senior management’s directives to create a computer security program, establish its goals, and other managerial decisions. [§ 3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996]
App F § PL-1 The organization must develop, document, disseminate, implement, and periodically review and update a security planning policy and procedures that address purpose, scope, roles, responsibilities, management commitment, coordination within the organization, and compliance.
App G § PM-3 The organization must establish and maintain information security resource policies and procedures that ensure all capital planning and investment requests include the resources needed to implement the information security program and document any exceptions; establish a record of the resources required; and ensure that information security resources are available for expenditure as planned. [App F § PL-1, App G § PM-3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53, Revision 3]
Organizational records and documents should be examined to ensure the security planning policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined for the implementation of the security planning policy and procedures control. Any problems discovered during the implementation of the security planning policy and procedures control should be documented and used to improve the controls. The security planning policy and procedures should be examined for purpose, scope, and responsibilities; compliance with laws, regulations, and directives; and consistency with the organization's mission and function.
Interviews should be conducted with personnel who review, update, and maintain security plans. [PL-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A, July 2008]
The organization should have a contingency planning policy statement that defines the organization’s overall contingency objectives and establishes the organizational framework and responsibilities for system contingency planning. [§ 3.1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft)]
ISO Guidance
The Administrators Guide should include the following: a description of the administrative functions and interfaces; procedures on how to securely administer the product; a list of the security parameters and their values that the Administrator has control over; procedures on how to change security characteristics; a description of all possible security-relevant events; and a description of all security requirements that are applicable to the Administrator. [§ 16.1, ISO/IEC 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008]
The security requirements documentation should contain labeling and descriptive information in the introduction to allow for identification, registration, cataloging, and cross-referencing; describe the security requirements in narrative form; be understandable to the target audience; and be consistent throughout the document in terms of content, writing, and formatting. All security requirements should be identified by title and version number and examined to ensure security objectives are listed, and operations should identify the security requirements and work within the bounds of the requirements. [§ 8.3.3, § 9.3.3, § 9.3.5, ISO/IEC 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005]
The organization's management should establish an Information Security Management System (ISMS) policy. The ISMS should provide objectives and direction for the organization's information security policy. [§ 4.2.1(b), § 5.1, ISO/IEC 27001 Information Security Management Systems - Requirements, 2005]
Facilities, procedures, and policies that have been implemented should be operational 24x7. [§ 6.3.14, ISO/IEC 24762 Information technology — Security techniques — Guidelines for information and communications technology disaster recovery services, 2008]
§ 5.2.2 An organization should include ICT security as a component of all planning, implementation and operational activities. Protection should continue throughout the life cycle of information and ICT systems, from planning to acquisition, testing and operation.
An organizational structure should support ICT security, based on standards, throughout the organization. Standards may include international, national, regional, industry sector, and corporate standards or rules, selected and applied according to the ICT security needs of the organization. Technical standards need to be complemented by rules and guidelines on their implementation and use.
The benefits of using standards include:
• integrated security,
• interoperability,
• consistency,
• portability,
• economies of scale, and
• interworking between organizations.
§ 6.2 An organization should take into account the culture and the environment in which the organization operates, as these may have a significant effect on the overall approach to security. In addition, the culture and environment can have an impact on those that are responsible for the protection of specific parts of the organization. In some instances the government is considered to be responsible and discharges this responsibility by the enactment and enforcement of laws. In other instances it is the owner or manager who is considered responsible. This issue may have a considerable influence on the approach adopted. [§ 5.2.2, § 6.2, ISO/IEC 13335-1, Information technology — Security techniques — Management of information and communications technology security — Part 1: Concepts and models for information and communications technology security management, 2004]
¶ 8.2.4 Network Management. An organization should implement safeguards to achieve network management, which includes planning, operation and administration of networks. The proper configuration and administration of networks is an effective means to reduce risks. Safeguards in the area of network management are listed below.
1. Operational Procedures
The establishment of operational procedures and responsibilities is necessary to ensure the correct and secure operation of networks. This includes the documentation of the operating procedures and the establishment of procedures to react to security relevant incidents.
2. System Planning
In order to ensure reliable functioning and adequate network capacity, advanced planning and preparation, and monitoring (including of loading statistics) should be implemented. Acceptance criteria for new systems should be applied and changes should be controlled and reacted to.
3. Network Configuration
An appropriate network configuration should be implemented for reliable functioning. This includes a standardized approach to the configuration of servers throughout the organization, and good documentation. Servers used for special purposes should be used only for those purposes (e.g., no other tasks should run on a firewall), and sufficient protection against failure should be in place.
4. Network Segregation
In order to minimize the risks and the possibilities of misuse in an operational network, business areas dealing with critical business issues and information should be kept separate, logically or physically. Development facilities should also be separated from operational facilities.
5. Network Monitoring
Network monitoring should be used to identify weaknesses in the existing network configuration. It allows reconfiguration based on traffic analysis and helps to identify attackers.
6. Intrusion Detection
Attempts to gain entry to systems or networks and successful unauthorized entry should be detected so that the organization can respond in an appropriate and effective manner.
¶ 10.3.4 Masquerading of user identity. An organization should implement safeguards to prevent masquerading of user identity, which can be used to circumvent authentication and every service and security function that depends on it. Consequently, it can lead to integrity problems whenever the masquerade allows access to and modification of information. Safeguards in this area are listed below.
• I&A (Identification & Authentication): Masquerade becomes more difficult if I&A (Identification & Authentication) safeguards are based on combinations of something known, something possessed, and intrinsic characteristics of users.
• Logical access control and audit: Logical access control cannot distinguish between an authorized user and somebody masquerading as this authorized user, but the use of access control mechanisms in place can reduce the area of impact. Review and analysis of audit logs can detect unauthorized activities.
• Protection against malicious code: One way to acquire passwords is to introduce malicious code that captures them; protection against such software should be in place.
• Network management: Implement network management to prevent unauthorized access by masquerading as a user in traffic, e.g. e-mail.
• Data integrity protection: Additional protection can be provided using cryptographic means like digital signatures.
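The "logical access control and audit" safeguard above relies on log review to catch a masquerade after the fact. The following added example (not part of the UCF page or of ISO/IEC 13335-4) shows what that review looks like in practice: it runs over a constructed authentication log and flags two patterns that usually mean a credential is in the wrong hands: one account succeeding from two different source addresses inside a short window, and a success that follows a burst of failures from the same source (a guessed or captured password). The log format, field names, thresholds and sample lines are all assumptions made for the example; it also lists successes without the second factor the I&A bullet calls for.

```python
"""Audit-log review for user masquerading (added example).

Log format and sample lines below are constructed for this example:
  <ISO-8601 timestamp> <user> <source IP> <success|failure> mfa=<yes|no>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, not real data.
SAMPLE_LOG = """\
2009-03-02T08:00:05 alice 10.1.1.20 success mfa=yes
2009-03-02T08:01:10 alice 10.1.1.20 success mfa=yes
2009-03-02T08:03:42 alice 203.0.113.7 success mfa=no
2009-03-02T08:10:00 bob 10.1.1.31 failure mfa=no
2009-03-02T08:10:04 bob 10.1.1.31 failure mfa=no
2009-03-02T08:10:09 bob 10.1.1.31 failure mfa=no
2009-03-02T08:10:15 bob 10.1.1.31 failure mfa=no
2009-03-02T08:10:21 bob 10.1.1.31 success mfa=no
2009-03-02T09:00:00 carol 10.1.1.40 success mfa=yes
"""


def parse_log(text):
    """Parse the constructed format into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result, mfa = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "user": user,
            "src": src,
            "ok": result == "success",
            "mfa": mfa == "mfa=yes",
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_concurrent_sources(events, window=timedelta(minutes=10)):
    """Same account succeeding from two different sources within `window`.

    Returns (user, earlier_src, new_src, timestamp) tuples.
    """
    findings = []
    recent_by_user = defaultdict(list)  # user -> [(ts, src)] of recent successes
    for e in events:
        if not e["ok"]:
            continue
        recent = [(t, s) for t, s in recent_by_user[e["user"]] if e["ts"] - t <= window]
        for t, s in recent:
            if s != e["src"]:
                findings.append((e["user"], s, e["src"], e["ts"]))
                break
        recent.append((e["ts"], e["src"]))
        recent_by_user[e["user"]] = recent
    return findings


def find_success_after_failures(events, threshold=3, window=timedelta(minutes=5)):
    """A success preceded by >= `threshold` failures for the same (user, source).

    Returns (user, src, failure_count, timestamp) tuples.
    """
    findings = []
    failures = defaultdict(list)  # (user, src) -> failure timestamps
    for e in events:
        key = (e["user"], e["src"])
        if not e["ok"]:
            failures[key].append(e["ts"])
            continue
        recent = [t for t in failures[key] if e["ts"] - t <= window]
        if len(recent) >= threshold:
            findings.append((e["user"], e["src"], len(recent), e["ts"]))
        failures[key] = []  # a success closes the guessing window
    return findings


def find_no_mfa(events):
    """Successful logins that did not present a second factor."""
    return [(e["user"], e["src"], e["ts"]) for e in events if e["ok"] and not e["mfa"]]


def review(text):
    events = parse_log(text)
    return {
        "concurrent": find_concurrent_sources(events),
        "guessed": find_success_after_failures(events),
        "no_mfa": find_no_mfa(events),
    }


if __name__ == "__main__":
    for kind, hits in review(SAMPLE_LOG).items():
        for hit in hits:
            print(kind, *hit)
```

On the sample log this reports alice's account in use from 10.1.1.20 and 203.0.113.7 within three minutes, bob's success after four failures from one source, and the two successes that lacked a second factor. The windows and thresholds are tuning knobs; the point is that each finding names the account, the source and the time, which is what an incident handler needs to act on it.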
¶ 10.4.15 Traffic overloading. An organization should implement safeguards that prevent traffic overloading, which threatens the availability of information communicated via these services. Safeguards to protect the availability are listed below.
• Redundancy and Back-ups: Redundant implementation of communication services components can be used to lower the probability of traffic overloading. Depending on the maximal acceptable downtime, standby equipment may also be used to fulfill the requirements. In any case, configuration and layout data should be backed up to ensure availability in case of an emergency.
• Network management: The proper configuration, management and administration of networks and communication services should be used to avoid overloading.
• Network management: Network security can be applied to protect against traffic overloading.
¶ 10.4.16 Transmission errors. An organization should implement safeguards that prevent transmission errors, which can destroy the availability of the information transmitted. Safeguards to protect availability are listed below.
• Cabling: Careful planning and laying of cables can avoid transmission errors, for example, if the error is caused by overloading.
• Network management: Network management cannot protect against transmission errors but can be used to recognize problems occurring from transmission errors and to raise alarms in such cases. This allows timely reaction to these problems.
¶ 9.2 Table Row “Operational Procedures” in safeguard Network Management should be implemented under normal circumstances for Servers or Workstations with Shared Resources Connected to a Network.
¶ 9.2 Table Row “System Planning” in safeguard Network Management should be implemented under normal circumstances for Servers or Workstations with Shared Resources Connected to a Network.
¶ 9.2 Table Row “Network Configuration” in safeguard Network Management should be implemented under normal circumstances for Servers or Workstations with Shared Resources Connected to a Network.
¶ 9.2 Table Row “Network Segregation” in safeguard Network Management should be implemented under normal circumstances for Servers or Workstations with Shared Resources Connected to a Network.
¶ 9.2 Table Row “Network Monitoring” in safeguard Network Management should be implemented under normal circumstances for Servers or Workstations with Shared Resources Connected to a Network.
¶ 9.2 Table Row “Intrusion Detection” in safeguard Network Management should be implemented under normal circumstances for Servers or Workstations with Shared Resources Connected to a Network. [¶ 8.2.4, ¶ 9.2 Table Row “Operational Procedures”, ¶ 9.2 Table Row “System Planning”, ¶ 9.2 Table Row “Network Configuration”, ¶ 9.2 Table Row “Network Segregation”, ¶ 9.2 Table Row “Network Monitoring”, ¶ 9.2 Table Row “Intrusion Detection”, ISO/IEC 13335-4 Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards, 2000]
¶ 13.2 Secure Service Management should be implemented for network security.
¶ 13.2.1 Introduction to Secure Service Management. A key security requirement for any network is that it is supported by secure service management activities, which will initiate and control the implementation, and operation, of security. These activities should take place to ensure the security of all of an organization's IT. With regard to network connections, management activities should include:
• definition of all responsibilities related to the security of network connections, and designation of a security manager with overall responsibility,
• documented system security policy, and accompanying documented technical security architecture,
• documented security operating procedures (SecOPs),
• the conduct of security compliance checking, to ensure security is maintained at the required level,
• documented security conditions for connection to be adhered to before connection to an organization or community is permitted,
• documented security conditions for users of network services,
• a security incident handling scheme,
• documented and tested business continuity/disaster recovery plans. [¶ 13.2, ¶ 13.2.1, ISO/IEC 13335-5 Information technology — Guidelines for the management of IT Security — Part 5: Management guidance on network security, 2001]
General Guidance
The organization should develop privacy policies and make them available to appropriate individuals. The privacy policies should be documented in clear and plain language and should include the choices individuals have and how consent should be obtained. [ID 1.1.0, ID 2.2.3, ID 3.1.0, AICPA/CICA Privacy Framework]
All organizations need to define their aims and objectives through strategic plans and policy statements. “Without clear statements of policy and standards for direction, organizations can become disoriented and perform ineffectively. Organizations with clearly defined aims and objectives tend to be successful.” The section further states that for some smaller organizations a single policy statement might suffice, but for larger organizations there will most likely be a need for multiple policy statements. [§ 5.3.1, IIA Global Technology Audit Guide (GTAG): Information Technology Controls]
Control questionnaires should be used to assess the extent to which controls have been implemented in a communications network. The questionnaires are normally grouped by subject or theme, with respondents required to indicate whether they comply with each control listed, or to what degree of compliance or maturity. [Pg 37, ISF Security Audit of Networks]
All policies and procedures should be consistent throughout the organization. [CI1.1.4(a), NW1.1.4(a), The Standard of Good Practice for Information Security]
The organizational resilience management system documentation must include the organizational resilience management policy, the objectives, the targets, a description of the system's scope, a description of the system's main elements and how they integrate with related documents, the documents and records required by this Standard, and the documents and records the organization determines are necessary for effective planning, operation, and process control relating to its significant risks. [§ 4.4.4, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009]
EU Guidance
The organization should develop a corporate governance framework. This framework should be consistent with applicable laws and regulations and ensure the responsibilities between the different authorities are clearly stated. [§ I, OECD Principles of Corporate Governance, 2004]
UK and Canadian Guidance
The organization must implement policies and practices, including implementing procedures for protecting personal information; establishing procedures for receiving and responding to inquiries and complaints; communicating to and training staff about the practices and policies of the organization; and developing information to explain the organization's procedures and policies. [Sched 1 Clause 4.1.4, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5]
Other European and African Guidance
The Management Board must establish and maintain procedures to ensure all major financial information is reported to the Management Board in a timely manner without losing its integrity. [¶ V.1.3, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003]
Data security regulations must be issued and made available to all employees, so that they can review them at any time. [§ 14(6), Austria Data Protection Act]
Asia and Pacific Rim Guidance
The organization should create a document describing the documentation framework. It should include a hierarchical list of all security documents. [§ 2.2.11, Australian Government ICT Security Manual (ACSI 33)]
Metrics
The metrics associated with this control are as follows:
• Report on the percentage of key IT assets for which an assurance strategy has been implemented. [UCF Control ID 01657]
• Report on the percentage of key organizational functions for which an assurance strategy has been implemented. [UCF Control ID 01658]
• Report on the percentage of key external requirements for which an assurance strategy has been implemented. [UCF Control ID 01659]
• Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. [UCF Control ID 01679]
• Report on the percentage of systems for which approved configuration settings have been implemented as required by policy. [UCF Control ID 02097]
• Report on the percentage of systems for which event and activity logging has been implemented in accordance with policy. [UCF Control ID 02102]
• Report on the percentage of systems for which log size and retention duration have been implemented in accordance with policy. [UCF Control ID 02104]
Copyright 2005-2009 Unified Compliance Framework™. All rights reserved.
