Establish, implement, and maintain a corrective action plan., CC ID: 00675
Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary., CC ID: 00676
Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis., CC ID: 12330
Report known security issues to interested personnel and affected parties on a regular basis., CC ID: 12329
Protect against misusing automated audit tools., CC ID: 04547
Provide intelligence support to the organization, as necessary., CC ID: 14020
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
§ 7.6: The organization shall determine what measuring and monitoring devices are needed to monitor and measure the product to provide evidence that it conforms to the requirements. The organization shall establish procedures to execute monitoring and measurement in such a way to be consistent with… (§ 7.6, § 8.1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
The organization should measure risk management performance; periodically measure risk management progress; periodically review the risk management framework, policy, and plan; report on risk, the risk management plan progress, and the degree to which the risk management policy is being followed; an… (§ 4.5, ISO 31000 Risk management -- Principles and guidelines, 2009)
The organization must include the following in the information system continuous monitoring activities: information system component controls; configuration management; on-going security control assessment; security impact analyses of system changes; and status reporting. (CSR 1.9.7, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)