0003192
Final Report on EBA Guidelines on outsourcing arrangements
European Banking Authority
Regulation or Statute
Free
EBA/GL/2019/02
2019-02-25
The document as a whole was last reviewed and released on 2020-08-03T00:00:00-0700.
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within Final Report on EBA Guidelines on outsourcing arrangements that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for Final Report on EBA Guidelines on outsourcing arrangements are based upon terms found within the Authority Document’s defined terms section (which most legal documents have), its glossary, and, for the most part, the terms tagged within each mandate. The terms with links are the standardized version of the term.
An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Common Control (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | TYPE | CLASS | |
---|---|---|---|
Acquisition or sale of facilities, technology, and services CC ID 01123 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorised; 4.4 31(a) {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation by a competent authority, as referred to in Section 12.1. 4.4 29(c) {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a) Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is authorised or registered by a competent authority to perform such banking activities or payment services; or 4.12.1 62(a)] | Business Processes | Preventive | |
Establish, implement, and maintain expedited recredit procedures. CC ID 13574 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain payment systems. CC ID 13539 | Business Processes | Preventive | |
Document the business need justification for payment page scripts. CC ID 15480 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 | Business Processes | Preventive | |
Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 | Business Processes | Preventive | |
Employ Remote Deposit Capture systems, as necessary. CC ID 13570 | Configuration | Preventive | |
Include liquidity plans in the payment and settlement functions. CC ID 16722 | Process or Activity | Preventive | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Business Processes | Preventive | |
Determine whether the financial institution uses positive pay for electronic check presentment. CC ID 13562 | Investigate | Detective | |
Define risk levels for Automated Clearing House activities, as necessary. CC ID 13542 | Business Processes | Preventive | |
Determine Automated Clearing House exposure limits, as necessary. CC ID 13549 | Business Processes | Preventive | |
Adjust the originator's activity levels to match Automated Clearing House exposure limits, as necessary. CC ID 13565 | Business Processes | Corrective | |
Adjust the originator's credit rating to match Automated Clearing House exposure limits, as necessary. CC ID 13564 | Business Processes | Corrective | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 | Technical Security | Preventive | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Business Processes | Preventive | |
Restrict transaction activities, as necessary. CC ID 16334 | Business Processes | Preventive | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Communicate | Preventive | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Business Processes | Preventive | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Business Processes | Preventive | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Business Processes | Preventive | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Establish/Maintain Documentation | Preventive | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Business Processes | Preventive | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Configuration | Preventive | |
Protect the integrity of application service transactions. CC ID 12017 | Business Processes | Preventive | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Data and Information Management | Preventive | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Business Processes | Preventive | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Communicate | Preventive | |
Bill and settle electronic commerce transactions. CC ID 08622 | Business Processes | Preventive | |
Notify affected parties after successful card-not-present transactions. CC ID 13668 | Communicate | Preventive | |
Deliver incoming and outgoing electronic commerce transactions and messages to the correct Internet Protocol address. CC ID 08620 | Business Processes | Preventive | |
Use a risk-based approach to following up situations where customer notifications regarding electronic commerce transactions cannot be delivered. CC ID 13663 | Business Processes | Corrective | |
Disseminate and communicate transaction exceptions to consumers. CC ID 08619 | Business Processes | Preventive | |
Make electronic commerce order information available to the customer who ordered the product. CC ID 04585 | Data and Information Management | Preventive | |
Correct billing and settlement errors. CC ID 08623 | Business Processes | Corrective | |
Withhold payment and settlement functions, as necessary. CC ID 15460 | Business Processes | Preventive | |
Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 | Behavior | Preventive | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition/Sale of Assets or Services | Preventive | |
Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Establish/Maintain Documentation | Preventive | |
Include security requirements in system acquisition contracts. CC ID 01124 | Establish/Maintain Documentation | Preventive | |
Include operational requirements in system acquisition contracts. CC ID 00825 [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function; 4.4 29(b)] | Establish/Maintain Documentation | Preventive | |
Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [{not authorized} The outsourcing policy should differentiate between the following: outsourcing to service providers that are authorised by a competent authority and those that are not; 4.7 43(b)] | Establish/Maintain Documentation | Preventive | |
Install software that originates from approved third parties. CC ID 12184 | Technical Security | Preventive | |
Common Control (KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term; Mandated - bold, Implied - italic, Implementation - regular) | TYPE | CLASS | |
---|---|---|---|
Audits and risk management CC ID 00677 | IT Impact Zone | IT Impact Zone | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Establish Roles | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Establish Roles | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97] | Audits and Risk Management | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Establish/Maintain Documentation | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Establish/Maintain Documentation | Preventive | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c)] | Testing | Detective | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Establish/Maintain Documentation | Preventive | |
Review the external auditor's qualifications. CC ID 01197 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the aptitude of the certifying or auditing party (e.g. with regard to rotation of the certifying or auditing company, qualifications, expertise, reperformance/verification of the evidence in the underlying audit file); 4.13.3 93(e)] | Audits and Risk Management | Preventive | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 [{third party audit report} {are sufficient} For the outsourcing of critical or important functions, institutions and payment institutions should assess whether third-party certifications and reports as referred to in paragraph 91(b) are adequate and sufficient to comply with their regulatory obligations and should not rely solely on these reports over time. 4.13.3 92] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Establish/Maintain Documentation | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 | Establish Roles | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and Risk Management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and Risk Management | Detective | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [When performing audits in multi-client environments, care should be taken to ensure that risks to another client's environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated. 4.13.3 96] | Behavior | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Establish/Maintain Documentation | Preventive | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and Risk Management | Preventive | |
Establish and maintain audit terms. CC ID 13880 [{third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g)] | Establish/Maintain Documentation | Preventive | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Process or Activity | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Establish/Maintain Documentation | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Establish/Maintain Documentation | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and Risk Management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and Risk Management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and Risk Management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and Risk Management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and Risk Management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and Risk Management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and Risk Management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Establish/Maintain Documentation | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Establish/Maintain Documentation | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Establish/Maintain Documentation | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and Risk Management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Establish/Maintain Documentation | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Establish/Maintain Documentation | Preventive | |
Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 | Establish/Maintain Documentation | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Establish/Maintain Documentation | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Establish/Maintain Documentation | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Establish/Maintain Documentation | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Establish/Maintain Documentation | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Establish/Maintain Documentation | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Establish/Maintain Documentation | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Establish/Maintain Documentation | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Establish/Maintain Documentation | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Establish/Maintain Documentation | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Establish/Maintain Documentation | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Establish/Maintain Documentation | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Establish/Maintain Documentation | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Establish/Maintain Documentation | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Establish/Maintain Documentation | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Establish/Maintain Documentation | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Establish/Maintain Documentation | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Establish/Maintain Documentation | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and Risk Management | Detective | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Establish/Maintain Documentation | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Establish/Maintain Documentation | Preventive | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and Risk Management | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Business Processes | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and Risk Management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and Risk Management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that key systems and controls are covered in future versions of the certification or audit report; 4.13.3 93(d) {access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Establish/Maintain Documentation | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 | Establish/Maintain Documentation | Preventive | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Investigate | Preventive | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Establish/Maintain Documentation | Preventive | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Establish/Maintain Documentation | Preventive | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Establish/Maintain Documentation | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Establish/Maintain Documentation | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and Risk Management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Establish/Maintain Documentation | Preventive | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and Risk Management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Establish/Maintain Documentation | Preventive | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Establish/Maintain Documentation | Preventive | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Establish/Maintain Documentation | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and Risk Management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Establish/Maintain Documentation | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Establish/Maintain Documentation | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Establish/Maintain Documentation | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Establish/Maintain Documentation | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Establish/Maintain Documentation | Preventive | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Establish/Maintain Documentation | Preventive | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Establish/Maintain Documentation | Preventive | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Establish/Maintain Documentation | Preventive | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Establish/Maintain Documentation | Preventive | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Establish/Maintain Documentation | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Establish/Maintain Documentation | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Establish/Maintain Documentation | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Establish/Maintain Documentation | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Establish/Maintain Documentation | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Establish/Maintain Documentation | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Establish/Maintain Documentation | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Establish/Maintain Documentation | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Establish/Maintain Documentation | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Establish/Maintain Documentation | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Establish/Maintain Documentation | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Establish/Maintain Documentation | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Establish/Maintain Documentation | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Establish/Maintain Documentation | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Establish/Maintain Documentation | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Establish/Maintain Documentation | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Establish/Maintain Documentation | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Establish/Maintain Documentation | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Establish/Maintain Documentation | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Establish/Maintain Documentation | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Communicate | Preventive | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Establish/Maintain Documentation | Preventive | |
Include how access to in scope systems, personnel and in scope records is provided to the auditor in the audit terms. CC ID 06988 | Establish/Maintain Documentation | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Establish/Maintain Documentation | Preventive | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Establish/Maintain Documentation | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Establish/Maintain Documentation | Corrective | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Communicate | Preventive | |
Include materiality levels in the audit terms. CC ID 01238 | Establish/Maintain Documentation | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Establish/Maintain Documentation | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Establish/Maintain Documentation | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Business Processes | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and Risk Management | Detective | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Business Processes | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Behavior | Preventive | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and Risk Management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Business Processes | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Audits and Risk Management | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Actionable Reports or Measurements | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Establish/Maintain Documentation | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Establish/Maintain Documentation | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Establish/Maintain Documentation | Preventive | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Records Management | Preventive | |
Conduct onsite inspections, as necessary. CC ID 16199 | Testing | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and Risk Management | Detective | |
Refrain from examining forecasts and projections that do not disclose their assumptions during an audit. CC ID 13932 | Audits and Risk Management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the assessment of the criticality or importance of functions; 4.10 51(b)] | Audits and Risk Management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Investigate | Detective | |
Audit information systems, as necessary. CC ID 13010 [Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: pooled audits organised jointly with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease the organisational burden on both the clients and the service provider; 4.13.3 91(a)] | Investigate | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Investigate | Detective | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Testing | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Testing | Detective | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and Risk Management | Detective | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Process or Activity | Detective | |
Edit the audit assertion for accuracy. CC ID 07030 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Establish/Maintain Documentation | Preventive | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)] | Testing | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Process or Activity | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Testing | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Testing | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Testing | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and Risk Management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and Risk Management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and Risk Management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and Risk Management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Process or Activity | Preventive | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and Risk Management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and Risk Management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and Risk Management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Testing | Detective | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Establish/Maintain Documentation | Preventive | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Testing | Preventive | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and Risk Management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and Risk Management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and Risk Management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and Risk Management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Communicate | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Testing | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Human Resources Management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Process or Activity | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Process or Activity | Preventive | |
Identify interviewees. CC ID 16290 | Process or Activity | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Testing | Detective | |
Verify statements made by interviewees are correct. CC ID 16299 | Behavior | Detective | |
Discuss unresolved questions with the interviewee. CC ID 16298 | Process or Activity | Detective | |
Allow the interviewee to respond to explanations. CC ID 16296 | Process or Activity | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Process or Activity | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Behavior | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Process or Activity | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Process or Activity | Corrective | |
Establish and maintain work papers, as necessary. CC ID 13891 | Establish/Maintain Documentation | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Establish/Maintain Documentation | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Establish/Maintain Documentation | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Establish/Maintain Documentation | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Establish/Maintain Documentation | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Establish/Maintain Documentation | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and Risk Management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Establish/Maintain Documentation | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Establish/Maintain Documentation | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Establish/Maintain Documentation | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Establish/Maintain Documentation | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and Risk Management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and Risk Management | Preventive | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Testing | Detective | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Establish/Maintain Documentation | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Establish/Maintain Documentation | Preventive | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Testing | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Monitor and Evaluate Occurrences | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Establish Roles | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Business Processes | Preventive | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Monitor and Evaluate Occurrences | Preventive | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Business Processes | Preventive | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Process or Activity | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Establish/Maintain Documentation | Preventive | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90 {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88] | Audits and Risk Management | Preventive | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Investigate | Detective | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Business Processes | Preventive | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and Risk Management | Corrective | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and Risk Management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Establish/Maintain Documentation | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Establish/Maintain Documentation | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 | Establish/Maintain Documentation | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Establish/Maintain Documentation | Detective | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and Risk Management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and Risk Management | Preventive | |
Include audit subject matter in the audit report. CC ID 14882 | Establish/Maintain Documentation | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Establish/Maintain Documentation | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Human Resources Management | Detective | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Establish/Maintain Documentation | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Establish/Maintain Documentation | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Establish/Maintain Documentation | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Establish/Maintain Documentation | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Establish/Maintain Documentation | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Establish/Maintain Documentation | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Establish/Maintain Documentation | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Establish/Maintain Documentation | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Establish/Maintain Documentation | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Establish/Maintain Documentation | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Establish/Maintain Documentation | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 | Actionable Reports or Measurements | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Actionable Reports or Measurements | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Establish/Maintain Documentation | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Actionable Reports or Measurements | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Establish/Maintain Documentation | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Establish/Maintain Documentation | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Establish/Maintain Documentation | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Establish/Maintain Documentation | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Actionable Reports or Measurements | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Establish/Maintain Documentation | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Establish/Maintain Documentation | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Establish/Maintain Documentation | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Establish/Maintain Documentation | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Establish/Maintain Documentation | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Establish/Maintain Documentation | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Establish/Maintain Documentation | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Establish/Maintain Documentation | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Establish/Maintain Documentation | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Establish/Maintain Documentation | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Establish/Maintain Documentation | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Establish/Maintain Documentation | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Establish/Maintain Documentation | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Establish/Maintain Documentation | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Establish/Maintain Documentation | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Establish/Maintain Documentation | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Establish/Maintain Documentation | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and Risk Management | Preventive | |
Refrain from referencing other auditors' work in the audit report. CC ID 13881 | Establish/Maintain Documentation | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Establish/Maintain Documentation | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and Risk Management | Detective | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Establish/Maintain Documentation | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Establish/Maintain Documentation | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Establish/Maintain Documentation | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Establish/Maintain Documentation | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Establish/Maintain Documentation | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Establish/Maintain Documentation | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Establish/Maintain Documentation | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Establish/Maintain Documentation | Preventive | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and Risk Management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Establish/Maintain Documentation | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Establish/Maintain Documentation | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Actionable Reports or Measurements | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Establish/Maintain Documentation | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Establish/Maintain Documentation | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Establish/Maintain Documentation | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Establish/Maintain Documentation | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Establish/Maintain Documentation | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and Risk Management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Establish/Maintain Documentation | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Establish/Maintain Documentation | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and Risk Management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and Risk Management | Detective | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Establish/Maintain Documentation | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and Risk Management | Detective | |
Review past audit reports. CC ID 01155 | Establish/Maintain Documentation | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Establish/Maintain Documentation | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Establish/Maintain Documentation | Detective | |
Resolve disputes before creating the audit summary. CC ID 08964 | Behavior | Preventive | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Establish/Maintain Documentation | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Establish/Maintain Documentation | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Establish/Maintain Documentation | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Establish/Maintain Documentation | Corrective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Investigate | Detective | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Process or Activity | Detective | |
Include an audit opinion in the audit report. CC ID 07017 | Establish/Maintain Documentation | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Establish/Maintain Documentation | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Establish/Maintain Documentation | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Establish/Maintain Documentation | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Establish/Maintain Documentation | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Business Processes | Corrective | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Establish/Maintain Documentation | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Establish/Maintain Documentation | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Establish/Maintain Documentation | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Establish/Maintain Documentation | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Establish/Maintain Documentation | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Establish/Maintain Documentation | Preventive | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Establish/Maintain Documentation | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Establish/Maintain Documentation | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Establish/Maintain Documentation | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Establish/Maintain Documentation | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Establish/Maintain Documentation | Corrective | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Actionable Reports or Measurements | Preventive | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Establish/Maintain Documentation | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Establish/Maintain Documentation | Preventive | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Human Resources Management | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Log Management | Detective | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Communicate | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Communicate | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Behavior | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Establish/Maintain Documentation | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Establish/Maintain Documentation | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Establish/Maintain Documentation | Detective | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Business Processes | Preventive | |
Submit an audit report that is complete. CC ID 01145 | Testing | Detective | |
Accept the audit report. CC ID 07025 | Establish/Maintain Documentation | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Establish/Maintain Documentation | Corrective | |
Assign responsibility for remediation actions. CC ID 13622 | Human Resources Management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Actionable Reports or Measurements | Corrective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate involvement of governance bodies; and 4.10 51(d)] | Audits and Risk Management | Detective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Establish/Maintain Documentation | Preventive | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Testing | Detective | |
Evaluate the competency of auditors. CC ID 15253 | Human Resources Management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and Risk Management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain the audit plan. CC ID 01156 [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50 {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the audit plan for the outsourced function; 4.13.3 93(a)] | Testing | Detective | |
Include the audit criteria in the audit plan. CC ID 15262 | Establish/Maintain Documentation | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Establish/Maintain Documentation | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Establish/Maintain Documentation | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Establish/Maintain Documentation | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Establish/Maintain Documentation | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Establish/Maintain Documentation | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Establish/Maintain Documentation | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Establish/Maintain Documentation | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Establish/Maintain Documentation | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Establish/Maintain Documentation | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Establish/Maintain Documentation | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Communicate | Preventive | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Establish/Maintain Documentation | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Establish/Maintain Documentation | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Business Processes | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Business Processes | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 | Business Processes | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Establish/Maintain Documentation | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and Risk Management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Business Processes | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Establish/Maintain Documentation | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Establish/Maintain Documentation | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Data and Information Management | Preventive | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 [{be difficult} {substitute} Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: outsourcing to a dominant service provider that is not easily substitutable; and 4.12.2 66(a)(i) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to reintegrate the outsourced function into the institution or payment institution, if necessary or desirable; 4.4 31(i) {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: transfer the function to alternative service providers; 4.6 40(f)(i)] | Establish/Maintain Documentation | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Establish/Maintain Documentation | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Establish/Maintain Documentation | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c) With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and Risk Management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and Risk Management | Detective | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [{be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)] | Establish Roles | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Establish/Maintain Documentation | Preventive | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and Risk Management | Preventive | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Human Resources Management | Detective | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Establish/Maintain Documentation | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Establish/Maintain Documentation | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii) Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c) When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Communicate | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Communicate | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Acquisition/Sale of Assets or Services | Corrective | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Business Processes | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Business Processes | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the measures implemented by the institution or payment institution and by the service provider to manage and mitigate the risks. 4.12.2 66(d) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44 {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d) When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Business Processes | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Process or Activity | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Establish/Maintain Documentation | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Establish/Maintain Documentation | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Communicate | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Establish/Maintain Documentation | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Establish/Maintain Documentation | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Establish/Maintain Documentation | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Behavior | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Establish/Maintain Documentation | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Communicate | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Establish/Maintain Documentation | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Technical Security | Preventive | |
Document cybersecurity risks. CC ID 12281 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Establish/Maintain Documentation | Preventive | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Human Resources Management | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and Risk Management | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Establish/Maintain Documentation | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Establish/Maintain Documentation | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Establish/Maintain Documentation | Preventive | |
Document organizational risk criteria. CC ID 12277 | Establish/Maintain Documentation | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Technical Security | Preventive | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Investigate | Detective | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a)] | Audits and Risk Management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and Risk Management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and Risk Management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Establish/Maintain Documentation | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and Risk Management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Business Processes | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and Risk Management | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Establish/Maintain Documentation | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Establish/Maintain Documentation | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Establish/Maintain Documentation | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Establish/Maintain Documentation | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Establish/Maintain Documentation | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and Risk Management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Communicate | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Establish/Maintain Documentation | Preventive | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 | Testing | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Establish/Maintain Documentation | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Establish/Maintain Documentation | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Establish/Maintain Documentation | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and Risk Management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Establish/Maintain Documentation | Detective | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and Risk Management | Preventive | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 | Establish/Maintain Documentation | Detective | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and Risk Management | Preventive | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Establish/Maintain Documentation | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Communicate | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and Risk Management | Detective | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Communicate | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Business Processes | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Behavior | Preventive | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Investigate | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and Risk Management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [{outsourced services} {outsourced activities} When developing exit strategies, institutions and payment institutions should: perform a business impact analysis that is commensurate with the risk of the outsourced processes, services or activities, with the aim of identifying what human and financial resources would be required to implement the exit plan and how much time it would take; 4.15 108(b)] | Audits and Risk Management | Detective | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Establish/Maintain Documentation | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Establish/Maintain Documentation | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Establish/Maintain Documentation | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Establish/Maintain Documentation | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Establish/Maintain Documentation | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Communicate | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Establish/Maintain Documentation | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Establish/Maintain Documentation | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Business Processes | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Business Processes | Preventive | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the aggregated risks resulting from outsourcing several functions across the institution or payment institution and, in the case of groups of institutions or institutional protection schemes, the aggregated risks on a consolidated basis or on the basis of the institutional protection scheme; 4.12.2 66(b)] | Audits and Risk Management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and Risk Management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and Risk Management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b) Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44 {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the consequences of where the service provider is located (within or outside the EU); 4.12.2 68(c)] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and Risk Management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Investigate | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: 4.12.2 66(a) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the size and complexity of any business area affected; 4.4 31(f) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: 4.12.2 68(d) Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64] | Audits and Risk Management | Detective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Actionable Reports or Measurements | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and Risk Management | Detective | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Establish/Maintain Documentation | Preventive | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Investigate | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Behavior | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Establish/Maintain Documentation | Detective | |
Document the results of the gap analysis. CC ID 16271 | Establish/Maintain Documentation | Preventive | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and Risk Management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Process or Activity | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Process or Activity | Detective | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and Risk Management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 | Testing | Detective | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Establish/Maintain Documentation | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Establish/Maintain Documentation | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and Risk Management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and Risk Management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and Risk Management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Establish/Maintain Documentation | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Establish/Maintain Documentation | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Establish/Maintain Documentation | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Establish/Maintain Documentation | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Establish/Maintain Documentation | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Establish/Maintain Documentation | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Establish/Maintain Documentation | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Establish/Maintain Documentation | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Establish/Maintain Documentation | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Communicate | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and Risk Management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Establish/Maintain Documentation | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Establish/Maintain Documentation | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 | Establish/Maintain Documentation | Preventive | |
Include risk responses in the risk management program. CC ID 13195 | Establish/Maintain Documentation | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Establish/Maintain Documentation | Corrective | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Business Processes | Preventive | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Establish/Maintain Documentation | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Establish/Maintain Documentation | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Business Processes | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and Risk Management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and Risk Management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and Risk Management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Communicate | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Communicate | Preventive | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Establish/Maintain Documentation | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Establish/Maintain Documentation | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Communicate | Preventive | |
Evaluate the cyber insurance market. CC ID 12695 | Business Processes | Preventive | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Business Processes | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Business Processes | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Establish/Maintain Documentation | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Establish/Maintain Documentation | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Establish/Maintain Documentation | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Establish/Maintain Documentation | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Establish/Maintain Documentation | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Communicate | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Establish/Maintain Documentation | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Establish/Maintain Documentation | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Establish/Maintain Documentation | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Establish/Maintain Documentation | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103 When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Communicate | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)] | Human Resources Management | Preventive | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Process or Activity | Detective | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Communicate | Preventive | |
Human Resources management CC ID 00763 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a)] | Establish Roles | Preventive | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Establish Roles | Preventive | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources Management | Preventive | |
Define the scope for the security operations center. CC ID 15713 | Establish/Maintain Documentation | Preventive | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources Management | Preventive | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Behavior | Preventive | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources Management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)] | Establish Roles | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources Management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Establish/Maintain Documentation | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources Management | Preventive | |
Establish, implement, and maintain candidate selection procedures for the board of directors. CC ID 14782 | Establish/Maintain Documentation | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Establish/Maintain Documentation | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources Management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources Management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Establish Roles | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources Management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources Management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources Management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources Management | Corrective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources Management | Preventive | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources Management | Preventive | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Establish/Maintain Documentation | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources Management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources Management | Preventive | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources Management | Preventive | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Establish Roles | Preventive | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources Management | Preventive | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Establish Roles | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources Management | Preventive | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Establish Roles | Preventive | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Establish Roles | Preventive | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources Management | Preventive | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Establish Roles | Preventive | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Establish/Maintain Documentation | Preventive | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources Management | Preventive | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Establish Roles | Preventive | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Establish Roles | Preventive | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Establish Roles | Preventive | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Establish Roles | Preventive | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)] | Establish/Maintain Documentation | Preventive | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Establish Roles | Preventive | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources Management | Preventive | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources Management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources Management | Preventive | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources Management | Preventive | |
Assign a contact person to all business units. CC ID 07144 | Establish Roles | Preventive | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Business Processes | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources Management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources Management | Preventive | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources Management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources Management | Preventive | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)] | Human Resources Management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Establish/Maintain Documentation | Preventive | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97 Outsourcing should not lower the suitability requirements applied to the members of an institution's management body, directors and persons responsible for the management of the payment institution and key function holders. Institutions and payment institutions should have adequate competence and sufficient and appropriately skilled resources to ensure appropriate management and oversight of outsourcing arrangements. 4.6 37] | Testing | Detective | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources Management | Detective | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Establish Roles | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Establish Roles | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Establish/Maintain Documentation | Preventive | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources Management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources Management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Establish/Maintain Documentation | Preventive | |
Include all residences in the criminal records check. CC ID 13306 | Process or Activity | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Establish/Maintain Documentation | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources Management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources Management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Establish/Maintain Documentation | Preventive | |
Perform a drug test during personnel screening. CC ID 06648 | Testing | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources Management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources Management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources Management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Communicate | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources Management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Establish/Maintain Documentation | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources Management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources Management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources Management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Establish/Maintain Documentation | Detective | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | TYPE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
Analyze organizational objectives, functions, and activities. CC ID 00598 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b) With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Monitor and Evaluate Occurrences | Preventive | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Establish/Maintain Documentation | Preventive | |
Analyze the business environment in which the organization operates. CC ID 12798 | Business Processes | Preventive | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Process or Activity | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Process or Activity | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Process or Activity | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 | Process or Activity | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Process or Activity | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Process or Activity | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Process or Activity | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Process or Activity | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Process or Activity | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Business Processes | Preventive | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Communicate | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Monitor and Evaluate Occurrences | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Monitor and Evaluate Occurrences | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 | Business Processes | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Process or Activity | Preventive | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Monitor and Evaluate Occurrences | Preventive | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 | Business Processes | Preventive | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Monitor and Evaluate Occurrences | Preventive | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Business Processes | Preventive | |
Include society in the analysis of the external environment. CC ID 12963 | Business Processes | Preventive | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Business Processes | Preventive | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Business Processes | Preventive | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Business Processes | Preventive | |
Include threats in the analysis of the external environment. CC ID 12898 | Business Processes | Preventive | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Business Processes | Preventive | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Business Processes | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 | Business Processes | Preventive | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Business Processes | Preventive | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Business Processes | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [When developing exit strategies, institutions and payment institutions should: define the objectives of the exit strategy; 4.15 108(a)] | Establish/Maintain Documentation | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106 With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Process or Activity | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Process or Activity | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45] | Process or Activity | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Business Processes | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Business Processes | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Business Processes | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Business Processes | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Communicate | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Establish/Maintain Documentation | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Establish/Maintain Documentation | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Establish/Maintain Documentation | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Establish/Maintain Documentation | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Establish/Maintain Documentation | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Establish/Maintain Documentation | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Establish/Maintain Documentation | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Establish/Maintain Documentation | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Establish/Maintain Documentation | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Communicate | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Communicate | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)] | Establish/Maintain Documentation | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Business Processes | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Process or Activity | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45 Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)] | Process or Activity | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Business Processes | Preventive | |
Identify all interested personnel and affected parties. CC ID 12845 | Process or Activity | Detective | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Process or Activity | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 | Business Processes | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Establish/Maintain Documentation | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Establish/Maintain Documentation | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Establish/Maintain Documentation | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Establish/Maintain Documentation | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Establish/Maintain Documentation | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Establish/Maintain Documentation | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Establish/Maintain Documentation | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Establish/Maintain Documentation | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Establish/Maintain Documentation | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Establish/Maintain Documentation | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Establish/Maintain Documentation | Preventive | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Data and Information Management | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Data and Information Management | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Data and Information Management | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Data and Information Management | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Data and Information Management | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Data and Information Management | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Data and Information Management | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Data and Information Management | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Data and Information Management | Preventive | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Establish/Maintain Documentation | Preventive | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Data and Information Management | Preventive | |
Approve the data classification scheme. CC ID 13858 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Communicate | Preventive | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Establish/Maintain Documentation | Preventive | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Establish/Maintain Documentation | Preventive | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Establish/Maintain Documentation | Preventive | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Establish/Maintain Documentation | Preventive | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Investigate | Detective | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Establish/Maintain Documentation | Preventive | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Establish/Maintain Documentation | Preventive | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Establish/Maintain Documentation | Preventive | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Establish/Maintain Documentation | Preventive | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Establish/Maintain Documentation | Preventive | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Establish/Maintain Documentation | Preventive | |
Include the data source in the data dictionary. CC ID 13519 | Establish/Maintain Documentation | Preventive | |
Include the nature of each element in the data dictionary. CC ID 13518 | Establish/Maintain Documentation | Preventive | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Communicate | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Establish/Maintain Documentation | Preventive | |
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Behavior | Preventive | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Establish/Maintain Documentation | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Monitor and Evaluate Occurrences | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Monitor and Evaluate Occurrences | Detective | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Technical Security | Detective | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Communicate | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Communicate | Corrective | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Establish/Maintain Documentation | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Establish/Maintain Documentation | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Establish/Maintain Documentation | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Establish/Maintain Documentation | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Establish/Maintain Documentation | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Communicate | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Communicate | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Establish/Maintain Documentation | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Establish/Maintain Documentation | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 [{performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104] | Business Processes | Detective | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Testing | Detective | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Establish/Maintain Documentation | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Communicate | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Communicate | Preventive | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Business Processes | Corrective | |
Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Establish/Maintain Documentation | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Establish/Maintain Documentation | Preventive | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Systems Design, Build, and Implementation | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Establish/Maintain Documentation | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Establish/Maintain Documentation | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Establish/Maintain Documentation | Preventive | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Business Processes | Detective | |
Include program testing standards in the Quality Management program. CC ID 01017 | Establish/Maintain Documentation | Preventive | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Business Processes | Detective | |
Include system testing standards in the Quality Management program. CC ID 01018 | Establish/Maintain Documentation | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Systems Design, Build, and Implementation | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [Institutions and payment institutions should maintain at all times sufficient substance and not become 'empty shells' or 'letter-box entities'. To this end, they should: 4.6 39] | Establish/Maintain Documentation | Preventive | |
Define the scope of the security policy. CC ID 07145 | Data and Information Management | Preventive | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Business Processes | Preventive | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Establish/Maintain Documentation | Preventive | |
Correlate Information Systems with applicable controls. CC ID 01621 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the setting of the institution's or payment institution's strategies and policies (e.g. the business model, the risk appetite, the risk management framework); 4.6 36(d)] | Establish/Maintain Documentation | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41] | Establish/Maintain Documentation | Preventive | |
Include the effective date on all organizational policies. CC ID 06820 | Establish/Maintain Documentation | Preventive | |
Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Establish/Maintain Documentation | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 | Establish/Maintain Documentation | Detective | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Business Processes | Preventive | |
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Establish/Maintain Documentation | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Establish/Maintain Documentation | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Establish/Maintain Documentation | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e) allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b) clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Communicate | Preventive | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Establish/Maintain Documentation | Preventive | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Establish/Maintain Documentation | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Establish/Maintain Documentation | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Establish/Maintain Documentation | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Establish/Maintain Documentation | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Establish/Maintain Documentation | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Establish/Maintain Documentation | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Establish/Maintain Documentation | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Establish/Maintain Documentation | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Establish/Maintain Documentation | Detective | |
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Establish Roles | Preventive | |
Approve all compliance documents. CC ID 06286 | Establish/Maintain Documentation | Preventive | |
Align the Authority Document list with external requirements. CC ID 06288 | Establish/Maintain Documentation | Preventive | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Establish Roles | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Establish/Maintain Documentation | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Establish/Maintain Documentation | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Establish/Maintain Documentation | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 | Establish/Maintain Documentation | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Business Processes | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Establish/Maintain Documentation | Preventive | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Establish Roles | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Behavior | Preventive | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Behavior | Preventive | |
Estimate the costs of implementing the compliance framework. CC ID 07191 | Business Processes | Preventive | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Establish Roles | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 [meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)] | Establish Roles | Detective | |
Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 | Establish/Maintain Documentation | Detective | |
Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 | Establish/Maintain Documentation | Preventive | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 | Establish/Maintain Documentation | Detective | |
Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 | Establish Roles | Preventive | |
Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 | Establish Roles | Preventive | |
Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 | Establish Roles | Preventive | |
Involve the Board of Directors or senior management in Information Governance. CC ID 00609 | Establish Roles | Preventive | |
Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 | Human Resources Management | Preventive | |
Address Information Security during the business planning processes. CC ID 06495 | Data and Information Management | Preventive | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Establish/Maintain Documentation | Preventive | |
Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 | Establish Roles | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Establish/Maintain Documentation | Preventive | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: 4.7 42(c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 [When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)] | Establish/Maintain Documentation | Preventive | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Business Processes | Preventive | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Establish/Maintain Documentation | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Establish/Maintain Documentation | Preventive | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 [{Authority Document} When applying the principle of proportionality, institutions, payment institutions and competent authorities should take into account the criteria specified in Title I of the EBA Guidelines on internal governance in line with Article 74(2) of Directive 2013/36/EU. 4.1 20] | Establish/Maintain Documentation | Preventive | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32 {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)] | Establish/Maintain Documentation | Preventive | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Establish/Maintain Documentation | Preventive | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 | Establish/Maintain Documentation | Preventive | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 | Process or Activity | Preventive | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 | Process or Activity | Preventive | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 | Process or Activity | Preventive | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 | Establish/Maintain Documentation | Detective | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Process or Activity | Preventive | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 | Behavior | Preventive | |
Take actions in accordance with the decision-making criteria. CC ID 12909 | Process or Activity | Preventive | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Monitoring and measurement CC ID 00636 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103] | Establish/Maintain Documentation | Preventive | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 | Monitor and Evaluate Occurrences | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitor and Evaluate Occurrences | Detective | |
Implement a fraud detection system. CC ID 13081 | Business Processes | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Process or Activity | Corrective | |
Monitor for new vulnerabilities. CC ID 06843 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Testing | Preventive | |
Test compliance controls for proper functionality. CC ID 00660 | Testing | Detective | |
Establish, implement, and maintain a system security plan. CC ID 01922 | Testing | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Establish/Maintain Documentation | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Establish/Maintain Documentation | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Establish/Maintain Documentation | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Establish/Maintain Documentation | Preventive | |
Include threats in the system security plan. CC ID 14693 | Establish/Maintain Documentation | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Establish/Maintain Documentation | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Establish/Maintain Documentation | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Communicate | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Establish/Maintain Documentation | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Establish/Maintain Documentation | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Establish/Maintain Documentation | Preventive | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Process or Activity | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Establish/Maintain Documentation | Preventive | |
Create specific test plans to test each system component. CC ID 00661 | Establish/Maintain Documentation | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Establish/Maintain Documentation | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Establish/Maintain Documentation | Preventive | |
Include the scope in the test plans. CC ID 14293 | Establish/Maintain Documentation | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Establish/Maintain Documentation | Preventive | |
Approve the system security plan. CC ID 14241 | Business Processes | Preventive | |
Adhere to the system security plan. CC ID 11640 | Testing | Detective | |
Review the test plans for each system component. CC ID 00662 | Establish/Maintain Documentation | Preventive | |
Validate all testing assumptions in the test plans. CC ID 00663 | Testing | Detective | |
Document validated testing processes in the testing procedures. CC ID 06200 | Establish/Maintain Documentation | Preventive | |
Require testing procedures to be complete. CC ID 00664 | Testing | Detective | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Establish/Maintain Documentation | Preventive | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Testing | Preventive | |
Implement automated audit tools. CC ID 04882 | Acquisition/Sale of Assets or Services | Preventive | |
Assign senior management to approve test plans. CC ID 13071 | Human Resources Management | Preventive | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Testing | Detective | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitor and Evaluate Occurrences | Detective | |
Establish, implement, and maintain a testing program. CC ID 00654 | Behavior | Preventive | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Behavior | Preventive | |
Perform penetration tests, as necessary. CC ID 00655 [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94] | Testing | Detective | |
Perform internal penetration tests, as necessary. CC ID 12471 | Technical Security | Detective | |
Perform external penetration tests, as necessary. CC ID 12470 | Technical Security | Detective | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 | Testing | Detective | |
Test the system for broken access controls. CC ID 01319 | Testing | Detective | |
Test the system for broken authentication and session management. CC ID 01320 | Testing | Detective | |
Test the system for insecure communications. CC ID 00535 | Testing | Detective | |
Test the system for cross-site scripting attacks. CC ID 01321 | Testing | Detective | |
Test the system for buffer overflows. CC ID 01322 | Testing | Detective | |
Test the system for injection flaws. CC ID 01323 | Testing | Detective | |
Ensure protocols are free from injection flaws. CC ID 16401 | Process or Activity | Preventive | |
Test the system for Denial of Service. CC ID 01326 | Testing | Detective | |
Test the system for insecure configuration management. CC ID 01327 | Testing | Detective | |
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Testing | Detective | |
Test the system for cross-site request forgery. CC ID 06296 | Testing | Detective | |
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Technical Security | Detective | |
Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Technical Security | Detective | |
Verify segmentation controls are operational and effective. CC ID 12545 | Audits and Risk Management | Detective | |
Repeat penetration testing, as necessary. CC ID 06860 | Testing | Detective | |
Test the system for covert channels. CC ID 10652 | Testing | Detective | |
Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Technical Security | Detective | |
Reduce the maximum bandwidth of covert channels. CC ID 10655 | Technical Security | Corrective | |
Test systems to determine which covert channels might be exploited. CC ID 10654 | Testing | Detective | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Actionable Reports or Measurements | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Actionable Reports or Measurements | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Actionable Reports or Measurements | Detective | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Business Processes | Preventive | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Audits and Risk Management | Preventive | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitor and Evaluate Occurrences | Detective | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Establish/Maintain Documentation | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Business Processes | Detective | |
Determine the causes of compliance violations. CC ID 12401 | Investigate | Corrective | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Establish/Maintain Documentation | Preventive | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Investigate | Detective | |
Correct compliance violations. CC ID 13515 [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105] | Process or Activity | Corrective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Investigate | Detective | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Behavior | Corrective | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Human Resources Management | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Establish/Maintain Documentation | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Establish/Maintain Documentation | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Establish/Maintain Documentation | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Establish/Maintain Documentation | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Establish/Maintain Documentation | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Establish/Maintain Documentation | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Communicate | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Establish/Maintain Documentation | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Establish/Maintain Documentation | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Establish/Maintain Documentation | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Establish/Maintain Documentation | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Establish/Maintain Documentation | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Establish/Maintain Documentation | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Establish/Maintain Documentation | Preventive | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Actionable Reports or Measurements | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Actionable Reports or Measurements | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Actionable Reports or Measurements | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Actionable Reports or Measurements | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Actionable Reports or Measurements | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Establish/Maintain Documentation | Preventive | |
Convert data into standard units before reporting metrics. CC ID 15507 | Process or Activity | Corrective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Actionable Reports or Measurements | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Actionable Reports or Measurements | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Actionable Reports or Measurements | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Actionable Reports or Measurements | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who have access to security software and are trained and authorized Security Administrators. CC ID 01691 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals who are able to assign security privileges and are trained and authorized Security Administrators. CC ID 01692 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Actionable Reports or Measurements | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Actionable Reports or Measurements | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Actionable Reports or Measurements | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Actionable Reports or Measurements | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Actionable Reports or Measurements | Detective | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Actionable Reports or Measurements | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Actionable Reports or Measurements | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Business Processes | Preventive | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Actionable Reports or Measurements | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Actionable Reports or Measurements | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Business Processes | Preventive | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Business Processes | Preventive | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Actionable Reports or Measurements | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Business Processes | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Actionable Reports or Measurements | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Business Processes | Preventive | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Actionable Reports or Measurements | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Actionable Reports or Measurements | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Actionable Reports or Measurements | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Business Processes | Preventive | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Actionable Reports or Measurements | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Log Management | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Log Management | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Log Management | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Log Management | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Business Processes | Preventive | |
Report on the percentage of laptops and mobile devices that are required to comply with the approved configuration standard before being granted network access. CC ID 02106 | Actionable Reports or Measurements | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Actionable Reports or Measurements | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Business Processes | Preventive | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Actionable Reports or Measurements | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Business Processes | Preventive | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Actionable Reports or Measurements | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Actionable Reports or Measurements | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Business Processes | Preventive | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Technical Security | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Actionable Reports or Measurements | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Business Processes | Preventive | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Actionable Reports or Measurements | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Actionable Reports or Measurements | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Actionable Reports or Measurements | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Business Processes | Preventive | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Actionable Reports or Measurements | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Actionable Reports or Measurements | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Actionable Reports or Measurements | Detective | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Business Processes | Preventive | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Actionable Reports or Measurements | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Actionable Reports or Measurements | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Actionable Reports or Measurements | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Actionable Reports or Measurements | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Actionable Reports or Measurements | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Actionable Reports or Measurements | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Actionable Reports or Measurements | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Actionable Reports or Measurements | Detective | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Communicate | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Establish/Maintain Documentation | Preventive | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Actionable Reports or Measurements | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Actionable Reports or Measurements | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Establish/Maintain Documentation | Preventive | |
Deploy log normalization tools, as necessary. CC ID 12141 | Technical Security | Preventive | |
Restrict access to logs to authorized individuals. CC ID 01342 | Log Management | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Technical Security | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Log Management | Preventive | |
Back up audit trails according to backup procedures. CC ID 11642 | Systems Continuity | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Log Management | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Log Management | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Log Management | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Log Management | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Log Management | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Log Management | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Log Management | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Log Management | Preventive | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Configuration | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Log Management | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Establish/Maintain Documentation | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105] | Monitor and Evaluate Occurrences | Detective | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Business Processes | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Establish/Maintain Documentation | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Establish/Maintain Documentation | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Establish/Maintain Documentation | Preventive | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitor and Evaluate Occurrences | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational and Systems Continuity CC ID 00731 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Establish/Maintain Documentation | Preventive | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106] | Establish/Maintain Documentation | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49 Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: material risks arising for the appropriate and continuous application of the function. 4.15 106(d) {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Establish/Maintain Documentation | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48 {business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)] | Establish/Maintain Documentation | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49 {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Establish/Maintain Documentation | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Establish/Maintain Documentation | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii) The outsourcing policy should differentiate between the following: outsourcing of critical or important functions and other outsourcing arrangements; 4.7 43(a) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a) Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the outsourcing arrangement concerns a critical or important function, as set out in Title II; 4.12 61(a) If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77 Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100 {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88] | Establish/Maintain Documentation | Detective | |
Review and prioritize the importance of each business unit. CC ID 01165 | Systems Continuity | Preventive | |
Review and prioritize the importance of each business process. CC ID 11689 | Establish/Maintain Documentation | Preventive | |
Document the mean time to failure for system components. CC ID 10684 | Systems Continuity | Preventive | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Audits and Risk Management | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Behavior | Preventive | |
Validate information security continuity controls regularly. CC ID 12008 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)] | Systems Continuity | Preventive | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Testing | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 [When developing exit strategies, institutions and payment institutions should: define success criteria for the transition of outsourced functions and data; and 4.15 108(d)] | Establish/Maintain Documentation | Preventive | |
Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Establish/Maintain Documentation | Preventive | |
Include recovery procedures in the continuity test plan. CC ID 14876 | Establish/Maintain Documentation | Preventive | |
Include test scripts in the continuity test plan. CC ID 14875 | Establish/Maintain Documentation | Preventive | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Establish/Maintain Documentation | Preventive | |
Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Establish/Maintain Documentation | Preventive | |
Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Establish/Maintain Documentation | Preventive | |
Include contact information in the continuity test plan. CC ID 14399 | Establish/Maintain Documentation | Preventive | |
Include testing all system components in the continuity test plan. CC ID 13508 | Establish/Maintain Documentation | Preventive | |
Include test scenarios in the continuity test plan. CC ID 13506 | Establish/Maintain Documentation | Preventive | |
Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Establish/Maintain Documentation | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a)] | Testing | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Testing | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Testing | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Testing | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48] | Testing | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Testing | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Testing | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Testing | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Testing | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)] | Testing | Detective | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Establish/Maintain Documentation | Preventive | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Testing | Preventive | |
Review all third party's continuity plan test results. CC ID 01365 [{business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c)] | Testing | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Testing | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [{be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Actionable Reports or Measurements | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Systems Continuity | Preventive | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Testing | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Testing | Detective | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term | | | |
Mandated - bold; Implied - italic; Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Operational management CC ID 00805 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Establish/Maintain Documentation | Preventive | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b) have sufficient resources and capacities to ensure compliance with points (a) to (c). 4.6 39(d)] | Acquisition/Sale of Assets or Services | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the internal organisation of the institution or the payment institution; 4.6 36(b)] | Human Resources Management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94] | Establish/Maintain Documentation | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Business Processes | Preventive | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Actionable Reports or Measurements | Corrective | |
Review the relevance of information supporting internal controls. CC ID 12420 | Business Processes | Detective | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Establish Roles | Preventive | |
Assign resources to implement the internal control framework. CC ID 00816 | Business Processes | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Establish Roles | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Business Processes | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Establish/Maintain Documentation | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Establish/Maintain Documentation | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Business Processes | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Establish/Maintain Documentation | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Establish/Maintain Documentation | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Establish/Maintain Documentation | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Configuration | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Establish/Maintain Documentation | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Configuration | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Establish/Maintain Documentation | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Establish/Maintain Documentation | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Establish/Maintain Documentation | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Establish/Maintain Documentation | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Communicate | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Process or Activity | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Establish/Maintain Documentation | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Establish/Maintain Documentation | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Establish/Maintain Documentation | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Establish/Maintain Documentation | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Communicate | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{be adequate} In accordance with Article 109(2) of Directive 2013/36/EU, these guidelines should also apply on a sub-consolidated and consolidated basis, taking into account the prudential scope of consolidation. For this purpose, the EU parent undertakings or the parent undertaking in a Member State should ensure that internal governance arrangements, processes and mechanisms in their subsidiaries, including payment institutions, are consistent, well integrated and adequate for the effective application of these guidelines at all relevant levels. 4.2 21] | Business Processes | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Process or Activity | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Process or Activity | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Process or Activity | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Process or Activity | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Process or Activity | Preventive | |
Analyze the organizational culture. CC ID 12899 | Process or Activity | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Process or Activity | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Process or Activity | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Process or Activity | Detective | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Behavior | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Business Processes | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Business Processes | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Business Processes | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Behavior | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Behavior | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Business Processes | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Behavior | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Behavior | Preventive | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Process or Activity | Corrective | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [Institutions and payment institutions that are subsidiaries of an EU parent undertaking or of a parent undertaking in a Member State to which no waivers have been granted on the basis of Article 21 of Directive 2013/36/EU or Article 109(1) of Directive 2013/36/EU in conjunction with Article 7 of Regulation (EU) No 575/2013 should ensure that they comply with these Guidelines on an individual basis. 4.2 25 Institutions, payment institutions and competent authorities should, when complying or supervising compliance with these guidelines, have regard to the principle of proportionality. The proportionality principle aims to ensure that governance arrangements, including those related to outsourcing, are consistent with the individual risk profile, the nature and business model of the institution or payment institution, and the scale and complexity of their activities so that the objectives of the regulatory requirements are effectively achieved. 4.1 18 {third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34 The management body is at all times fully responsible and accountable for at least: ensuring that the institution or payment institution meets on an ongoing basis the conditions with which it must comply to remain authorised, including any conditions imposed by the competent authority; 4.6 36(a) {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35 meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a)] | Establish/Maintain Documentation | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Communicate | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Business Processes | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Behavior | Preventive | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Business Processes | Preventive | |
Establish, implement, and maintain a service management program. CC ID 11388 | Establish/Maintain Documentation | Preventive | |
Include the change management policy in the service management program. CC ID 13923 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii)] | Establish/Maintain Documentation | Preventive | |
Assign roles and responsibilities in the service management program. CC ID 11393 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b) When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c) clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)] | Establish/Maintain Documentation | Preventive | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 [When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c)] | Establish/Maintain Documentation | Preventive | |
Include service management procedures in the service management program. CC ID 11396 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii)] | Establish/Maintain Documentation | Preventive | |
Include continuity plans in the Service Management program. CC ID 13919 [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 [When outsourcing, institutions and payment institutions should at least ensure that: they maintain the orderliness of the conduct of their business and the banking and payment services they provide; 4.6 40(b)] | Establish/Maintain Documentation | Preventive | |
Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 | Establish/Maintain Documentation | Preventive | |
Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845 | Establish/Maintain Documentation | Detective | |
Include the organizational structure for service level management in the Service Level Agreement framework. CC ID 13633 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b) {organizational structure} retain a clear and transparent organisational framework and structure that enables them to ensure compliance with legal and regulatory requirements; 4.6 39(b)] | Establish/Maintain Documentation | Preventive | |
Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 | Establish/Maintain Documentation | Preventive | |
Include capacity planning in Service Level Agreements. CC ID 13096 | Establish/Maintain Documentation | Preventive | |
Include Operational Level Agreements within Service Level Agreements, as necessary. CC ID 13631 | Establish/Maintain Documentation | Preventive | |
Include funding sources in Service Level Agreements, as necessary. CC ID 13632 | Establish/Maintain Documentation | Preventive | |
Include business requirements of delivered services in the Service Level Agreement. CC ID 00840 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the definition of business requirements regarding outsourcing arrangements; 4.7 42(c)(i)] | Establish/Maintain Documentation | Preventive | |
Include the management requirements for network services in the Service Level Agreement. CC ID 12025 | Establish/Maintain Documentation | Preventive | |
Include notification requirements in the service level agreement. CC ID 16675 | Establish/Maintain Documentation | Preventive | |
Include performance requirements in the Service Level Agreement. CC ID 00841 | Establish/Maintain Documentation | Preventive | |
Include the service levels for network services in the Service Level Agreement. CC ID 12024 | Establish/Maintain Documentation | Preventive | |
Include the consequences for failure to meet service levels in Service Level Agreements. CC ID 15698 | Establish/Maintain Documentation | Preventive | |
Include availability requirements in Service Level Agreements. CC ID 13095 | Establish/Maintain Documentation | Preventive | |
Establish and maintain a service catalog. CC ID 13634 | Establish/Maintain Documentation | Preventive | |
Include a service description in the service catalog. CC ID 13917 | Establish/Maintain Documentation | Preventive | |
Assign unique reference numbers to all services in the service catalog. CC ID 14424 [The register should include at least the following information for all existing outsourcing arrangements: a reference number for each outsourcing arrangement; 4.11 54(a)] | Establish/Maintain Documentation | Preventive | |
Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 [{outsourcing arrangements} {time sensitive operation} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether the outsourced critical or important function supports business operations that are time-critical; 4.11 55(j) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: an outcome of the assessment of the service provider's substitutability (as easy, difficult or impossible), the possibility of reintegrating a critical or important function into the institution or the payment institution or the impact of discontinuing the critical or important function; 4.11 55(h)] | Establish/Maintain Documentation | Preventive | |
Categorize services in the service catalog. CC ID 14419 | Establish/Maintain Documentation | Preventive | |
Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 [As a general principle, institutions and payment institutions should not consider the following as outsourcing: a function that is legally required to be performed by a service provider, e.g. statutory audit; 4.3 28(a) As a general principle, institutions and payment institutions should not consider the following as outsourcing: global network infrastructures (e.g. Visa, MasterCard); 4.3 28(c) As a general principle, institutions and payment institutions should not consider the following as outsourcing: correspondent banking services; and 4.3 28(f) As a general principle, institutions and payment institutions should not consider the following as outsourcing: the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution's or payment institution's premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators), goods (e.g. plastic cards, card readers, office supplies, personal computers, furniture) or utilities (e.g. electricity, gas, water, telephone line). 4.3 28(g) As a general principle, institutions and payment institutions should not consider the following as outsourcing: clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members; 4.3 28(d) As a general principle, institutions and payment institutions should not consider the following as outsourcing: market information services (e.g. provision of data by Bloomberg, Moody's, Standard & Poor's, Fitch); 4.3 28(b) As a general principle, institutions and payment institutions should not consider the following as outsourcing: global financial messaging infrastructures that are subject to oversight by relevant authorities; 4.3 28(e)] | Establish/Maintain Documentation | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
Notify the supervisory authority. CC ID 00472 [Institutions, without prejudice to Article 19(6) of Directive (EU) 2015/2366, and payment institutions should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with the competent authorities about the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important and provide at least the information specified in paragraph 54. 4.11 58 Institutions and payment institutions should inform competent authorities in a timely manner of material changes and/or severe events regarding their outsourcing arrangements that could have a material impact on the continuing provision of the institutions' or payment institutions' business activities. 4.11 59] | Behavior | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Institutions and payment institutions should, upon request, make available to the competent authority all information necessary to enable the competent authority to execute the effective supervision of the institution or the payment institution, including, where required, a copy of the outsourcing agreement. 4.11 57] | Process or Activity | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective | |
Establish, implement, and maintain a data handling program. CC ID 13427 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Establish/Maintain Documentation | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Data and Information Management | Preventive | |
Protect electronic messaging information. CC ID 12022 | Technical Security | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Data and Information Management | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Configuration | Preventive | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Testing | Detective | |
Store payment card data in secure chips, if possible. CC ID 13065 | Configuration | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Configuration | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Technical Security | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Data and Information Management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Log Management | Preventive | |
Log the modification of personal data. CC ID 11844 | Log Management | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Technical Security | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Technical Security | Preventive | |
Implement physical controls to protect personal data. CC ID 00355 | Testing | Preventive | |
Limit data leakage. CC ID 00356 | Data and Information Management | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Testing | Detective | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Monitor and Evaluate Occurrences | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Business Processes | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Establish/Maintain Documentation | Detective | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Data and Information Management | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Data and Information Management | Detective | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Monitor and Evaluate Occurrences | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Investigate | Detective | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Behavior | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Data and Information Management | Detective | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Log Management | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Monitor and Evaluate Occurrences | Corrective | |
Log dates for account name changes or address changes. CC ID 04876 | Log Management | Detective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Monitor and Evaluate Occurrences | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Data and Information Management | Detective | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Acquisition/Sale of Assets or Services | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Process or Activity | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Process or Activity | Preventive | |
Review monitored websites for data leakage. CC ID 10593 | Monitor and Evaluate Occurrences | Detective | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Process or Activity | Corrective | |
Include text about data ownership in the data handling policy. CC ID 15720 | Data and Information Management | Preventive | |
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain call metadata controls. CC ID 04790 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Data and Information Management | Preventive | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Data and Information Management | Preventive | |
Store de-identifying code and re-identifying code separately. CC ID 16535 | Data and Information Management | Preventive | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Data and Information Management | Preventive | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Communicate | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 | Establish/Maintain Documentation | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Establish/Maintain Documentation | Preventive | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Data and Information Management | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Data and Information Management | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Data and Information Management | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Data and Information Management | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Data and Information Management | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Data and Information Management | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Data and Information Management | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Data and Information Management | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Data and Information Management | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Data and Information Management | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Data and Information Management | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Data and Information Management | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Data and Information Management | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Data and Information Management | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Data and Information Management | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Data and Information Management | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Data and Information Management | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Data and Information Management | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Data and Information Management | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Data and Information Management | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Data and Information Management | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Establish/Maintain Documentation | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Business Processes | Preventive | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Monitor and Evaluate Occurrences | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Monitor and Evaluate Occurrences | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Monitor and Evaluate Occurrences | Preventive | |
Conduct internal data processing audits. CC ID 00374 | Testing | Detective | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Communicate | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
Determine how long to keep records and logs before disposing them. CC ID 11661 | Process or Activity | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [{outsourcing arrangements} Taking into account Title I of these guidelines, and under the conditions set out in paragraph 23(d), for institutions and payment institutions within a group, institutions permanently affiliated to a central body or institutions that are members of the same institutional protection scheme, the register may be kept centrally. 4.11 53] | Records Management | Preventive | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Establish/Maintain Documentation | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e)] | Records Management | Detective | |
Establish, implement, and maintain authorization records. CC ID 14367 | Establish/Maintain Documentation | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Establish/Maintain Documentation | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Establish/Maintain Documentation | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 [For the outsourcing of critical or important functions, the register should include at least the following additional information: the individual or decision-making body (e.g. the management body) in the institution or the payment institution that approved the outsourcing arrangement; 4.11 55(d)] | Establish/Maintain Documentation | Preventive | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Data and Information Management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Data and Information Management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Data and Information Management | Preventive | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records Management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Process or Activity | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Establish/Maintain Documentation | Preventive | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Actionable Reports or Measurements | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Process or Activity | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Data and Information Management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Data and Information Management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Process or Activity | Detective | |
Establish and maintain an implantable device list. CC ID 14444 | Records Management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Data and Information Management | Preventive | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Business Processes | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Data and Information Management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records Management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records Management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records Management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records Management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records Management | Preventive | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Log Management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Log Management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Establish/Maintain Documentation | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Log Management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Log Management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Log Management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Log Management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Log Management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Log Management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Log Management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Log Management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Log Management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Log Management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Log Management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Log Management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Log Management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records Management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Log Management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Log Management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Log Management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Log Management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records Management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Log Management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Log Management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Log Management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Data and Information Management | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
---|---|---|---|
Third Party and supply chain oversight CC ID 08807 | IT Impact Zone | IT Impact Zone | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e) When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the approval process of new outsourcing arrangements; 4.7 42(c)(vii) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the renewal processes; 4.7 42(d)(iv) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f) Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80 {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42 {substitutability} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so ('substitutability'); 4.4 31(h) The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)] | Establish/Maintain Documentation | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Establish/Maintain Documentation | Preventive | |
Terminate supplier relationships, as necessary. CC ID 13489 [{be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: discontinue the business activities that are depending on the function. 4.6 40(f)(iii)] | Business Processes | Corrective | |
Document and maintain supply chain processes. CC ID 08816 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain an exit plan. CC ID 15492 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Establish/Maintain Documentation | Preventive | |
Test the exit plan, as necessary. CC ID 15495 | Testing | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: business continuity planning in accordance with Section 9; 4.7 42(c)(vi) develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a) Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106 {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: reintegrate the function; or 4.6 40(f)(ii)] | Establish/Maintain Documentation | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Systems Continuity | Preventive | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Process or Activity | Detective | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Establish/Maintain Documentation | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [The outsourcing agreement for critical or important functions should set out at least: a clear description of the outsourced function to be provided; 4.13 75(a)] | Establish/Maintain Documentation | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Establish/Maintain Documentation | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 [Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100 When outsourcing, institutions and payment institutions should at least ensure that: an appropriate flow of relevant information with service providers is maintained; 4.6 40(e)] | Establish/Maintain Documentation | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Establish/Maintain Documentation | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Establish/Maintain Documentation | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Establish/Maintain Documentation | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 [Where an arrangement with a service provider covers multiple functions, institutions and payment institutions should consider all aspects of the arrangement within their assessment, e.g. if the service provided includes the provision of data storage hardware and the backup of data, both aspects should be considered together. 4.3 27] | Establish/Maintain Documentation | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Establish/Maintain Documentation | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Establish/Maintain Documentation | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Establish/Maintain Documentation | Preventive | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f) The outsourcing agreement for critical or important functions should set out at least: provisions that ensure that the data that are owned by the institution or payment institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider; 4.13 75(m) With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a) When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g) {be able} {be necessary} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain, upon request, the information necessary to carry out their supervisory tasks pursuant to Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; 4.12.1 63(c)(i) {be able} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain appropriate access to any data, documents, premises or personnel in the third country that are relevant for the performance of their supervisory powers; 4.12.1 63(c)(ii)] | Business Processes | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Establish/Maintain Documentation | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Establish/Maintain Documentation | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Establish/Maintain Documentation | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 [{data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a) {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)] | Establish/Maintain Documentation | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Establish/Maintain Documentation | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Establish/Maintain Documentation | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Establish/Maintain Documentation | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34 The outsourcing agreement for critical or important functions should set out at least: the parties' financial obligations; 4.13 75(d)] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 [{access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89 {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b) With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 [Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: receive, as soon as possible, information from the supervisory authority in the third country for investigating apparent breaches of the requirements of Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; and 4.12.1 63(c)(iii)] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [The outsourcing agreement for critical or important functions should set out at least: the obligation of the service provider to cooperate with the competent authorities and resolution authorities of the institution or payment institution, including other persons appointed by them; 4.13 75(n) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b) {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a)] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Establish/Maintain Documentation | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [When outsourcing, institutions and payment institutions should at least ensure that: appropriate confidentiality arrangements are in place regarding data and other information; 4.6 40(d)] | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Establish/Maintain Documentation | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 [With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)] | Establish/Maintain Documentation | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 [The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)] | Establish/Maintain Documentation | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Establish/Maintain Documentation | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Establish/Maintain Documentation | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a) The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j) The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l) {third party audit report} Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: third-party certifications and third-party or internal audit reports, made available by the service provider. 4.13.3 91(b)] | Establish/Maintain Documentation | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 [The outsourcing agreement for critical or important functions should set out at least: the unrestricted right of institutions, payment institutions and competent authorities to inspect and audit the service provider with regard to, in particular, the critical or important outsourced function, as specified in Section 13.3; 4.13 75(p) The outsourcing agreement for critical or important functions should set out at least: the right of the institution or payment institution to monitor the service provider's performance on an ongoing basis; 4.13 75(h) Institutions and payment institutions should ensure within the written outsourcing arrangement that the internal audit function is able to review the outsourced function using a risk-based approach. 4.13.3 85 {access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89 {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b) {third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g) {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: conduct appropriate audits regarding the outsourced function; 4.4 31(c)(iii)] | Establish/Maintain Documentation | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 [The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l)] | Establish/Maintain Documentation | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Acquisition/Sale of Assets or Services | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Establish/Maintain Documentation | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 [The outsourcing agreement should specify whether or not sub-outsourcing of critical or important functions, or material parts thereof, is permitted. 4.13.1 76 The outsourcing agreement for critical or important functions should set out at least: whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in Section 13.1 that the sub-outsourcing is subject to; 4.13 75(e)] | Establish/Maintain Documentation | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify the conditions to be complied with in the case of sub-outsourcing; 4.13.1 78(b) Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: comply with all applicable laws, regulatory requirements and contractual obligations; and 4.13.1 79(a) Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: grant the institution, payment institution and competent authority the same contractual rights of access and audit as those granted by the service provider. 4.13.1 79(b)] | Establish/Maintain Documentation | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84 The outsourcing agreement for critical or important functions should set out at least: the governing law of the agreement; 4.13 75(c) Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86] | Establish/Maintain Documentation | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f) The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are material changes affecting the outsourcing arrangement or the service provider (e.g. sub-outsourcing or changes of sub-contractors); 4.13.4 98(c) {refrain from replacing} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement; 4.4 31(g)] | Establish/Maintain Documentation | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii) The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j) If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e) The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)] | Establish/Maintain Documentation | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Establish/Maintain Documentation | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 [institutions and payment institutions should ensure that their management body will be duly informed of relevant planned changes regarding service providers that are monitored centrally and the potential impact of these changes on the critical or important functions provided, including a summary of the risk analysis, including legal risks, compliance with regulatory requirements and the impact on service levels, in order for them to assess the impact of these changes; 4.2 23(b) If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e)] | Establish/Maintain Documentation | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Establish/Maintain Documentation | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Establish/Maintain Documentation | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45 Where outsourcing creates material conflicts of interest, including between entities within the same group or institutional protection scheme, institutions and payment institutions need to take appropriate measures to manage those conflicts of interest. 4.8 46 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)] | Establish/Maintain Documentation | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 [The outsourcing agreement for critical or important functions should set out at least: for institutions, a clear reference to the national resolution authority's powers, especially to Articles 68 and 71 of Directive 2014/59/EU (BRRD), and in particular a description of the 'substantive obligations' of the contract in the sense of Article 68 of that Directive; 4.13 75(o)] | Establish/Maintain Documentation | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 [If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure that the institution or payment institution has the contractual right to terminate the agreement in the case of undue sub-outsourcing, e.g. where the sub-outsourcing materially increases the risks for the institution or payment institution or where the service provider sub-outsources without notifying the institution or payment institution. 4.13.1 78(g) The outsourcing agreement for critical or important functions should set out at least: termination rights, as specified in Section 13.4. 4.13 75(q) The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: 4.13.4 98 Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the termination of outsourcing arrangements; 4.15 106(a) The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where instructions are given by the institution's or payment institution's competent authority, e.g. in the case that the competent authority is, caused by the outsourcing arrangement, no longer in a position to effectively supervise the institution or payment institution. 4.13.4 98(e) The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: include an obligation of the service provider to support the institution or payment institution in the orderly transfer of the function in the event of the termination of the outsourcing agreement. 4.13.4 99(c) {ability} {refrain from disrupting} {refrain from limiting} {avoiding} Institutions and payment institutions should ensure that they are able to exit outsourcing arrangements without undue disruption to their business activities, without limiting their compliance with regulatory requirements and without any detriment to the continuity and quality of its provision of services to clients. To achieve this, they should: 4.15 107] | Establish/Maintain Documentation | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 [{re-incorporate} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: 4.13.4 99 identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b) The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: set an appropriate transition period, during which the service provider, after the termination of the outsourcing arrangement, would continue to provide the outsourced function to reduce the risk of disruptions; and 4.13.4 99(b)] | Establish/Maintain Documentation | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 [The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where the provider of the outsourced functions is in a breach of applicable law, regulations or contractual provisions; 4.13.4 98(a) Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the failure of the service provider; 4.15 106(b)] | Establish/Maintain Documentation | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Establish/Maintain Documentation | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 [The outsourcing agreement for critical or important functions should set out at least: whether the service provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested; 4.13 75(k)] | Establish/Maintain Documentation | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{be able} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: cooperate with the relevant supervisory authorities in the third country on enforcement in the case of a breach of the applicable regulatory requirements and national law in the Member State. Cooperation should include, but not necessarily be limited to, receiving information on potential breaches of the applicable regulatory requirements from the supervisory authorities in the third country as soon as is practicable. 4.12.1 63(c)(iv)] | Establish/Maintain Documentation | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Establish/Maintain Documentation | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Establish/Maintain Documentation | Preventive | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Testing | Detective | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Establish/Maintain Documentation | Preventive | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84 {data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a) When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g)] | Testing | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [Institutions and payment institutions should ensure that service providers, where relevant, comply with appropriate IT security standards. 4.13.2 81 {ensure} {technical measure} Where outsourcing involves the processing of personal or confidential data, institutions and payment institutions should be satisfied that the service provider implements appropriate technical and organisational measures to protect the data. 4.12.3 72 {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: retain the contractual right to perform individual audits at their discretion with regard to the outsourcing of critical or important functions. 4.13.3 93(h)] | Testing | Detective | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Establish/Maintain Documentation | Preventive | |
Establish the third party's service continuity. CC ID 00797 [{outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)] | Testing | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Testing | Detective | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Data and Information Management | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Testing | Detective | |
Include disclosure requirements in third party contracts. CC ID 08825 [Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86] | Business Processes | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83] | Establish/Maintain Documentation | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Establish/Maintain Documentation | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: the soundness or continuity of their banking and payment services and activities; 4.4 29(a)(iii) In the case of institutions, particular attention should be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines and critical functions as defined in Article 2(1)(35) and 2(1)(36) of Directive 2014/59/EU and identified by institutions using the criteria set out in Articles 6 and 7 of Commission Delegated Regulation (EU) 2016/778. Functions that are necessary to perform activities of core business lines or critical functions should be considered as critical or important functions for the purpose of these guidelines, unless the institution's assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the operational continuity of the core business line or critical function. 4.4 30] | Establish/Maintain Documentation | Detective | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d) As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52] | Establish/Maintain Documentation | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 [The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e) The register should include at least the following information for all existing outsourcing arrangements: the date of the most recent assessment of the criticality or importance of the outsourced function. 4.11 54(i) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the estimated annual budget cost. 4.11 55(k) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)] | Establish/Maintain Documentation | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g)] | Establish/Maintain Documentation | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: identification of alternative service providers in line with point (h); 4.11 55(i)] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 [{electronic format} Institutions and payment institutions should, upon request, make available to the competent authority either the full register of all existing outsourcing arrangements or sections specified thereof, such as information on all outsourcing arrangements falling under one of the categories referred to in point (d) of paragraph 54 of these guidelines (e.g. all IT outsourcing arrangements). Institutions and payment institutions should provide this information in a processable electronic form (e.g. a commonly used database format, comma separated values). 4.11 56] | Communicate | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 [The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e)] | Establish/Maintain Documentation | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 [The register should include at least the following information for all existing outsourcing arrangements: the start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the service provider and for the institution or payment institution; 4.11 54(b)] | Establish/Maintain Documentation | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d) The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c) The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)] | Establish/Maintain Documentation | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 [{be critical} The register should include at least the following information for all existing outsourcing arrangements: whether or not (yes/no) the outsourced function is considered critical or important, including, where applicable, a brief summary of the reasons why the outsourced function is considered critical or important; 4.11 54(g) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)] | Establish/Maintain Documentation | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 [The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c) The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)] | Establish/Maintain Documentation | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g) The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the governing law of the outsourcing agreement; 4.11 55(e) The register should include at least the following information for all existing outsourcing arrangements: the country or countries where the service is to be performed, including the location (i.e. country or region) of the data; 4.11 54(f) The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)] | Establish/Maintain Documentation | Preventive | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Business Processes | Preventive | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Establish/Maintain Documentation | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Establish/Maintain Documentation | Preventive | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Physical and Environmental Protection | Preventive | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Establish/Maintain Documentation | Preventive | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [The outsourcing agreement for critical or important functions should set out at least: the agreed service levels, which should include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met; 4.13 75(i) The rights and obligations of the institution, the payment institution and the service provider should be clearly allocated and set out in a written agreement. 4.13 74] | Process or Activity | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 [When developing exit strategies, institutions and payment institutions should: define the indicators to be used for the monitoring of the outsourcing arrangement (as outlined under Section 14), including indicators based on unacceptable service levels that should trigger the exit. 4.15 108(e) allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)] | Establish/Maintain Documentation | Detective | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Establish Roles | Preventive | |
Approve all Service Level Agreements. CC ID 00843 | Establish/Maintain Documentation | Detective | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Business Processes | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Establish/Maintain Documentation | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Business Processes | Corrective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [The outsourcing policy should differentiate between the following: intragroup outsourcing arrangements, outsourcing arrangements within the same institutional protection scheme (including entities fully owned individually or collectively by institutions within the institutional protection scheme) and outsourcing to entities outside the group; and 4.7 43(c) The outsourcing policy should differentiate between the following: outsourcing to service providers located within a Member State and third countries. 4.7 43(d) Institutions and payment institutions should establish whether an arrangement with a third party falls under the definition of outsourcing. Within this assessment, consideration should be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or an ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed this function in the past itself. 4.3 26 When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52 {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the institutions, payment institutions and other firms within the scope of the prudential consolidation or institutional protection scheme, where applicable, that make use of the outsourcing; 4.11 55(a) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether or not the service provider or sub-service provider is part of the group or a member of the institutional protection scheme or is owned by institutions or payment institutions within the group or is owned by members of an institutional protection scheme; 4.11 55(b) The register should include at least the following information for all existing outsourcing arrangements: a category assigned by the institution or payment institution that reflects the nature of the function as described under point (c) (e.g. information technology (IT), control function), which should facilitate the identification of different types of arrangements; 4.11 54(d)] | Establish/Maintain Documentation | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32 {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii) where operational tasks of internal control functions are outsourced (e.g. in the case of intragroup outsourcing or outsourcing within institutional protection schemes), exercise appropriate oversight and be able to manage the risks that are generated by the outsourcing of critical or important functions; and 4.6 39(c) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: operational risk, including conduct, information and communication technology (ICT) and legal risks; 4.4 31(b)(iii)] | Establish/Maintain Documentation | Preventive | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii) Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c) When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: 4.4 31 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: all outsourcing arrangements, the institution's or payment institution's aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area; 4.4 31(e) When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Testing | Detective | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a) where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b) When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70] | Business Processes | Preventive | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 [Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: 4.12.2 66 {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their financial performance; or 4.4 29(a)(ii)] | Establish/Maintain Documentation | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Establish/Maintain Documentation | Preventive | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Business Processes | Preventive | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Establish/Maintain Documentation | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Establish/Maintain Documentation | Preventive | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 [Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102] | Audits and Risk Management | Detective | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)] | Establish/Maintain Documentation | Preventive | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 [Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73] | Business Processes | Preventive | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Human Resources Management | Preventive | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42] | Establish/Maintain Documentation | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Establish/Maintain Documentation | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 | Establish/Maintain Documentation | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 [When functions are provided by a service provider that is part of a group or a member of an institutional protection scheme or that is owned by the institution, payment institution, group or institutions that are members of an institutional protection scheme, the conditions, including financial conditions, for the outsourced service should be set at arm's length. However, within the pricing of services synergies resulting from providing the same or similar services to several institutions within a group or an institutional protection scheme may be factored in, as long as the service provider remains viable on a stand-alone basis; within a group this should be irrespective of the failure of any other group entity. 4.8 47] | Establish/Maintain Documentation | Preventive | |
Include a clear management process in the supply chain management policy. CC ID 08810 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 {not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d) {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)] | Establish/Maintain Documentation | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Establish/Maintain Documentation | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 [Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101] | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Communicate | Preventive | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 | Establish/Maintain Documentation | Preventive | |
Support third parties in building their capabilities. CC ID 08814 | Business Processes | Preventive | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Business Processes | Preventive | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Business Processes | Preventive | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 [{selection process} Before entering into an outsourcing arrangement and considering the operational risks related to the function to be outsourced, institutions and payment institutions should ensure in their selection and assessment process that the service provider is suitable. 4.12.3 69 {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70] | Business Processes | Preventive | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Establish/Maintain Documentation | Preventive | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Establish/Maintain Documentation | Preventive | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Establish/Maintain Documentation | Preventive | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Establish/Maintain Documentation | Preventive | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Establish/Maintain Documentation | Preventive | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Establish/Maintain Documentation | Preventive | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Data and Information Management | Preventive | |
Establish and maintain a conflict materials report. CC ID 08823 | Establish/Maintain Documentation | Preventive | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Establish/Maintain Documentation | Preventive | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Establish/Maintain Documentation | Preventive | |
Identify supply sources for secondary materials. CC ID 08822 | Business Processes | Preventive | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Business Processes | Preventive | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)] | Business Processes | Preventive | |
Provide management support for third party due diligence. CC ID 08847 | Business Processes | Preventive | |
Commit to the supply chain due diligence process. CC ID 08849 | Business Processes | Preventive | |
Structure the organization to support supply chain due diligence. CC ID 08850 | Business Processes | Preventive | |
Schedule supply chain audits, as necessary. CC ID 10015 [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the dates of the most recent and next scheduled audits, where applicable; 4.11 55(f)] | Audits and Risk Management | Preventive | |
Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851 [where those institutions or payment institutions have outsourcing arrangements with service providers within the group or the institutional protection scheme, the management body of those institutions or payment institutions retains, also for these outsourcing arrangements, full responsibility for compliance with all regulatory requirements and the effective application of these guidelines; 4.2 22(a) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42] | Business Processes | Preventive | |
Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 | Business Processes | Preventive | |
Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 | Establish/Maintain Documentation | Preventive | |
Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 | Business Processes | Preventive | |
Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 | Business Processes | Preventive | |
Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 | Business Processes | Preventive | |
Develop and implement supply chain due diligence capability training program. CC ID 08862 | Business Processes | Preventive | |
Determine if additional supply chain due diligence processes are required. CC ID 08863 | Business Processes | Preventive | |
Review transaction files for compliance with the supply chain audit standard. CC ID 08864 | Establish/Maintain Documentation | Preventive | |
Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 | Establish/Maintain Documentation | Preventive | |
Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v) Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)] | Business Processes | Preventive | |
Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 | Business Processes | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: due diligence checks on prospective service providers, including the measures required under Section 12.3; 4.7 42(c)(iv) Before entering into any outsourcing arrangement, institutions and payment institutions should: undertake appropriate due diligence on the prospective service provider in accordance with Section 12.3; 4.12 61(d) {financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)] | Business Processes | Preventive | |
Identify all service providers in the supply chain. CC ID 12213 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f)] | Business Processes | Preventive | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Business Processes | Detective | |
Assess third parties' relevant experience during due diligence. CC ID 12070 [{be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70] | Business Processes | Detective | |
Assess third parties' legal risks to the organization during due diligence. CC ID 12078 [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a) {legal requirement} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: comply with all legal and regulatory requirements; 4.4 31(c)(ii) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the laws in force, including laws on data protection; 4.12.2 68(d)(i) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the law enforcement provisions in place; and 4.12.2 68(d)(ii) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)] | Business Processes | Detective | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{takeover} Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: in the case of significant institutions, the step-in risk, i.e. the risk that may result from the need to provide financial support to a service provider in distress or to take over its business operations; and 4.12.2 66(c) When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: business continuity and operational resilience; 4.4 31(b)(ii) {recovery planning} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation; 4.4 31(b)(v) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)] | Business Processes | Detective | |
Review third parties' backup policies. CC ID 13043 | Systems Continuity | Detective | |
Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity on the institution or payment institution and its clients, including but not limited to compliance with Regulation (EU) 2016/679. 4.4 31(j)] | Business Processes | Detective | |
Assess third parties' abilities to provide services during due diligence. CC ID 12074 [{be the same} Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: multiple outsourcing arrangements with the same service provider or closely connected service providers; 4.12.2 66(a)(ii) {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact on the services provided to its clients; 4.4 31(d) Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is otherwise allowed to carry out those banking activities or payment services in accordance with the relevant national legal framework. 4.12.1 62(b)] | Business Processes | Detective | |
Assess third parties' financial stability during due diligence. CC ID 12066 [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a) Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether the service provider is a parent undertaking or subsidiary of the institution or payment institution, is part of the accounting scope of consolidation of the institution or is a member of or is owned by institutions that are members of the same institutional protection scheme to which the institution belongs; 4.12.3 71(c) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses; 4.4 31(b)(i)] | Business Processes | Detective | |
Assess third parties' use of subcontractors during due diligence. CC ID 12073 [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risks associated with sub-outsourcing, including the additional risks that may arise if the sub-contractor is located in a third country or a different country from the service provider; 4.12.2 67(a) Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73] | Business Processes | Detective | |
Assess third parties' insurance coverage during due diligence. CC ID 12072 | Business Processes | Detective | |
Assess the third parties' reputation during due diligence. CC ID 12068 [Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: the long-term relationships with service providers that have already been assessed and perform services for the institution or payment institution; 4.12.3 71(b) {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: reputational risks; 4.4 31(b)(iv)] | Business Processes | Detective | |
Assess any litigation case files against third parties during due diligence. CC ID 12071 | Business Processes | Detective | |
Assess complaints against third parties during due diligence. CC ID 12069 | Business Processes | Detective | |
Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Business Processes | Preventive | |
Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 | Business Processes | Preventive | |
Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 | Business Processes | Preventive | |
Determine if suppliers can meet the organization's production requirements. CC ID 11559 | Business Processes | Preventive | |
Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 | Business Processes | Preventive | |
Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 | Business Processes | Preventive | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{confidential information} {personal information} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and 4.13.4 98(d) Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64] | Testing | Detective | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [{data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82 {confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84 {confidentiality, integrity, security and availability} The outsourcing agreement for critical or important functions should set out at least: where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as specified in Section 13.2; 4.13 75(g)] | Establish/Maintain Documentation | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii) Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the supervisory conditions for outsourcing set out in Section 12.1 are met; 4.12 61(b) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f) Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether or not the service provider is supervised by competent authorities. 4.12.3 71(d)] | Process or Activity | Detective | |
Document that supply chain members investigate security events. CC ID 13348 | Investigate | Detective | |
Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii) {be responsible} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: there is an appropriate cooperation agreement, e.g. in the form of a memorandum of understanding or college agreement, between the competent authorities responsible for the supervision of the institution and the supervisory authorities responsible for the supervision of the service provider; and 4.12.1 63(b)] | Process or Activity | Detective | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Establish/Maintain Documentation | Detective | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Communicate | Preventive | |
Include the audit scope in the third party external audit report. CC ID 13138 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)] | Establish/Maintain Documentation | Preventive | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Establish/Maintain Documentation | Detective | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations; 4.4 29(a)(i)] | Establish/Maintain Documentation | Detective | |
Request attestation of compliance from third parties. CC ID 12067 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)] | Establish/Maintain Documentation | Detective | |
Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 | Business Processes | Detective | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Business Processes | Preventive | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 | Business Processes | Detective | |
Document the third parties compliance with the organization's system hardening framework. CC ID 04263 | Technical Security | Detective | |
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34 {data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82 {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b) {third-party certifications} {third-party audit report} {are current} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: thoroughly assess the content of the certifications or audit reports on an ongoing basis and verify that the reports or certifications are not obsolete; 4.13.3 93(c)] | Business Processes | Preventive | |
Determine third party compliance with third party contracts. CC ID 08866 | Business Processes | Preventive | |
Quarantine non-compliant material. CC ID 08867 | Business Processes | Preventive | |
Refrain from quarantining conflict-free materials. CC ID 08868 | Business Processes | Preventive | |
Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 | Business Processes | Preventive | |
Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856 [where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c) Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64] | Business Processes | Preventive | |
Establish and maintain a supply chain due diligence report. CC ID 08824 | Business Processes | Preventive | |
Submit the supply chain due diligence report. CC ID 08828 | Business Processes | Preventive | |
Include supply chain risk assessment reports in the supply chain due diligence report. CC ID 08835 [Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102] | Business Processes | Preventive | |
Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837 [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)] | Business Processes | Preventive | |
Include supplier agreement terminations in the supply chain due diligence report. CC ID 08845 [As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52] | Business Processes | Preventive | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a) ensuring that they receive appropriate reports from service providers; 4.14 104(a)] | Establish/Maintain Documentation | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Establish/Maintain Documentation | Preventive | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [{outsourcing policy} {ongoing basis} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the ongoing assessment of the service provider's performance in line with Section 14; 4.7 42(d)(i) evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and 4.14 104(b) {performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104 {audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: 4.4 31(b)] | Business Processes | Detective | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [where those institutions or payment institutions outsource the operational tasks of internal control functions to a service provider within the group or the institutional protection scheme, for the monitoring and auditing of outsourcing arrangements, institutions should ensure that, also for these outsourcing arrangements, those operational tasks are effectively performed, including through the receiving of appropriate reports. 4.2 22(b) where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a) Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101 Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80 Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d) With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i) {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35 Institutions and payment institutions should appropriately document the assessments made under Title IV and the results of their ongoing monitoring (e.g. performance of the service provider, compliance with agreed service levels, other contractual and regulatory requirements, updates to the risk assessment). 4.11 60] | Monitor and Evaluate Occurrences | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Monitor and Evaluate Occurrences | Detective | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 | Business Processes | Preventive | |
Identify red flags in the supply chain. CC ID 08873 | Business Processes | Preventive | |
Detect red flags in the supply chain. CC ID 08874 | Business Processes | Preventive | |
Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 | Business Processes | Preventive | |
Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 | Business Processes | Preventive | |
Establish and maintain an interactive map of third party red flag locations. CC ID 08876 | Business Processes | Preventive | |
Collect information on red-flagged supply chains. CC ID 08877 | Business Processes | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Establish/Maintain Documentation | Preventive | |
Include performance standards in outsourcing contracts. CC ID 13140 [{be capable} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where impediments capable of altering the performance of the outsourced function are identified; 4.13.4 98(b)] | Establish/Maintain Documentation | Preventive | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 [{specific written authorisation} If sub-outsourcing of critical or important functions is permitted, the written agreement should: require the service provider to obtain prior specific or general written authorisation from the institution or payment institution before sub-outsourcing data; 4.13.1 78(d) If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure, where appropriate, that the institution or payment institution has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required; 4.13.1 78(f) If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify any types of activities that are excluded from sub-outsourcing; 4.13.1 78(a)] | Establish/Maintain Documentation | Preventive | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify that the service provider is obliged to oversee those services that it has subcontracted to ensure that all contractual obligations between the service provider and the institution or payment institution are continuously met; 4.13.1 78(c)] | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Business Processes | Preventive | |
Establish, implement, and maintain a system of transparency and controls over the entire supply chain. CC ID 08879 [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risk that long and complex chains of sub-outsourcing reduce the ability of institutions or payment institutions to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them. 4.12.2 67(b) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Business Processes | Preventive | |
Establish, implement, and maintain supply chain onsite investigation procedures. CC ID 08919 [{site visit} Before a planned on-site visit, institutions, payment institutions, competent authorities and auditors or third parties acting on behalf of the institution, payment institution or competent authorities should provide reasonable notice to the service provider, unless this is not possible due to an emergency or crisis situation or would lead to a situation where the audit would no longer be effective. 4.13.3 95] | Business Processes | Preventive | |
Assist with local logistics in support of supply chain onsite investigations. CC ID 08920 | Behavior | Preventive | |
Create an on-site mine visit report. CC ID 08921 | Establish/Maintain Documentation | Preventive | |
Establish, implement, and maintain information security controls for the supply chain. CC ID 13109 [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83] | Establish/Maintain Documentation | Preventive | |
Each Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Preventive | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Corrective | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b) have sufficient resources and capacities to ensure compliance with points (a) to (c). 4.6 39(d)] | Operational management | Preventive | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Preventive | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Preventive | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Detective | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Detective | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Detective | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Detective | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Detective | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Detective | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Detective | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Preventive | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Detective | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Detective | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Detective | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Detective | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Detective | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Detective | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Detective | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Detective | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Preventive | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Preventive | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Preventive | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Detective | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Detective | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Detective | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Detective | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Detective | |
Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Detective | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Detective | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Detective | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Detective | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Detective | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Detective | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Detective | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Detective | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Detective | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Detective | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Detective | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Detective | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Detective | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Detective | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Detective | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Detective | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Detective | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Detective | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Detective | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Detective | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Preventive | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Detective | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Detective | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Detective | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Detective | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Detective | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Preventive | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Detective | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Detective | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Detective | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Detective | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Detective | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Detective | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Monitoring and measurement | Detective | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Detective | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Detective | |
Report on the percentage of laptops and mobile devices that need to be in compliance with the approved configuration standard before being granted network access. CC ID 02106 | Monitoring and measurement | Detective | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Detective | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Detective | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Detective | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Detective | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Detective | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Detective | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Detective | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Detective | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Detective | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Detective | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Detective | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Detective | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Detective | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Detective | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Detective | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Detective | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Detective | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Detective | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Detective | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Detective | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Detective | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Detective | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Detective | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Detective | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Detective | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Preventive | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Preventive | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Preventive | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Preventive | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Preventive | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Preventive | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Preventive | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Preventive | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Preventive | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Preventive | |
Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Preventive | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Preventive | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Preventive | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Preventive | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Preventive | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Corrective | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Detective | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [{be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Operational and Systems Continuity | Preventive | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Corrective | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Detective | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Preventive | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Preventive | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97] | Audits and risk management | Preventive | |
Review the external auditor's qualifications. CC ID 01197 [{third-party certifications} {third-party audit report}Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the aptitude of the certifying or auditing party (e.g. with regard to rotation of the certifying or auditing company, qualifications, expertise, reperformance/verification of the evidence in the underlying audit file); 4.13.3 93(e)] | Audits and risk management | Preventive | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Preventive | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Detective | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Preventive | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Preventive | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Preventive | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Preventive | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Preventive | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Preventive | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Preventive | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Preventive | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Detective | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Preventive | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Detective | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Preventive | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Preventive | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Preventive | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Preventive | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Preventive | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Preventive | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Detective | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Preventive | |
Audit in scope audit items and compliance documents. CC ID 06730 [With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Audits and risk management | Preventive | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Detective | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Detective | |
Audit policies, standards, and procedures. CC ID 12927 [The management body of an institution or payment institution 44 that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the assessment of the criticality or importance of functions; 4.10 51(b)] | Audits and risk management | Preventive | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Detective | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Detective | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Detective | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Detective | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Detective | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Detective | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Detective | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Detective | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Preventive | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Preventive | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Preventive | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Preventive | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Preventive | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Detective | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Preventive | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Detective | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90 {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88] | Audits and risk management | Preventive | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Corrective | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Preventive | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Preventive | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Preventive | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Preventive | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Detective | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Preventive | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Preventive | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Preventive | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Detective | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Detective | |
Review management's response to issues raised in past audit reports. CC ID 01149 [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate involvement of governance bodies; and 4.10 51(d)] | Audits and risk management | Detective | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Preventive | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Preventive | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c) With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Detective | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Detective | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Preventive | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii) Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c) When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Preventive | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a)] | Audits and risk management | Preventive | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Detective | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Preventive | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Preventive | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Preventive | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Preventive | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Preventive | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Preventive | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Detective | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Preventive | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [{outsourced services} {outsourced activities} When developing exit strategies, institutions and payment institutions should: perform a business impact analysis that is commensurate with the risk of the outsourced processes, services or activities, with the aim of identifying what human and financial resources would be required to implement the exit plan and how much time it would take; 4.15 108(b)] | Audits and risk management | Detective | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the aggregated risks resulting from outsourcing several functions across the institution or payment institution and, in the case of groups of institutions or institutional protection schemes, the aggregated risks on a consolidated basis or on the basis of the institutional protection scheme; 4.12.2 66(b)] | Audits and risk management | Preventive | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Preventive | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Preventive | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b) Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44 {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the consequences of where the service provider is located (within or outside the EU); 4.12.2 68(c)] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Detective | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Detective | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: 4.12.2 66(a) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the size and complexity of any business area affected; 4.4 31(f) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: 4.12.2 68(d) Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64] | Audits and risk management | Detective | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Detective | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Preventive | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Preventive | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Preventive | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Preventive | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Preventive | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Preventive | |
Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Detective | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Detective | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Preventive | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Preventive | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 [Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102] | Third Party and supply chain oversight | Detective | |
Schedule supply chain audits, as necessary. CC ID 10015 [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the dates of the most recent and next scheduled audits, where applicable; 4.11 55(f)] | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Leadership and high level objectives | Preventive | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Preventive | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Leadership and high level objectives | Preventive | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Preventive | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Corrective | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [When performing audits in multi-client environments, care should be taken to ensure that risks to another client's environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated. 4.13.3 96] | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Preventive | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Detective | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Detective | |
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Preventive | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Preventive | |
Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Preventive | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Audits and risk management | Preventive | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Preventive | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Preventive | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Preventive | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Preventive | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Preventive | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Preventive | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Preventive | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Preventive | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Preventive | |
Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 | Acquisition or sale of facilities, technology, and services | Preventive | |
Notify the supervisory authority. CC ID 00472 [Institutions, without prejudice to Article 19(6) of Directive (EU) 2015/2366, and payment institutions should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with the competent authorities about the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important and provide at least the information specified in paragraph 54. 4.11 58 Institutions and payment institutions should inform competent authorities in a timely manner of material changes and/or severe events regarding their outsourcing arrangements that could have a material impact on the continuing provision of the institutions' or payment institutions' business activities. 4.11 59] | Privacy protection for information and data | Preventive | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Detective | |
Assist with local logistics in support of supply chain onsite investigations. CC ID 08920 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze the business environment in which the organization operates. CC ID 12798 | Leadership and high level objectives | Preventive | |
Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Preventive | |
Analyze the external environment in which the organization operates. CC ID 12799 | Leadership and high level objectives | Preventive | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 | Leadership and high level objectives | Preventive | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Preventive | |
Include society in the analysis of the external environment. CC ID 12963 | Leadership and high level objectives | Preventive | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Preventive | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Preventive | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Preventive | |
Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Preventive | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Preventive | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Leadership and high level objectives | Preventive | |
Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Preventive | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Leadership and high level objectives | Preventive | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Leadership and high level objectives | Preventive | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Leadership and high level objectives | Preventive | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Leadership and high level objectives | Preventive | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Preventive | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Preventive | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Preventive | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Preventive | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 | Leadership and high level objectives | Preventive | |
Enforce a continuous Quality Control system. CC ID 01005 [{performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104] | Leadership and high level objectives | Detective | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Corrective | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Detective | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Detective | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Leadership and high level objectives | Preventive | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Preventive | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Preventive | |
Estimate the costs of implementing the compliance framework. CC ID 07191 | Leadership and high level objectives | Preventive | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Preventive | |
Implement a fraud detection system. CC ID 13081 | Monitoring and measurement | Preventive | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Preventive | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Preventive | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Detective | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Preventive | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Preventive | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Preventive | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Preventive | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Preventive | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Preventive | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Preventive | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Preventive | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Preventive | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Corrective | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Preventive | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Detective | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Preventive | |
Integrate the risk management program into daily business decision-making. CC ID 13659 | Audits and risk management | Preventive | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Preventive | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Preventive | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Preventive | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the measures implemented by the institution or payment institution and by the service provider to manage and mitigate the risks. 4.12.2 66(d) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44 {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d) When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Audits and risk management | Preventive | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Preventive | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Preventive | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Preventive | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Preventive | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Preventive | |
Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Preventive | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Preventive | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Preventive | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Preventive | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Preventive | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Detective | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Preventive | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Preventive | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Preventive | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{be adequate} In accordance with Article 109(2) of Directive 2013/36/EU, these guidelines should also apply on a sub-consolidated and consolidated basis, taking into account the prudential scope of consolidation. For this purpose, the EU parent undertakings or the parent undertaking in a Member State should ensure that internal governance arrangements, processes and mechanisms in their subsidiaries, including payment institutions, are consistent, well integrated and adequate for the effective application of these guidelines at all relevant levels. 4.2 21] | Operational management | Preventive | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Preventive | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Preventive | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Preventive | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Preventive | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Preventive | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Operational management | Preventive | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Preventive | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorised; 4.4 31(a) {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation by a competent authority, as referred to in Section 12.1. 4.4 29(c) {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a) Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is authorised or registered by a competent authority to perform such banking activities or payment services; or 4.12.1 62(a)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain payment systems. CC ID 13539 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Preventive | |
Define risk levels for Automated Clearing House activities, as necessary. CC ID 13542 | Acquisition or sale of facilities, technology, and services | Preventive | |
Determine Automated Clearing House exposure limits, as necessary. CC ID 13549 | Acquisition or sale of facilities, technology, and services | Preventive | |
Adjust the originator's activity levels to match Automated Clearing House exposure limits, as necessary. CC ID 13565 | Acquisition or sale of facilities, technology, and services | Corrective | |
Adjust the originator's credit rating to match Automated Clearing House exposure limits, as necessary. CC ID 13564 | Acquisition or sale of facilities, technology, and services | Corrective | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Acquisition or sale of facilities, technology, and services | Preventive | |
Restrict transaction activities, as necessary. CC ID 16334 | Acquisition or sale of facilities, technology, and services | Preventive | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Acquisition or sale of facilities, technology, and services | Preventive | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Acquisition or sale of facilities, technology, and services | Preventive | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Acquisition or sale of facilities, technology, and services | Preventive | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Acquisition or sale of facilities, technology, and services | Preventive | |
Protect the integrity of application service transactions. CC ID 12017 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Acquisition or sale of facilities, technology, and services | Preventive | |
Bill and settle electronic commerce transactions. CC ID 08622 | Acquisition or sale of facilities, technology, and services | Preventive | |
Deliver incoming and outgoing electronic commerce transactions and messages to the correct Internet Protocol address. CC ID 08620 | Acquisition or sale of facilities, technology, and services | Preventive | |
Use a risk-based approach to following up situations where customer notifications regarding electronic commerce transactions cannot be delivered. CC ID 13663 | Acquisition or sale of facilities, technology, and services | Corrective | |
Disseminate and communicate transaction exceptions to consumers. CC ID 08619 | Acquisition or sale of facilities, technology, and services | Preventive | |
Correct billing and settlement errors. CC ID 08623 | Acquisition or sale of facilities, technology, and services | Corrective | |
Withhold payment and settlement functions, as necessary. CC ID 15460 | Acquisition or sale of facilities, technology, and services | Preventive | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Preventive | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Preventive | |
Terminate supplier relationships, as necessary. CC ID 13489 [{be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: discontinue the business activities that are depending on the function. 4.6 40(f)(iii)] | Third Party and supply chain oversight | Corrective | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f) The outsourcing agreement for critical or important functions should set out at least: provisions that ensure that the data that are owned by the institution or payment institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider; 4.13 75(m) With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a) When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g) {be able} {be necessary} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain, upon request, the information necessary to carry out their supervisory tasks pursuant to Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; 4.12.1 63(c)(i) {be able} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain appropriate access to any data, documents, premises or personnel in the third country that are relevant for the performance of their supervisory powers; 4.12.1 63(c)(ii)] | Third Party and supply chain oversight | Preventive | |
Include disclosure requirements in third party contracts. CC ID 08825 [Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86] | Third Party and supply chain oversight | Preventive | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Preventive | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Detective | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Corrective | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a) where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b) When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70] | Third Party and supply chain oversight | Preventive | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Preventive | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 [Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73] | Third Party and supply chain oversight | Preventive | |
Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Preventive | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Preventive | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Preventive | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 [{selection process} Before entering into an outsourcing arrangement and considering the operational risks related to the function to be outsourced, institutions and payment institutions should ensure in their selection and assessment process that the service provider is suitable. 4.12.3 69 {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70] | Third Party and supply chain oversight | Preventive | |
Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Preventive | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)] | Third Party and supply chain oversight | Preventive | |
Provide management support for third party due diligence. CC ID 08847 | Third Party and supply chain oversight | Preventive | |
Commit to the supply chain due diligence process. CC ID 08849 | Third Party and supply chain oversight | Preventive | |
Structure the organization to support supply chain due diligence. CC ID 08850 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851 [where those institutions or payment institutions have outsourcing arrangements with service providers within the group or the institutional protection scheme, the management body of those institutions or payment institutions retains, also for these outsourcing arrangements, full responsibility for compliance with all regulatory requirements and the effective application of these guidelines; 4.2 22(a) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 | Third Party and supply chain oversight | Preventive | |
Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 | Third Party and supply chain oversight | Preventive | |
Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 | Third Party and supply chain oversight | Preventive | |
Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 | Third Party and supply chain oversight | Preventive | |
Develop and implement supply chain due diligence capability training program. CC ID 08862 | Third Party and supply chain oversight | Preventive | |
Determine if additional supply chain due diligence processes are required. CC ID 08863 | Third Party and supply chain oversight | Preventive | |
Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v) Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)] | Third Party and supply chain oversight | Preventive | |
Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 | Third Party and supply chain oversight | Preventive | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: due diligence checks on prospective service providers, including the measures required under Section 12.3; 4.7 42(c)(iv) Before entering into any outsourcing arrangement, institutions and payment institutions should: undertake appropriate due diligence on the prospective service provider in accordance with Section 12.3; 4.12 61(d) {financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)] | Third Party and supply chain oversight | Preventive | |
Identify all service providers in the supply chain. CC ID 12213 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f)] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Third Party and supply chain oversight | Detective | |
Assess third parties' relevant experience during due diligence. CC ID 12070 [{be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70] | Third Party and supply chain oversight | Detective | |
Assess third parties' legal risks to the organization during due diligence. CC ID 12078 [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a) {legal requirement} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: comply with all legal and regulatory requirements; 4.4 31(c)(ii) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the laws in force, including laws on data protection; 4.12.2 68(d)(i) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the law enforcement provisions in place; and 4.12.2 68(d)(ii) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)] | Third Party and supply chain oversight | Detective | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{takeover} Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: in the case of significant institutions, the step-in risk, i.e. the risk that may result from the need to provide financial support to a service provider in distress or to take over its business operations; and 4.12.2 66(c) When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: business continuity and operational resilience; 4.4 31(b)(ii) {recovery planning} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation; 4.4 31(b)(v) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)] | Third Party and supply chain oversight | Detective | |
Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity on the institution or payment institution and its clients, including but not limited to compliance with Regulation (EU) 2016/679. 4.4 31(j)] | Third Party and supply chain oversight | Detective | |
Assess third parties' abilities to provide services during due diligence. CC ID 12074 [{be the same} Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: multiple outsourcing arrangements with the same service provider or closely connected service providers; 4.12.2 66(a)(ii) {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact on the services provided to its clients; 4.4 31(d) Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is otherwise allowed to carry out those banking activities or payment services in accordance with the relevant national legal framework. 4.12.1 62(b)] | Third Party and supply chain oversight | Detective | |
Assess third parties' financial stability during due diligence. CC ID 12066 [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a) Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether the service provider is a parent undertaking or subsidiary of the institution or payment institution, is part of the accounting scope of consolidation of the institution or is a member of or is owned by institutions that are members of the same institutional protection scheme to which the institution belongs; 4.12.3 71(c) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses; 4.4 31(b)(i)] | Third Party and supply chain oversight | Detective | |
Assess third parties' use of subcontractors during due diligence. CC ID 12073 [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risks associated with sub-outsourcing, including the additional risks that may arise if the sub-contractor is located in a third country or a different country from the service provider; 4.12.2 67(a) Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73] | Third Party and supply chain oversight | Detective | |
Assess third parties' insurance coverage during due diligence. CC ID 12072 | Third Party and supply chain oversight | Detective | |
Assess the third parties' reputation during due diligence. CC ID 12068 [Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: the long-term relationships with service providers that have already been assessed and perform services for the institution or payment institution; 4.12.3 71(b) {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: reputational risks; 4.4 31(b)(iv)] | Third Party and supply chain oversight | Detective | |
Assess any litigation case files against third parties during due diligence. CC ID 12071 | Third Party and supply chain oversight | Detective | |
Assess complaints against third parties during due diligence. CC ID 12069 | Third Party and supply chain oversight | Detective | |
Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Third Party and supply chain oversight | Preventive | |
Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 | Third Party and supply chain oversight | Preventive | |
Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 | Third Party and supply chain oversight | Preventive | |
Determine if suppliers can meet the organization's production requirements. CC ID 11559 | Third Party and supply chain oversight | Preventive | |
Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 | Third Party and supply chain oversight | Preventive | |
Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 | Third Party and supply chain oversight | Preventive | |
Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 | Third Party and supply chain oversight | Detective | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Preventive | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 | Third Party and supply chain oversight | Detective | |
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34 {data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82 {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b) {third-party certifications} {third-party audit report} {are current} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: thoroughly assess the content of the certifications or audit reports on an ongoing basis and verify that the reports or certifications are not obsolete; 4.13.3 93(c)] | Third Party and supply chain oversight | Preventive | |
Determine third party compliance with third party contracts. CC ID 08866 | Third Party and supply chain oversight | Preventive | |
Quarantine non-compliant material. CC ID 08867 | Third Party and supply chain oversight | Preventive | |
Refrain from quarantining conflict-free materials. CC ID 08868 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 | Third Party and supply chain oversight | Preventive | |
Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856 [where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c) Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64] | Third Party and supply chain oversight | Preventive | |
Establish and maintain a supply chain due diligence report. CC ID 08824 | Third Party and supply chain oversight | Preventive | |
Submit the supply chain due diligence report. CC ID 08828 | Third Party and supply chain oversight | Preventive | |
Include supply chain risk assessment reports in the supply chain due diligence report. CC ID 08835 [Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102] | Third Party and supply chain oversight | Preventive | |
Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837 [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)] | Third Party and supply chain oversight | Preventive | |
Include supplier agreement terminations in the supply chain due diligence report. CC ID 08845 [As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52] | Third Party and supply chain oversight | Preventive | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [{outsourcing policy} {ongoing basis} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the ongoing assessment of the service provider's performance in line with Section 14; 4.7 42(d)(i) evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and 4.14 104(b) {performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104 {audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: 4.4 31(b)] | Third Party and supply chain oversight | Detective | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 | Third Party and supply chain oversight | Preventive | |
Identify red flags in the supply chain. CC ID 08873 | Third Party and supply chain oversight | Preventive | |
Detect red flags in the supply chain. CC ID 08874 | Third Party and supply chain oversight | Preventive | |
Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 | Third Party and supply chain oversight | Preventive | |
Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 | Third Party and supply chain oversight | Preventive | |
Establish and maintain an interactive map of third party red flag locations. CC ID 08876 | Third Party and supply chain oversight | Preventive | |
Collect information on red-flagged supply chains. CC ID 08877 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a system of transparency and controls over the entire supply chain. CC ID 08879 [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risk that long and complex chains of sub-outsourcing reduce the ability of institutions or payment institutions to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them. 4.12.2 67(b) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain supply chain onsite investigation procedures. CC ID 08919 [{site visit} Before a planned on-site visit, institutions, payment institutions, competent authorities and auditors or third parties acting on behalf of the institution, payment institution or competent authorities should provide reasonable notice to the service provider, unless this is not possible due to an emergency or crisis situation or would lead to a situation where the audit would no longer be effective. 4.13.3 95] | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Preventive | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Leadership and high level objectives | Preventive | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Preventive | |
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Corrective | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Preventive | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Leadership and high level objectives | Preventive | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Preventive | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Preventive | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Preventive | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Preventive | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Preventive | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Preventive | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Preventive | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Preventive | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Preventive | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Preventive | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Preventive | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Preventive | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Preventive | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Preventive | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Preventive | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Preventive | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Preventive | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Preventive | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Preventive | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Preventive | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Preventive | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Preventive | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Preventive | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Preventive | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Acquisition or sale of facilities, technology, and services | Preventive | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Acquisition or sale of facilities, technology, and services | Preventive | |
Notify affected parties after successful card-not-present transactions. CC ID 13668 | Acquisition or sale of facilities, technology, and services | Preventive | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Preventive | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 [{electronic format} Institutions and payment institutions should, upon request, make available to the competent authority either the full register of all existing outsourcing arrangements or sections specified thereof, such as information on all outsourcing arrangements falling under one of the categories referred to in point (d) of paragraph 54 of these guidelines (e.g. all IT outsourcing arrangements). Institutions and payment institutions should provide this information in a processable electronic form (e.g. a commonly used database format, comma separated values). 4.11 56] | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Preventive | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Preventive | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Preventive | |
Employ Remote Deposit Capture systems, as necessary. CC ID 13570 | Acquisition or sale of facilities, technology, and services | Preventive | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Preventive | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Preventive | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Preventive | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Preventive | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Preventive | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Preventive | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Preventive | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Preventive | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Preventive | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Preventive | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Preventive | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Preventive | |
Define the scope of the security policy. CC ID 07145 | Leadership and high level objectives | Preventive | |
Address Information Security during the business planning processes. CC ID 06495 | Leadership and high level objectives | Preventive | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Preventive | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Detective | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Preventive | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Preventive | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Preventive | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Preventive | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Preventive | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Preventive | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Detective | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Acquisition or sale of facilities, technology, and services | Preventive | |
Make electronic commerce order information available to the customer who ordered the product. CC ID 04585 | Acquisition or sale of facilities, technology, and services | Preventive | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Preventive | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Preventive | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Detective | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Detective | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Detective | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Detective | |
Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Privacy protection for information and data | Preventive | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Preventive | |
Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Preventive | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Preventive | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Preventive | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Preventive | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Detective | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Preventive | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Preventive | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Preventive | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Preventive | |
Establish and maintain a compliance oversight committee. CC ID 00765 [meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)] | Leadership and high level objectives | Detective | |
Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 | Leadership and high level objectives | Preventive | |
Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 | Leadership and high level objectives | Preventive | |
Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 | Leadership and high level objectives | Preventive | |
Involve the Board of Directors or senior management in Information Governance. CC ID 00609 | Leadership and high level objectives | Preventive | |
Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 | Leadership and high level objectives | Preventive | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Audits and risk management | Preventive | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Preventive | |
Assign the audit to impartial auditors. CC ID 07118 | Audits and risk management | Preventive | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Preventive | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [{be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)] | Audits and risk management | Preventive | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a)] | Human Resources management | Preventive | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Human Resources management | Preventive | |
Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)] | Human Resources management | Preventive | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Preventive | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Human Resources management | Preventive | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Human Resources management | Preventive | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Human Resources management | Preventive | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Human Resources management | Preventive | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Human Resources management | Preventive | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Human Resources management | Preventive | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Human Resources management | Preventive | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Human Resources management | Preventive | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Human Resources management | Preventive | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Human Resources management | Preventive | |
Assign a contact person to all business units. CC ID 07144 | Human Resources management | Preventive | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Preventive | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Preventive | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Preventive | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Preventive | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term (Mandated - bold; Implied - italic; Implementation - regular) | IMPACT ZONE | CLASS | |
---|---|---|---|
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [When developing exit strategies, institutions and payment institutions should: define the objectives of the exit strategy; 4.15 108(a)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Preventive | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Preventive | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Preventive | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Preventive | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Preventive | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Preventive | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Preventive | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Preventive | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Preventive | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Preventive | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Preventive | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Preventive | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Leadership and high level objectives | Preventive | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Preventive | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Preventive | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Preventive | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Preventive | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Preventive | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Preventive | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Preventive | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Preventive | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Preventive | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Leadership and high level objectives | Preventive | |
Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Detective | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Leadership and high level objectives | Preventive | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Leadership and high level objectives | Preventive | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Leadership and high level objectives | Preventive | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Leadership and high level objectives | Preventive | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Leadership and high level objectives | Preventive | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Leadership and high level objectives | Preventive | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Leadership and high level objectives | Preventive | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Leadership and high level objectives | Preventive | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Leadership and high level objectives | Preventive | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Leadership and high level objectives | Preventive | |
Include the data source in the data dictionary. CC ID 13519 | Leadership and high level objectives | Preventive | |
Include the nature of each element in the data dictionary. CC ID 13518 | Leadership and high level objectives | Preventive | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Preventive | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Preventive | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Preventive | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Preventive | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Preventive | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Preventive | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Preventive | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Leadership and high level objectives | Preventive | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Preventive | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Preventive | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Preventive | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Preventive | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Preventive | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Preventive | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Preventive | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Preventive | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Preventive | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Preventive | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Leadership and high level objectives | Preventive | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Preventive | |
Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Preventive | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Preventive | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [Institutions and payment institutions should maintain at all times sufficient substance and not become 'empty shells' or 'letter-box entities'. To this end, they should: 4.6 39] | Leadership and high level objectives | Preventive | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Preventive | |
Correlate Information Systems with applicable controls. CC ID 01621 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the setting of the institution's or payment institution's strategies and policies (e.g. the business model, the risk appetite, the risk management framework); 4.6 36(d)] | Leadership and high level objectives | Preventive | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41] | Leadership and high level objectives | Preventive | |
Include the effective date on all organizational policies. CC ID 06820 | Leadership and high level objectives | Preventive | |
Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Detective | |
Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Leadership and high level objectives | Preventive | |
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Leadership and high level objectives | Preventive | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Preventive | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Detective | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e) allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b) clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)] | Leadership and high level objectives | Preventive | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Preventive | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Preventive | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Preventive | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Preventive | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Corrective | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Preventive | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Preventive | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Preventive | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Preventive | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Preventive | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Detective | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Preventive | |
Align the Authority Document list with external requirements. CC ID 06288 | Leadership and high level objectives | Preventive | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Preventive | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Preventive | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Detective | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document. CC ID 01631 | Leadership and high level objectives | Preventive | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Preventive | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Preventive | |
Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 | Leadership and high level objectives | Detective | |
Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 | Leadership and high level objectives | Preventive | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 | Leadership and high level objectives | Detective | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Preventive | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: 4.7 42(c)] | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 [When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)] | Leadership and high level objectives | Preventive | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Preventive | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Preventive | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 [{Authority Document} When applying the principle of proportionality, institutions, payment institutions and competent authorities should take into account the criteria specified in Title I of the EBA Guidelines on internal governance in line with Article 74(2) of Directive 2013/36/EU. 4.1 20] | Leadership and high level objectives | Preventive | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32 {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)] | Leadership and high level objectives | Preventive | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Leadership and high level objectives | Preventive | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 | Leadership and high level objectives | Preventive | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 | Leadership and high level objectives | Detective | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Leadership and high level objectives | Preventive | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Monitoring and measurement | Preventive | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Preventive | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Preventive | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Preventive | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Preventive | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Preventive | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Preventive | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Preventive | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Preventive | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Preventive | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Preventive | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Preventive | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Preventive | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Preventive | |
Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Preventive | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Preventive | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Preventive | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Preventive | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Preventive | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Preventive | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Preventive | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)] | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Preventive | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Preventive | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Preventive | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Preventive | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Preventive | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Preventive | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Preventive | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Preventive | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Preventive | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Preventive | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Preventive | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Preventive | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Preventive | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Preventive | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Preventive | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Preventive | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Preventive | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Preventive | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Preventive | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Preventive | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Preventive | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Preventive | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Preventive | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 [{third party audit report} {are sufficient} For the outsourcing of critical or important functions, institutions and payment institutions should assess whether third-party certifications and reports as referred to in paragraph 91(b) are adequate and sufficient to comply with their regulatory obligations and should not rely solely on these reports over time. 4.13.3 92] | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit program. CC ID 00684 [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50] | Audits and risk management | Preventive | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Preventive | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Preventive | |
Establish and maintain audit terms. CC ID 13880 [{third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g)] | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Preventive | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Audits and risk management | Preventive | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Preventive | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Preventive | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Preventive | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Preventive | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Preventive | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Preventive | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Preventive | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Audits and risk management | Preventive | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Preventive | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Preventive | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Preventive | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Preventive | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Preventive | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Preventive | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Preventive | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Preventive | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Preventive | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Preventive | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Preventive | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Preventive | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Preventive | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Preventive | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Preventive | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Detective | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Preventive | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Preventive | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Preventive | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Preventive | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Preventive | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Preventive | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that key systems and controls are covered in future versions of the certification or audit report; 4.13.3 93(d) {access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Audits and risk management | Preventive | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Preventive | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Preventive | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Preventive | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Preventive | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Preventive | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Preventive | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Preventive | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Preventive | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Preventive | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Preventive | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Preventive | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Preventive | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Preventive | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Preventive | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Preventive | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Preventive | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Preventive | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Preventive | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Preventive | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Preventive | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Preventive | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Preventive | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Detective | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Preventive | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Preventive | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Preventive | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Preventive | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Preventive | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Preventive | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Preventive | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Preventive | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Preventive | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Preventive | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Preventive | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Preventive | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Preventive | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Preventive | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Preventive | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Preventive | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Preventive | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Preventive | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Preventive | |
Include how access to in scope systems, personnel, and in scope records is provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Preventive | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Audits and risk management | Preventive | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's report on management's assertions, as necessary. CC ID 13888 | Audits and risk management | Preventive | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Corrective | |
Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Preventive | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Preventive | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Preventive | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Preventive | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Preventive | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Preventive | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Preventive | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Preventive | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Preventive | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Preventive | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Preventive | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Preventive | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Preventive | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Preventive | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Preventive | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Preventive | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Preventive | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Preventive | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Preventive | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Preventive | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Preventive | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Preventive | |
Establish, implement, and maintain a practitioner's report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Preventive | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Preventive | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Preventive | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Preventive | |
Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Preventive | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Detective | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Preventive | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Preventive | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Preventive | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Preventive | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Preventive | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Preventive | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Preventive | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Preventive | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Preventive | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Preventive | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Preventive | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Preventive | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Preventive | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Preventive | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Preventive | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Preventive | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Preventive | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Preventive | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Preventive | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Preventive | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures involve collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Preventive | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Preventive | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Preventive | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Preventive | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Preventive | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Preventive | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Preventive | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Preventive | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Preventive | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Preventive | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Preventive | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Preventive | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Preventive | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Preventive | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Preventive | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Preventive | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Preventive | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Preventive | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Preventive | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Preventive | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Preventive | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Preventive | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Preventive | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Preventive | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Preventive | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Preventive | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Preventive | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Preventive | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Preventive | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Preventive | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Preventive | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Preventive | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Preventive | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Preventive | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Preventive | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Detective | |
Review past audit reports. CC ID 01155 | Audits and risk management | Detective | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Detective | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Detective | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Preventive | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Preventive | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Preventive | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Corrective | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Preventive | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Preventive | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Preventive | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Corrective | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Preventive | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Preventive | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Preventive | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Preventive | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Preventive | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Preventive | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Preventive | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Audits and risk management | Preventive | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Preventive | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Preventive | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Preventive | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Corrective | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Preventive | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Preventive | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Preventive | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Preventive | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Preventive | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Detective | |
Accept the audit report. CC ID 07025 | Audits and risk management | Preventive | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Corrective | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Audits and risk management | Preventive | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Preventive | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Preventive | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Preventive | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Preventive | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Preventive | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Preventive | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Preventive | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Preventive | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Preventive | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Preventive | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Preventive | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Preventive | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Preventive | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk management program. CC ID 12051 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Audits and risk management | Preventive | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Preventive | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Audits and risk management | Preventive | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Preventive | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 [{be difficult} {substitute} Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: outsourcing to a dominant service provider that is not easily substitutable; and 4.12.2 66(a)(i) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to reintegrate the outsourced function into the institution or payment institution, if necessary or desirable; 4.4 31(i) {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: transfer the function to alternative service providers; 4.6 40(f)(i)] | Audits and risk management | Preventive | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Preventive | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Preventive | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Audits and risk management | Preventive | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Preventive | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Preventive | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Preventive | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Preventive | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Preventive | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Preventive | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Preventive | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Preventive | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Preventive | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Preventive | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Preventive | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Preventive | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Preventive | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Preventive | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Preventive | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Preventive | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Preventive | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Preventive | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Preventive | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Preventive | |
Document cybersecurity risks. CC ID 12281 | Audits and risk management | Preventive | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Preventive | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Preventive | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Preventive | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Preventive | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Preventive | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Preventive | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Preventive | |
Document organizational risk criteria. CC ID 12277 | Audits and risk management | Preventive | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Preventive | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Preventive | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Preventive | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Preventive | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Preventive | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Preventive | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Preventive | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Preventive | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Preventive | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Preventive | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Audits and risk management | Preventive | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Detective | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Detective | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Preventive | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Preventive | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Preventive | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Preventive | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Preventive | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Preventive | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Preventive | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Preventive | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Preventive | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Audits and risk management | Preventive | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Preventive | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Detective | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Preventive | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Audits and risk management | Preventive | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Preventive | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Preventive | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Corrective | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Preventive | |
Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Preventive | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Preventive | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Preventive | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Preventive | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Preventive | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Preventive | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Preventive | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Audits and risk management | Preventive | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Audits and risk management | Corrective | |
Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Preventive | |
Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Preventive | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Corrective | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Preventive | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Preventive | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Audits and risk management | Preventive | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Preventive | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Preventive | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Preventive | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Preventive | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Preventive | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Preventive | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Preventive | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Preventive | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Preventive | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Preventive | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Preventive | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Preventive | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Preventive | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Preventive | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103 When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Preventive | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Preventive | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48 {business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)] | Operational and Systems Continuity | Preventive | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49 {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Preventive | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Preventive | |
Define and prioritize critical business functions. CC ID 00736 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii) The outsourcing policy should differentiate between the following: outsourcing of critical or important functions and other outsourcing arrangements; 4.7 43(a) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a) Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the outsourcing arrangement concerns a critical or important function, as set out in Title II; 4.12 61(a) If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77 Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100 {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88] | Operational and Systems Continuity | Detective | |
Review and prioritize the importance of each business process. CC ID 11689 | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77] | Operational and Systems Continuity | Preventive | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 [When developing exit strategies, institutions and payment institutions should: define success criteria for the transition of outsourced functions and data; and 4.15 108(d)] | Operational and Systems Continuity | Preventive | |
Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Operational and Systems Continuity | Preventive | |
Include recovery procedures in the continuity test plan. CC ID 14876 | Operational and Systems Continuity | Preventive | |
Include test scripts in the continuity test plan. CC ID 14875 | Operational and Systems Continuity | Preventive | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Operational and Systems Continuity | Preventive | |
Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Operational and Systems Continuity | Preventive | |
Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Operational and Systems Continuity | Preventive | |
Include contact information in the continuity test plan. CC ID 14399 | Operational and Systems Continuity | Preventive | |
Include testing all system components in the continuity test plan. CC ID 13508 | Operational and Systems Continuity | Preventive | |
Include test scenarios in the continuity test plan. CC ID 13506 | Operational and Systems Continuity | Preventive | |
Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Operational and Systems Continuity | Preventive | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Preventive | |
Define the scope for the security operations center. CC ID 15713 | Human Resources management | Preventive | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Preventive | |
Establish, implement, and maintain candidate selection procedures to the board of directors. CC ID 14782 | Human Resources management | Preventive | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Preventive | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Human Resources management | Preventive | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Human Resources management | Preventive | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)] | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Preventive | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Preventive | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Preventive | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Preventive | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Preventive | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Preventive | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Detective | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Preventive | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Detective | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Preventive | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94] | Operational management | Preventive | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Preventive | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Preventive | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Preventive | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Preventive | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Preventive | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Preventive | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Preventive | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Preventive | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Preventive | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Preventive | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Preventive | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Preventive | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Preventive | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Detective | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Preventive | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [Institutions and payment institutions that are subsidiaries of an EU parent undertaking or of a parent undertaking in a Member State to which no waivers have been granted on the basis of Article 21 of Directive 2013/36/EU or Article 109(1) of Directive 2013/36/EU in conjunction with Article 7 of Regulation (EU) No 575/2013 should ensure that they comply with these Guidelines on an individual basis. 4.2 25 Institutions, payment institutions and competent authorities should, when complying or supervising compliance with these guidelines, have regard to the principle of proportionality. The proportionality principle aims to ensure that governance arrangements, including those related to outsourcing, are consistent with the individual risk profile, the nature and business model of the institution or payment institution, and the scale and complexity of their activities so that the objectives of the regulatory requirements are effectively achieved. 4.1 18 {third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34 The management body is at all times fully responsible and accountable for at least: ensuring that the institution or payment institution meets on an ongoing basis the conditions with which it must comply to remain authorised, including any conditions imposed by the competent authority; 4.6 36(a) {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35 meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a)] | Operational management | Preventive | |
Establish, implement, and maintain a service management program. CC ID 11388 | Operational management | Preventive | |
Include the change management policy in the service management program. CC ID 13923 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii)] | Operational management | Preventive | |
Assign roles and responsibilities in the service management program. CC ID 11393 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b) When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c) clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)] | Operational management | Preventive | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 [When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c)] | Operational management | Preventive | |
Include service management procedures in the service management program. CC ID 11396 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii)] | Operational management | Preventive | |
Include continuity plans in the Service Management program. CC ID 13919 [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)] | Operational management | Preventive | |
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 [When outsourcing, institutions and payment institutions should at least ensure that: they maintain the orderliness of the conduct of their business and the banking and payment services they provide; 4.6 40(b)] | Operational management | Preventive | |
Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 | Operational management | Preventive | |
Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845 | Operational management | Detective | |
Include the organizational structure for service level management in the Service Level Agreement framework. CC ID 13633 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b) {organizational structure} retain a clear and transparent organisational framework and structure that enables them to ensure compliance with legal and regulatory requirements; 4.6 39(b)] | Operational management | Preventive | |
Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 | Operational management | Preventive | |
Include capacity planning in Service Level Agreements. CC ID 13096 | Operational management | Preventive | |
Include Operational Level Agreements within Service Level Agreements, as necessary. CC ID 13631 | Operational management | Preventive | |
Include funding sources in Service Level Agreements, as necessary. CC ID 13632 | Operational management | Preventive | |
Include business requirements of delivered services in the Service Level Agreement. CC ID 00840 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the definition of business requirements regarding outsourcing arrangements; 4.7 42(c)(i)] | Operational management | Preventive | |
Include the management requirements for network services in the Service Level Agreement. CC ID 12025 | Operational management | Preventive | |
Include notification requirements in the service level agreement. CC ID 16675 | Operational management | Preventive | |
Include performance requirements in the Service Level Agreement. CC ID 00841 | Operational management | Preventive | |
Include the service levels for network services in the Service Level Agreement. CC ID 12024 | Operational management | Preventive | |
Include the consequences for failure to meet service levels in Service Level Agreements. CC ID 15698 | Operational management | Preventive | |
Include availability requirements in Service Level Agreements. CC ID 13095 | Operational management | Preventive | |
Establish and maintain a service catalog. CC ID 13634 | Operational management | Preventive | |
Include a service description in the service catalog. CC ID 13917 | Operational management | Preventive | |
Assign unique reference numbers to all services in the service catalog. CC ID 14424 [The register should include at least the following information for all existing outsourcing arrangements: a reference number for each outsourcing arrangement; 4.11 54(a)] | Operational management | Preventive | |
Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 [{outsourcing arrangements} {time sensitive operation} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether the outsourced critical or important function supports business operations that are time-critical; 4.11 55(j) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: an outcome of the assessment of the service provider's substitutability (as easy, difficult or impossible), the possibility of reintegrating a critical or important function into the institution or the payment institution or the impact of discontinuing the critical or important function; 4.11 55(h)] | Operational management | Preventive | |
Categorize services in the service catalog. CC ID 14419 | Operational management | Preventive | |
Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 [As a general principle, institutions and payment institutions should not consider the following as outsourcing: a function that is legally required to be performed by a service provider, e.g. statutory audit; 4.3 28(a) As a general principle, institutions and payment institutions should not consider the following as outsourcing: global network infrastructures (e.g. Visa, MasterCard); 4.3 28(c) As a general principle, institutions and payment institutions should not consider the following as outsourcing: correspondent banking services; and 4.3 28(f) As a general principle, institutions and payment institutions should not consider the following as outsourcing: the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution's or payment institution's premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators), goods (e.g. plastic cards, card readers, office supplies, personal computers, furniture) or utilities (e.g. electricity, gas, water, telephone line). 4.3 28(g) As a general principle, institutions and payment institutions should not consider the following as outsourcing: clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members; 4.3 28(d) As a general principle, institutions and payment institutions should not consider the following as outsourcing: market information services (e.g. provision of data by Bloomberg, Moody's, Standard & Poor's, Fitch); 4.3 28(b) As a general principle, institutions and payment institutions should not consider the following as outsourcing: global financial messaging infrastructures that are subject to oversight by relevant authorities; 4.3 28(e)] | Operational management | Preventive | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Preventive | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Preventive | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Preventive | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Preventive | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 [For the outsourcing of critical or important functions, the register should include at least the following additional information: the individual or decision-making body (e.g. the management body) in the institution or the payment institution that approved the outsourcing arrangement; 4.11 55(d)] | Records management | Preventive | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Preventive | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Preventive | |
Establish, implement, and maintain expedited recredit procedures. CC ID 13574 | Acquisition or sale of facilities, technology, and services | Preventive | |
Document the business need justification for payment page scripts. CC ID 15480 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include security requirements in system acquisition contracts. CC ID 01124 | Acquisition or sale of facilities, technology, and services | Preventive | |
Include operational requirements in system acquisition contracts. CC ID 00825 [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function; 4.4 29(b)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [{not authorized} The outsourcing policy should differentiate between the following: outsourcing to service providers that are authorised by a competent authority and those that are not; 4.7 43(b)] | Acquisition or sale of facilities, technology, and services | Preventive | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a data handling program. CC ID 13427 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Detective | |
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Preventive | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Preventive | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e) When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a)] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the approval process of new outsourcing arrangements; 4.7 42(c)(vii) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the renewal processes; 4.7 42(d)(iv) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f) Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80 {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42 {substitutability} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so ('substitutability'); 4.4 31(h) The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)] | Third Party and supply chain oversight | Preventive | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Preventive | |
Document and maintain supply chain processes. CC ID 08816 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain an exit plan. CC ID 15492 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Preventive | |
Include contingency plans in the third party management plan. CC ID 10030 [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: business continuity planning in accordance with Section 9; 4.7 42(c)(vi) develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a) Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106 {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: reintegrate the function; or 4.6 40(f)(ii)] | Third Party and supply chain oversight | Preventive | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Preventive | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [The outsourcing agreement for critical or important functions should set out at least: a clear description of the outsourced function to be provided; 4.13 75(a)] | Third Party and supply chain oversight | Preventive | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Preventive | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 [Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100 When outsourcing, institutions and payment institutions should at least ensure that: an appropriate flow of relevant information with service providers is maintained; 4.6 40(e)] | Third Party and supply chain oversight | Preventive | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Preventive | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Preventive | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Preventive | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 [Where an arrangement with a service provider covers multiple functions, institutions and payment institutions should consider all aspects of the arrangement within their assessment, e.g. if the service provided includes the provision of data storage hardware and the backup of data, both aspects should be considered together. 4.3 27] | Third Party and supply chain oversight | Preventive | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Preventive | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Preventive | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Preventive | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Preventive | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Preventive | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Preventive | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in third party contracts. CC ID 13487 [{data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a) {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)] | Third Party and supply chain oversight | Preventive | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Preventive | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Preventive | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Preventive | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34 The outsourcing agreement for critical or important functions should set out at least: the parties' financial obligations; 4.13 75(d)] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 [{access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89 {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b) With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 [Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: receive, as soon as possible, information from the supervisory authority in the third country for investigating apparent breaches of the requirements of Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; and 4.12.1 63(c)(iii)] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [The outsourcing agreement for critical or important functions should set out at least: the obligation of the service provider to cooperate with the competent authorities and resolution authorities of the institution or payment institution, including other persons appointed by them; 4.13 75(n) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b) {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a)] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Preventive | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [When outsourcing, institutions and payment institutions should at least ensure that: appropriate confidentiality arrangements are in place regarding data and other information; 4.6 40(d)] | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Preventive | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 [With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)] | Third Party and supply chain oversight | Preventive | |
Include a reporting structure in third party contracts. CC ID 06532 [The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)] | Third Party and supply chain oversight | Preventive | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Preventive | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Preventive | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a) The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j) The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l) {third party audit report} Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: third-party certifications and third-party or internal audit reports, made available by the service provider. 4.13.3 91(b)] | Third Party and supply chain oversight | Preventive | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 [The outsourcing agreement for critical or important functions should set out at least: the unrestricted right of institutions, payment institutions and competent authorities to inspect and audit the service provider with regard to, in particular, the critical or important outsourced function, as specified in Section 13.3; 4.13 75(p) The outsourcing agreement for critical or important functions should set out at least: the right of the institution or payment institution to monitor the service provider's performance on an ongoing basis; 4.13 75(h) Institutions and payment institutions should ensure within the written outsourcing arrangement that the internal audit function is able to review the outsourced function using a risk-based approach. 4.13.3 85 {access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89 {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b) {third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g) {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: conduct appropriate audits regarding the outsourced function; 4.4 31(c)(iii)] | Third Party and supply chain oversight | Preventive | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 [The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l)] | Third Party and supply chain oversight | Preventive | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Preventive | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 [The outsourcing agreement should specify whether or not sub-outsourcing of critical or important functions, or material parts thereof, is permitted. 4.13.1 76 The outsourcing agreement for critical or important functions should set out at least: whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in Section 13.1 that the sub-outsourcing is subject to; 4.13 75(e)] | Third Party and supply chain oversight | Preventive | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify the conditions to be complied with in the case of sub-outsourcing; 4.13.1 78(b) Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: comply with all applicable laws, regulatory requirements and contractual obligations; and 4.13.1 79(a) Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: grant the institution, payment institution and competent authority the same contractual rights of access and audit as those granted by the service provider. 4.13.1 79(b)] | Third Party and supply chain oversight | Preventive | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84 The outsourcing agreement for critical or important functions should set out at least: the governing law of the agreement; 4.13 75(c) Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86] | Third Party and supply chain oversight | Preventive | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f) The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are material changes affecting the outsourcing arrangement or the service provider (e.g. sub-outsourcing or changes of sub-contractors); 4.13.4 98(c) {refrain from replacing} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement; 4.4 31(g)] | Third Party and supply chain oversight | Preventive | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii) The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j) If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e) The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)] | Third Party and supply chain oversight | Preventive | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Preventive | |
Include change control notification processes in third party contracts. CC ID 06524 [institutions and payment institutions should ensure that their management body will be duly informed of relevant planned changes regarding service providers that are monitored centrally and the potential impact of these changes on the critical or important functions provided, including a summary of the risk analysis, including legal risks, compliance with regulatory requirements and the impact on service levels, in order for them to assess the impact of these changes; 4.2 23(b) If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e)] | Third Party and supply chain oversight | Preventive | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Preventive | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Preventive | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45 Where outsourcing creates material conflicts of interest, including between entities within the same group or institutional protection scheme, institutions and payment institutions need to take appropriate measures to manage those conflicts of interest. 4.8 46 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)] | Third Party and supply chain oversight | Preventive | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 [The outsourcing agreement for critical or important functions should set out at least: for institutions, a clear reference to the national resolution authority's powers, especially to Articles 68 and 71 of Directive 2014/59/EU (BRRD), and in particular a description of the 'substantive obligations' of the contract in the sense of Article 68 of that Directive; 4.13 75(o)] | Third Party and supply chain oversight | Preventive | |
Include a termination provision clause in third party contracts. CC ID 01367 [If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure that the institution or payment institution has the contractual right to terminate the agreement in the case of undue sub-outsourcing, e.g. where the sub-outsourcing materially increases the risks for the institution or payment institution or where the service provider sub-outsources without notifying the institution or payment institution. 4.13.1 78(g) The outsourcing agreement for critical or important functions should set out at least: termination rights, as specified in Section 13.4. 4.13 75(q) The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: 4.13.4 98 Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the termination of outsourcing arrangements; 4.15 106(a) The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where instructions are given by the institution's or payment institution's competent authority, e.g. in the case that the competent authority is, caused by the outsourcing arrangement, no longer in a position to effectively supervise the institution or payment institution. 4.13.4 98(e) The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: include an obligation of the service provider to support the institution or payment institution in the orderly transfer of the function in the event of the termination of the outsourcing agreement. 4.13.4 99(c) {ability} {refrain from disrupting} {refrain from limiting} {avoiding} Institutions and payment institutions should ensure that they are able to exit outsourcing arrangements without undue disruption to their business activities, without limiting their compliance with regulatory requirements and without any detriment to the continuity and quality of its provision of services to clients. To achieve this, they should: 4.15 107] | Third Party and supply chain oversight | Detective | |
Include early termination contingency plans in the third party contracts. CC ID 06526 [{re-incorporate} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: 4.13.4 99 identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b) The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: set an appropriate transition period, during which the service provider, after the termination of the outsourcing arrangement, would continue to provide the outsourced function to reduce the risk of disruptions; and 4.13.4 99(b)] | Third Party and supply chain oversight | Preventive | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 [The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where the provider of the outsourced functions is in a breach of applicable law, regulations or contractual provisions; 4.13.4 98(a) Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the failure of the service provider; 4.15 106(b)] | Third Party and supply chain oversight | Preventive | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Preventive | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 [The outsourcing agreement for critical or important functions should set out at least: whether the service provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested; 4.13 75(k)] | Third Party and supply chain oversight | Preventive | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{be able} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: cooperate with the relevant supervisory authorities in the third country on enforcement in the case of a breach of the applicable regulatory requirements and national law in the Member State. Cooperation should include, but not necessarily be limited to, receiving information on potential breaches of the applicable regulatory requirements from the supervisory authorities in the third country as soon as is practicable. 4.12.1 63(c)(iv)] | Third Party and supply chain oversight | Preventive | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Preventive | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Preventive | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Preventive | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83] | Third Party and supply chain oversight | Preventive | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Preventive | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: the soundness or continuity of their banking and payment services and activities; 4.4 29(a)(iii) In the case of institutions, particular attention should be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines and critical functions as defined in Article 2(1)(35) and 2(1)(36) of Directive 2014/59/EU and identified by institutions using the criteria set out in Articles 6 and 7 of Commission Delegated Regulation (EU) 2016/778. Functions that are necessary to perform activities of core business lines or critical functions should be considered as critical or important functions for the purpose of these guidelines, unless the institution's assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the operational continuity of the core business line or critical function. 4.4 30] | Third Party and supply chain oversight | Detective | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d) As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52] | Third Party and supply chain oversight | Preventive | |
Include required information in the Third Party Service Provider list. CC ID 14429 [The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e) The register should include at least the following information for all existing outsourcing arrangements: the date of the most recent assessment of the criticality or importance of the outsourced function. 4.11 54(i) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the estimated annual budget cost. 4.11 55(k) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)] | Third Party and supply chain oversight | Preventive | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g)] | Third Party and supply chain oversight | Preventive | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: identification of alternative service providers in line with point (h); 4.11 55(i)] | Third Party and supply chain oversight | Preventive | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 [The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e)] | Third Party and supply chain oversight | Preventive | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 [The register should include at least the following information for all existing outsourcing arrangements: the start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the service provider and for the institution or payment institution; 4.11 54(b)] | Third Party and supply chain oversight | Preventive | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d) The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c) The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)] | Third Party and supply chain oversight | Preventive | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 [{be critical} The register should include at least the following information for all existing outsourcing arrangements: whether or not (yes/no) the outsourced function is considered critical or important, including, where applicable, a brief summary of the reasons why the outsourced function is considered critical or important; 4.11 54(g) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)] | Third Party and supply chain oversight | Preventive | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 [The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c) The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)] | Third Party and supply chain oversight | Preventive | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g) The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the governing law of the outsourcing agreement; 4.11 55(e) The register should include at least the following information for all existing outsourcing arrangements: the country or countries where the service is to be performed, including the location (i.e. country or region) of the data; 4.11 54(f) The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)] | Third Party and supply chain oversight | Preventive | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Preventive | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Third Party and supply chain oversight | Preventive | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Third Party and supply chain oversight | Preventive | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 [When developing exit strategies, institutions and payment institutions should: define the indicators to be used for the monitoring of the outsourcing arrangement (as outlined under Section 14), including indicators based on unacceptable service levels that should trigger the exit. 4.15 108(e) allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)] | Third Party and supply chain oversight | Detective | |
Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Detective | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Detective | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [The outsourcing policy should differentiate between the following: intragroup outsourcing arrangements, outsourcing arrangements within the same institutional protection scheme (including entities fully owned individually or collectively by institutions within the institutional protection scheme) and outsourcing to entities outside the group; and 4.7 43(c) The outsourcing policy should differentiate between the following: outsourcing to service providers located within a Member State and third countries. 4.7 43(d) Institutions and payment institutions should establish whether an arrangement with a third party falls under the definition of outsourcing. Within this assessment, consideration should be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or an ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed this function in the past itself. 4.3 26 When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52 {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the institutions, payment institutions and other firms within the scope of the prudential consolidation or institutional protection scheme, where applicable, that make use of the outsourcing; 4.11 55(a) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether or not the service provider or sub-service provider is part of the group or a member of the institutional protection scheme or is owned by institutions or payment institutions within the group or is owned by members of an institutional protection scheme; 4.11 55(b) The register should include at least the following information for all existing outsourcing arrangements: a category assigned by the institution or payment institution that reflects the nature of the function as described under point (c) (e.g. information technology (IT), control function), which should facilitate the identification of different types of arrangements; 4.11 54(d)] | Third Party and supply chain oversight | Preventive | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32 {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii) where operational tasks of internal control functions are outsourced (e.g. in the case of intragroup outsourcing or outsourcing within institutional protection schemes), exercise appropriate oversight and be able to manage the risks that are generated by the outsourcing of critical or important functions; and 4.6 39(c) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: operational risk, including conduct, information and communication technology (ICT) and legal risks; 4.4 31(b)(iii)] | Third Party and supply chain oversight | Preventive | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: 4.12.2 66 {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their financial performance; or 4.4 29(a)(ii)] | Third Party and supply chain oversight | Preventive | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Preventive | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Preventive | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)] | Third Party and supply chain oversight | Preventive | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42] | Third Party and supply chain oversight | Preventive | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Preventive | |
Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Preventive | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 [When functions are provided by a service provider that is part of a group or a member of an institutional protection scheme or that is owned by the institution, payment institution, group or institutions that are members of an institutional protection scheme, the conditions, including financial conditions, for the outsourced service should be set at arm's length. However, within the pricing of services synergies resulting from providing the same or similar services to several institutions within a group or an institutional protection scheme may be factored in, as long as the service provider remains viable on a stand-alone basis; within a group this should be irrespective of the failure of any other group entity. 4.8 47] | Third Party and supply chain oversight | Preventive | |
Include a clear management process in the supply chain management policy. CC ID 08810 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 {not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d) {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)] | Third Party and supply chain oversight | Preventive | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Preventive | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 [Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101] | Third Party and supply chain oversight | Preventive | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Preventive | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Preventive | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Preventive | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Preventive | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Preventive | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Preventive | |
Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Preventive | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Preventive | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Preventive | |
Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 | Third Party and supply chain oversight | Preventive | |
Review transaction files for compliance with the supply chain audit standard. CC ID 08864 | Third Party and supply chain oversight | Preventive | |
Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 | Third Party and supply chain oversight | Preventive | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [{data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82 {confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84 {confidentiality, integrity, security and availability} The outsourcing agreement for critical or important functions should set out at least: where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as specified in Section 13.2; 4.13 75(g)] | Third Party and supply chain oversight | Preventive | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Third Party and supply chain oversight | Detective | |
Include the audit scope in the third party external audit report. CC ID 13138 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)] | Third Party and supply chain oversight | Preventive | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Detective | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations; 4.4 29(a)(i)] | Third Party and supply chain oversight | Detective | |
Request attestation of compliance from third parties. CC ID 12067 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)] | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a) ensuring that they receive appropriate reports from service providers; 4.14 104(a)] | Third Party and supply chain oversight | Preventive | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Preventive | |
Include performance standards in outsourcing contracts. CC ID 13140 [{be capable} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where impediments capable of altering the performance of the outsourced function are identified; 4.13.4 98(b)] | Third Party and supply chain oversight | Preventive | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 [{specific written authorisation} If sub-outsourcing of critical or important functions is permitted, the written agreement should: require the service provider to obtain prior specific or general written authorisation from the institution or payment institution before sub-outsourcing data; 4.13.1 78(d) If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure, where appropriate, that the institution or payment institution has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required; 4.13.1 78(f) If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify any types of activities that are excluded from sub-outsourcing; 4.13.1 78(a)] | Third Party and supply chain oversight | Preventive | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify that the service provider is obliged to oversee those services that it has subcontracted to ensure that all contractual obligations between the service provider and the institution or payment institution are continuously met; 4.13.1 78(c)] | Third Party and supply chain oversight | Preventive | |
Create an on-site mine visit report. CC ID 08921 | Third Party and supply chain oversight | Preventive | |
Establish, implement, and maintain information security controls for the supply chain. CC ID 13109 [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83] | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 | Leadership and high level objectives | Preventive | |
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Preventive | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Preventive | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Preventive | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Detective | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Preventive | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Preventive | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Detective | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Detective | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Preventive | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)] | Audits and risk management | Preventive | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Preventive | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Preventive | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources management | Preventive | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Preventive | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Preventive | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Preventive | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Preventive | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Preventive | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Preventive | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Preventive | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Corrective | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Preventive | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources management | Preventive | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources management | Preventive | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources management | Preventive | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources management | Preventive | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Preventive | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Preventive | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Preventive | |
Define and assign the authorized representatives roles and responsibilities. CC ID 15033 | Human Resources management | Preventive | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Preventive | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Preventive | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Preventive | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources management | Preventive | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Preventive | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Preventive | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Preventive | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Preventive | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)] | Human Resources management | Preventive | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Detective | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Detective | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Preventive | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Preventive | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Preventive | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Preventive | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Preventive | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Preventive | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Preventive | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Detective | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Preventive | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Preventive | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the internal organisation of the institution or the payment institution; 4.6 36(b)] | Operational management | Preventive | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Ensure the data dictionary is complete and accurate. CC ID 13527 | Leadership and high level objectives | Detective | |
Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Corrective | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Detective | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Detective | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Preventive | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Detective | |
Audit information systems, as necessary. CC ID 13010 [Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: pooled audits organised jointly with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease the organisational burden on both the clients and the service provider; 4.13.3 91(a)] | Audits and risk management | Detective | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Detective | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Detective | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Detective | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Detective | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Detective | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Detective | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Preventive | |
Determine whether the financial institution uses positive pay for electronic check presentment. CC ID 13562 | Acquisition or sale of facilities, technology, and services | Detective | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Detective | |
Document that supply chain members investigate security events. CC ID 13348 | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Preventive | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Detective | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Detective | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Preventive | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Preventive | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Preventive | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Preventive | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Preventive | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Preventive | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Preventive | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Preventive | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Preventive | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Preventive | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Detective | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Preventive | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Preventive | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Preventive | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Preventive | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Preventive | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Preventive | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Preventive | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Preventive | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Preventive | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Preventive | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Preventive | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Preventive | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Preventive | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Preventive | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Preventive | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Preventive | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Preventive | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Preventive | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Preventive | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Preventive | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Preventive | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Preventive | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Preventive | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Preventive | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Detective | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Analyze organizational objectives, functions, and activities. CC ID 00598 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b) With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Preventive | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Leadership and high level objectives | Preventive | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Detective | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Detective | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 | Monitoring and measurement | Preventive | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Detective | |
Monitor for new vulnerabilities. CC ID 06843 | Monitoring and measurement | Preventive | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitoring and measurement | Detective | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Detective | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Preventive | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105] | Monitoring and measurement | Detective | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Detective | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Preventive | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Preventive | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Preventive | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Preventive | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Preventive | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Detective | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Corrective | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Detective | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Detective | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Preventive | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Preventive | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Preventive | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [where those institutions or payment institutions outsource the operational tasks of internal control functions to a service provider within the group or the institutional protection scheme, for the monitoring and auditing of outsourcing arrangements, institutions should ensure that, also for these outsourcing arrangements, those operational tasks are effectively performed, including through the receiving of appropriate reports. 4.2 22(b) where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a) Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101 Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80 Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d) With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i) {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35 Institutions and payment institutions should appropriately document the assessments made under Title IV and the results of their ongoing monitoring (e.g. performance of the service provider, compliance with agreed service levels, other contractual and regulatory requirements, updates to the risk assessment). 4.11 60] | Third Party and supply chain oversight | Detective | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Detective | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Preventive | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Preventive | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Preventive | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Preventive | |
Include resources in the analysis of the internal business environment. CC ID 12942 | Leadership and high level objectives | Preventive | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Preventive | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Preventive | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Preventive | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Preventive | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Preventive | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Preventive | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106 With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Leadership and high level objectives | Preventive | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Preventive | |
Identify conditions that may affect organizational objectives. CC ID 12958 [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45] | Leadership and high level objectives | Preventive | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Preventive | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45 Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)] | Leadership and high level objectives | Preventive | |
Identify all interested personnel and affected parties. CC ID 12845 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Leadership and high level objectives | Preventive | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 | Leadership and high level objectives | Preventive | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 | Leadership and high level objectives | Preventive | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 | Leadership and high level objectives | Preventive | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Leadership and high level objectives | Preventive | |
Take actions in accordance with the decision-making criteria. CC ID 12909 | Leadership and high level objectives | Preventive | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Corrective | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Preventive | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Preventive | |
Correct compliance violations. CC ID 13515 [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105] | Monitoring and measurement | Corrective | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Corrective | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Detective | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Detective | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Preventive | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Preventive | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Preventive | |
Identify interviewees. CC ID 16290 | Audits and risk management | Preventive | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Detective | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Detective | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Detective | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Preventive | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Corrective | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Preventive | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Detective | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Preventive | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Detective | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Detective | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Detective | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Preventive | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Preventive | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Preventive | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Preventive | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Preventive | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Preventive | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Preventive | |
Analyze the organizational culture. CC ID 12899 | Operational management | Preventive | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Detective | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Detective | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Detective | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Corrective | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 | Records management | Preventive | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Preventive | |
Create export summaries, as necessary. CC ID 14446 | Records management | Preventive | |
Identify patient-specific education resources. CC ID 14439 | Records management | Detective | |
Include liquidity plans in the payment and settlement functions. CC ID 16722 | Acquisition or sale of facilities, technology, and services | Preventive | |
Approve the approval application unless the applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Institutions and payment institutions should, upon request, make available to the competent authority all information necessary to enable the competent authority to execute the effective supervision of the institution or the payment institution, including, where required, a copy of the outsourcing agreement. 4.11 57] | Privacy protection for information and data | Preventive | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Detective | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Preventive | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Corrective | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Detective | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [The outsourcing agreement for critical or important functions should set out at least: the agreed service levels, which should include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met; 4.13 75(i) The rights and obligations of the institution, the payment institution and the service provider should be clearly allocated and set out in a written agreement. 4.13 74] | Third Party and supply chain oversight | Preventive | |
Assess third parties' compliance environment during due diligence. CC ID 13134 [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii) Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the supervisory conditions for outsourcing set out in Section 12.1 are met; 4.12 61(b) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f) Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether or not the service provider is supervised by competent authorities. 4.12.3 71(d)] | Third Party and supply chain oversight | Detective | |
Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii) {be responsible} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: there is an appropriate cooperation agreement, e.g. in the form of a memorandum of understanding or college agreement, between the competent authorities responsible for the supervision of the institution and the supervisory authorities responsible for the supervision of the service provider; and 4.12.1 63(b)] | Third Party and supply chain oversight | Detective |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Preventive | |
Retain records in accordance with applicable requirements. CC ID 00968 [{outsourcing arrangements} Taking into account Title I of these guidelines, and under the conditions set out in paragraph 23(d), for institutions and payment institutions within a group, institutions permanently affiliated to a central body or institutions that are members of the same institutional protection scheme, the register may be kept centrally. 4.11 53] | Records management | Preventive | |
Capture the records required by organizational compliance requirements. CC ID 00912 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e)] | Records management | Detective | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Preventive | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Preventive | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Preventive | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Preventive | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Preventive | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Preventive | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Preventive | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Preventive | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Preventive | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49 Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: material risks arising for the appropriate and continuous application of the function. 4.15 106(d) {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Operational and Systems Continuity | Detective | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Preventive | |
Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Preventive | |
Document the mean time to failure for system components. CC ID 10684 | Operational and Systems Continuity | Preventive | |
Validate information security continuity controls regularly. CC ID 12008 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)] | Operational and Systems Continuity | Preventive | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Preventive | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Third Party and supply chain oversight | Preventive | |
Review third parties' backup policies. CC ID 13043 | Third Party and supply chain oversight | Detective |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Preventive | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Preventive |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Leadership and high level objectives | Detective | |
Perform internal penetration tests, as necessary. CC ID 12471 | Monitoring and measurement | Detective | |
Perform external penetration tests, as necessary. CC ID 12470 | Monitoring and measurement | Detective | |
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Monitoring and measurement | Detective | |
Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Detective | |
Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Detective | |
Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Corrective | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Detective | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Preventive | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Preventive | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Preventive | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Preventive | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 | Acquisition or sale of facilities, technology, and services | Preventive | |
Install software that originates from approved third parties. CC ID 12184 | Acquisition or sale of facilities, technology, and services | Preventive | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Preventive | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Preventive | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Preventive | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Preventive | |
Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 | Third Party and supply chain oversight | Detective |
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
---|---|---|---|
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Leadership and high level objectives | Detective | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Preventive | |
Test compliance controls for proper functionality. CC ID 00660 | Monitoring and measurement | Detective | |
Establish, implement, and maintain a system security plan. CC ID 01922 | Monitoring and measurement | Preventive | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Detective | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Detective | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Detective | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Preventive | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Monitoring and measurement | Detective | |
Perform penetration tests, as necessary. CC ID 00655 [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94] | Monitoring and measurement | Detective | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 | Monitoring and measurement | Detective | |
Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Detective | |
Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Detective | |
Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Detective | |
Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Detective | |
Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Detective | |
Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Detective | |
Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Detective | |
Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Detective | |
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Monitoring and measurement | Detective | |
Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Detective | |
Repeat penetration testing, as necessary. CC ID 06860 | Monitoring and measurement | Detective | |
Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Detective | |
Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Detective | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c)] | Audits and risk management | Detective | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Preventive | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Detective | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Detective | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)] | Audits and risk management | Detective | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Detective | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Detective | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Detective | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Detective | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Audits and risk management | Preventive | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Preventive | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Detective | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Detective | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Detective | |
Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Detective | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Detective | |
Establish, implement, and maintain the audit plan. CC ID 01156 [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50 {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the audit plan for the outsourced function; 4.13.3 93(a)] | Audits and risk management | Detective | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 | Audits and risk management | Preventive | |
Determine the effectiveness of risk control measures. CC ID 06601 | Audits and risk management | Detective | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Preventive | |
Test the continuity plan, as necessary. CC ID 00755 [develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a)] | Operational and Systems Continuity | Detective | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Preventive | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Preventive | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Preventive | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48] | Operational and Systems Continuity | Preventive | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Detective | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Operational and Systems Continuity | Detective | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Detective | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Preventive | |
Test the continuity plan at the alternate facility. CC ID 01174 [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)] | Operational and Systems Continuity | Detective | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Operational and Systems Continuity | Preventive | |
Review all third parties' continuity plan test results. CC ID 01365 [{business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c)] | Operational and Systems Continuity | Detective | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Detective | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Detective | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Detective | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97 Outsourcing should not lower the suitability requirements applied to the members of an institution's management body, directors and persons responsible for the management of the payment institution and key function holders. Institutions and payment institutions should have adequate competence and sufficient and appropriately skilled resources to ensure appropriate management and oversight of outsourcing arrangements. 4.6 37] | Human Resources management | Detective | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Preventive | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Detective | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Preventive | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Detective | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Detective | |
Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Preventive | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Detective | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84 {data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a) When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g)] | Third Party and supply chain oversight | Detective | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [Institutions and payment institutions should ensure that service providers, where relevant, comply with appropriate IT security standards. 4.13.2 81 {ensure} {technical measure} Where outsourcing involves the processing of personal or confidential data, institutions and payment institutions should be satisfied that the service provider implements appropriate technical and organisational measures to protect the data. 4.12.3 72 {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: retain the contractual right to perform individual audits at their discretion with regard to the outsourcing of critical or important functions. 4.13.3 93(h)] | Third Party and supply chain oversight | Detective | |
Establish the third party's service continuity. CC ID 00797 [{outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)] | Third Party and supply chain oversight | Detective | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Detective | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Detective | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii) Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c) When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: 4.4 31 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: all outsourcing arrangements, the institution's or payment institution's aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area; 4.4 31(e) When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Third Party and supply chain oversight | Detective | |
Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{confidential information} {personal information} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and 4.13.4 98(d) Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64] | Third Party and supply chain oversight | Detective |
There are three types of Common Control classifications: corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 | Leadership and high level objectives | Communicate | |
Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Business Processes | |
Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 | Leadership and high level objectives | Establish/Maintain Documentation | |
Update or adjust fraud detection systems, as necessary. CC ID 13684 | Monitoring and measurement | Process or Activity | |
Reduce the maximum bandwidth of covert channels. CC ID 10655 | Monitoring and measurement | Technical Security | |
Determine the causes of compliance violations. CC ID 12401 | Monitoring and measurement | Investigate | |
Correct compliance violations. CC ID 13515 [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105] | Monitoring and measurement | Process or Activity | |
Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 | Monitoring and measurement | Behavior | |
Convert data into standard units before reporting metrics. CC ID 15507 | Monitoring and measurement | Process or Activity | |
Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 | Audits and risk management | Establish/Maintain Documentation | |
Withdraw from the audit, when defined conditions exist. CC ID 13885 | Audits and risk management | Process or Activity | |
Solve any access problems auditors encounter during the audit. CC ID 08959 | Audits and risk management | Audits and Risk Management | |
Include deficiencies and non-compliance in the audit report. CC ID 14879 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 | Audits and risk management | Establish/Maintain Documentation | |
Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 | Audits and risk management | Business Processes | |
Modify the audit opinion in the audit report under defined conditions. CC ID 13937 | Audits and risk management | Establish/Maintain Documentation | |
Implement a corrective action plan in response to the audit report. CC ID 06777 | Audits and risk management | Establish/Maintain Documentation | |
Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 | Audits and risk management | Actionable Reports or Measurements | |
Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 | Audits and risk management | Acquisition/Sale of Assets or Services | |
Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 | Audits and risk management | Establish/Maintain Documentation | |
Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705 | Audits and risk management | Establish/Maintain Documentation | |
Document residual risk in a residual risk report. CC ID 13664 | Audits and risk management | Establish/Maintain Documentation | |
Rotate members of the board of directors, as necessary. CC ID 14803 | Human Resources management | Human Resources Management | |
Measure policy compliance when reviewing the internal control framework. CC ID 06442 | Operational management | Actionable Reports or Measurements | |
Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework. CC ID 11747 | Operational management | Process or Activity | |
Adjust the originator's activity levels to match Automated Clearing House exposure limits, as necessary. CC ID 13565 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Adjust the originator's credit rating to match Automated Clearing House exposure limits, as necessary. CC ID 13564 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Use a risk-based approach to following up situations where customer notifications regarding electronic commerce transactions cannot be delivered. CC ID 13663 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Correct billing and settlement errors. CC ID 08623 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate | |
Report fraudulent account activity, unauthorized transactions, or discrepancies with current accounts. CC ID 04875 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Take appropriate action when a data leakage is discovered. CC ID 14716 | Privacy protection for information and data | Process or Activity | |
Terminate supplier relationships, as necessary. CC ID 13489 [{be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: discontinue the business activities that are depending on the function. 4.6 40(f)(iii)] | Third Party and supply chain oversight | Business Processes | |
Enforce third party Service Level Agreements, as necessary. CC ID 07098 | Third Party and supply chain oversight | Business Processes | |
KEY: Primary Verb, Primary Noun, Secondary Verb, Secondary Noun, Limiting Term. Mandated - bold; Implied - italic; Implementation - regular.

COMMON CONTROL | IMPACT ZONE | TYPE | |
---|---|---|---|
Identify all interested personnel and affected parties. CC ID 12845 | Leadership and high level objectives | Process or Activity | |
Approve the data classification scheme. CC ID 13858 | Leadership and high level objectives | Establish/Maintain Documentation | |
Ensure the data dictionary is complete and accurate. CC ID 13527 | Leadership and high level objectives | Investigate | |
Monitor regulatory trends to maintain compliance. CC ID 00604 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor for new Information Security solutions. CC ID 07078 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135 | Leadership and high level objectives | Technical Security | |
Enforce a continuous Quality Control system. CC ID 01005 [{performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104] | Leadership and high level objectives | Business Processes | |
Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures. CC ID 01008 | Leadership and high level objectives | Testing | |
Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Business Processes | |
Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Business Processes | |
Analyze organizational policies, as necessary. CC ID 14037 | Leadership and high level objectives | Establish/Maintain Documentation | |
Map in scope assets and in scope records to external requirements. CC ID 12189 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include all compliance exceptions in the compliance exception standard. CC ID 01630 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a compliance oversight committee. CC ID 00765 [meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)] | Leadership and high level objectives | Establish Roles | |
Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151 | Leadership and high level objectives | Establish/Maintain Documentation | |
Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify and document the events that initiate the decision management strategy. CC ID 06914 | Leadership and high level objectives | Establish/Maintain Documentation | |
Monitor and evaluate environmental threats. CC ID 13481 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Test compliance controls for proper functionality. CC ID 00660 | Monitoring and measurement | Testing | |
Adhere to the system security plan. CC ID 11640 | Monitoring and measurement | Testing | |
Validate all testing assumptions in the test plans. CC ID 00663 | Monitoring and measurement | Testing | |
Require testing procedures to be complete. CC ID 00664 | Monitoring and measurement | Testing | |
Analyze system audit reports and determine the need to perform more tests. CC ID 00666 | Monitoring and measurement | Testing | |
Monitor devices continuously for conformance with production specifications. CC ID 06201 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Perform penetration tests, as necessary. CC ID 00655 [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94] | Monitoring and measurement | Testing | |
Perform internal penetration tests, as necessary. CC ID 12471 | Monitoring and measurement | Technical Security | |
Perform external penetration tests, as necessary. CC ID 12470 | Monitoring and measurement | Technical Security | |
Include coverage of all in scope systems during penetration testing. CC ID 11957 | Monitoring and measurement | Testing | |
Test the system for broken access controls. CC ID 01319 | Monitoring and measurement | Testing | |
Test the system for broken authentication and session management. CC ID 01320 | Monitoring and measurement | Testing | |
Test the system for insecure communications. CC ID 00535 | Monitoring and measurement | Testing | |
Test the system for cross-site scripting attacks. CC ID 01321 | Monitoring and measurement | Testing | |
Test the system for buffer overflows. CC ID 01322 | Monitoring and measurement | Testing | |
Test the system for injection flaws. CC ID 01323 | Monitoring and measurement | Testing | |
Test the system for Denial of Service. CC ID 01326 | Monitoring and measurement | Testing | |
Test the system for insecure configuration management. CC ID 01327 | Monitoring and measurement | Testing | |
Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 | Monitoring and measurement | Testing | |
Test the system for cross-site request forgery. CC ID 06296 | Monitoring and measurement | Testing | |
Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 | Monitoring and measurement | Technical Security | |
Perform penetration testing on segmentation controls, as necessary. CC ID 12498 | Monitoring and measurement | Technical Security | |
Verify segmentation controls are operational and effective. CC ID 12545 | Monitoring and measurement | Audits and Risk Management | |
Repeat penetration testing, as necessary. CC ID 06860 | Monitoring and measurement | Testing | |
Test the system for covert channels. CC ID 10652 | Monitoring and measurement | Testing | |
Estimate the maximum bandwidth of any covert channels. CC ID 10653 | Monitoring and measurement | Technical Security | |
Test systems to determine which covert channels might be exploited. CC ID 10654 | Monitoring and measurement | Testing | |
Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 | Monitoring and measurement | Actionable Reports or Measurements | |
Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 | Monitoring and measurement | Business Processes | |
Determine if multiple compliance violations of the same type could occur. CC ID 12402 | Monitoring and measurement | Investigate | |
Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 | Monitoring and measurement | Investigate | |
Report on the policies and controls that have been implemented by management. CC ID 01670 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security management roles that have been assigned. CC ID 01671 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of total controls for which policies, standards, and procedures exist and for which approval has been granted. CC ID 01679 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who are assigned and acknowledged responsibilities for approved policies, standards, and procedures. CC ID 01680 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of policy compliance reviews for which no compliance violations were noted. CC ID 01681 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of senior management or business unit heads who have implemented operational compliance procedures. CC ID 01682 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the Information Awareness roles for Security Managers and administrators. CC ID 01685 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for interested personnel. CC ID 01686 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of role descriptions that define the information awareness roles for end users. CC ID 01687 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of performance reviews that include the evaluation of Information Assurance responsibilities and policy compliance. CC ID 01688 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals who have access to security software, are trained, and authorized Security Administrators. CC ID 01691 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals who are able to assign security privileges, are trained, and authorized Security Administrators. CC ID 01692 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of new hires who completed training ahead of being granted network access or system access. CC ID 01683 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of personnel who have completed periodic Information Assurance refresher training. CC ID 01684 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of user roles, systems, and applications that comply with the segregation of duties principle. CC ID 01689 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of individuals whose access rights have been reviewed. CC ID 01690 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users who have access to restricted data or restricted information and have undergone a background check. CC ID 01693 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets and information-dependent functions. CC ID 02040 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets and functions for which the cost of compromise has been quantified. CC ID 02041 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of identified risks that have a defined risk mitigation plan. CC ID 02042 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with approved System Security Plans. CC ID 02145 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of known Information Security risks that are related to supply chain relationships. CC ID 02044 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or critical functions for which access by supply chain personnel is disallowed. CC ID 02045 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain personnel who have current information asset user privileges. CC ID 02046 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or functions for which electronic connection by supply chain assets is disallowed. CC ID 02047 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that involved supply chain personnel. CC ID 02048 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of third party contracts that include a requirement to externally verify policies and procedures. CC ID 02049 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of supply chain relationships that have been reviewed for compliance with information security requirements. CC ID 02050 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets that have been reviewed and classified. CC ID 02053 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of information assets with defined user privileges that have been assigned based on role and according to policy. CC ID 02054 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of scheduled Information Technology inventory processes that occurred on time. CC ID 02055 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of recently identified information security risks related to systems architecture that have been adequately mitigated. CC ID 02060 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system architecture changes that were approved through appropriate change requests. CC ID 02061 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets or functions residing on systems that are currently in compliance with the approved systems architecture. CC ID 02062 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have been recertified if security controls were updated after the system was developed. CC ID 02142 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that have completed Certification and Accreditation. CC ID 02143 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions that have been reviewed from the risk to physical security perspective. CC ID 02064 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical organizational information assets and functions exposed to physical risks for which risk mitigation actions have been implemented. CC ID 02065 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical assets that have been reviewed from the environmental risk perspective. CC ID 02066 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers located in controlled access areas. CC ID 02067 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique active user identifiers. CC ID 02074 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that perform authenticator policy verification. CC ID 02086 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active user passwords that are set to expire. CC ID 02087 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets that use stronger authentication than user identifiers and passwords. CC ID 02088 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which default accounts and default passwords have been disabled or reset. CC ID 02089 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that are assigned to personnel who have left or no longer need access. CC ID 02090 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with account lockout thresholds set. CC ID 02091 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of inactive user accounts that have been disabled. CC ID 02092 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations with session timeout or automatic logoff controls set. CC ID 02093 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of users with access to shared accounts. CC ID 04573 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of active computer accounts that have had the current user privileges reviewed. CC ID 02094 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where permission to install nonstandard software is limited. CC ID 02095 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems and applications that have user privileges and administrator privileges assigned in compliance with Role-Based Access Controls. CC ID 02096 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which approved configuration settings have been implemented. CC ID 02097 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with configurations that do not deviate from approved standards. CC ID 02098 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems that are continuously monitored for compliance with the configuration standard with out-of-compliance alarms or out-of-compliance reports. CC ID 02099 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems whose configuration is compared with a previously established trusted configuration baseline. CC ID 02100 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems where the authority to make configuration changes is limited. CC ID 02101 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of system components that undergo maintenance as scheduled. CC ID 04562 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems for which event logging has been implemented. CC ID 02102 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which event logs are monitored and reviewed. CC ID 02103 | Monitoring and measurement | Log Management | |
Report on the percentage of systems for which log capacity and log retention schedules have been implemented. CC ID 02104 | Monitoring and measurement | Log Management | |
Report on the percentage of systems that generate warnings about anomalous activity or potentially unauthorized activity. CC ID 02105 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of laptops and mobile devices that are needing to be in compliance with the approved configuration standard before granting network access. CC ID 02106 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of organizationally controlled communications channels that have been secured. CC ID 02107 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of host servers that are protected from becoming relay hosts. CC ID 02108 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile users who access organizational facilities using secure communications methods. CC ID 02109 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of workstations and laptops that employ automated system security tools. CC ID 02110 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of servers that employ automated system security tools. CC ID 02111 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that employ automated system security tools. CC ID 02112 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that have been documented and approved through change request forms. CC ID 02152 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with all approved patches installed. CC ID 02113 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the mean time from patch availability to patch installation. CC ID 02114 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of software changes that were reviewed for security impacts before the software configuration is updated. CC ID 02115 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a network activity baseline. CC ID 13188 | Monitoring and measurement | Technical Security | |
Report on the percentage of systems configured according to the configuration standard. CC ID 02116 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of network access controls used to gain unauthorized access. CC ID 04572 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of critical information assets stored on network accessible devices that are encrypted with widely tested and published cryptographic algorithms. CC ID 02117 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of mobile devices that use encryption for critical information assets. CC ID 02118 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of passwords and Personal Identification Numbers that are encrypted. CC ID 02119 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of media that passes sanitization procedure testing. CC ID 04574 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical business functions that have been backed up in accordance with the backup policy and the system's continuity plan. CC ID 02120 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions where restoration from a backup has been successfully demonstrated. CC ID 02121 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of backup media stored off site in secure storage. CC ID 02122 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of used backup media or archive media sanitized prior to reuse or disposal. CC ID 02123 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the estimated damage or loss resulting from all security incidents. CC ID 01674 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that did not cause confidentiality, integrity, or availability losses beyond the Service Level Agreement thresholds. CC ID 01673 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of operational time that critical services were unavailable due to security incidents. CC ID 02124 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02125 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds. CC ID 02126 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of security incidents that were managed according to established policies, procedures, and processes. CC ID 02127 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the number of security incidents reported to FedCIRC, NIPC, the Payment Card Industry, or local law enforcement. CC ID 02154 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of systems with critical information assets or critical functions that have been assessed for security vulnerabilities. CC ID 02128 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of vulnerability assessment findings that have been addressed since the last reporting period. CC ID 02129 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the average elapsed time between the discovery of a new vulnerability and implementing corrective action. CC ID 02140 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of physical security incidents that involved entry into a facility containing Information Systems. CC ID 04564 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a corrective action plan. CC ID 00675 [{not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105] | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Include monitoring in the corrective action plan. CC ID 11645 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Review the risk assessments as compared to the in scope controls. CC ID 06978 [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c)] | Audits and risk management | Testing | |
Determine if requested services create a threat to independence. CC ID 16823 | Audits and risk management | Audits and Risk Management | |
Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 | Audits and risk management | Audits and Risk Management | |
Confirm audit requirements during the opening meeting. CC ID 15255 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit assertions, as necessary. CC ID 14871 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from performing an attestation engagement under defined conditions. CC ID 13952 | Audits and risk management | Audits and Risk Management | |
Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 | Audits and risk management | Audits and Risk Management | |
Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 | Audits and risk management | Audits and Risk Management | |
Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 | Audits and risk management | Investigate | |
Audit information systems, as necessary. CC ID 13010 [Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: pooled audits organised jointly with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease the organisational burden on both the clients and the service provider; 4.13.3 91(a)] | Audits and risk management | Investigate | |
Audit the potential costs of compromise to information systems. CC ID 13012 | Audits and risk management | Investigate | |
Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 | Audits and risk management | Testing | |
Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 | Audits and risk management | Testing | |
Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 | Audits and risk management | Audits and Risk Management | |
Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 | Audits and risk management | Process or Activity | |
Determine if the audit assertion's in scope controls are reasonable. CC ID 06980 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)] | Audits and risk management | Testing | |
Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 | Audits and risk management | Process or Activity | |
Document test plans for auditing in scope controls. CC ID 06985 | Audits and risk management | Testing | |
Determine the implementation status of the audit assertion's in scope controls. CC ID 06981 | Audits and risk management | Testing | |
Determine the effectiveness of in scope controls. CC ID 06984 | Audits and risk management | Testing | |
Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 | Audits and risk management | Audits and Risk Management | |
Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 | Audits and risk management | Audits and Risk Management | |
Observe processes to determine the effectiveness of in scope controls. CC ID 12155 | Audits and risk management | Audits and Risk Management | |
Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 | Audits and risk management | Audits and Risk Management | |
Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 | Audits and risk management | Audits and Risk Management | |
Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 | Audits and risk management | Audits and Risk Management | |
Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 | Audits and risk management | Audits and Risk Management | |
Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 | Audits and risk management | Testing | |
Conduct interviews, as necessary. CC ID 07188 | Audits and risk management | Testing | |
Verify statements made by interviewees are correct. CC ID 16299 | Audits and risk management | Behavior | |
Discuss unsolved questions with the interviewee. CC ID 16298 | Audits and risk management | Process or Activity | |
Allow interviewee to respond to explanations. CC ID 16296 | Audits and risk management | Process or Activity | |
Explain the requirements being discussed to the interviewee. CC ID 16294 | Audits and risk management | Process or Activity | |
Explain the goals of the interview to the interviewee. CC ID 07189 | Audits and risk management | Behavior | |
Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 | Audits and risk management | Audits and Risk Management | |
Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 | Audits and risk management | Testing | |
Investigate the nature and causes of identified in scope control deviations. CC ID 06986 | Audits and risk management | Testing | |
Review the subject matter expert's findings. CC ID 16559 | Audits and risk management | Audits and Risk Management | |
Permit assessment teams to conduct audits, as necessary. CC ID 16430 | Audits and risk management | Investigate | |
Determine what disclosures are required in the audit report. CC ID 14888 | Audits and risk management | Establish/Maintain Documentation | |
Identify the audit team members in the audit report. CC ID 15259 | Audits and risk management | Human Resources Management | |
Identify the participants from the organization being audited in the audit report. CC ID 15258 | Audits and risk management | Audits and Risk Management | |
Review the adequacy of the internal auditor's work papers. CC ID 01146 | Audits and risk management | Audits and Risk Management | |
Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 | Audits and risk management | Establish/Maintain Documentation | |
Review the adequacy of the internal auditor's audit reports. CC ID 11620 | Audits and risk management | Audits and Risk Management | |
Review past audit reports. CC ID 01155 | Audits and risk management | Establish/Maintain Documentation | |
Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 | Audits and risk management | Establish/Maintain Documentation | |
Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161 | Audits and risk management | Establish/Maintain Documentation | |
Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 | Audits and risk management | Investigate | |
Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 | Audits and risk management | Process or Activity | |
Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 | Audits and risk management | Log Management | |
Review the issues of non-compliance from past audit reports. CC ID 01148 | Audits and risk management | Establish/Maintain Documentation | |
Submit an audit report that is complete. CC ID 01145 | Audits and risk management | Testing | |
Review management's response to issues raised in past audit reports. CC ID 01149 [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate involvement of governance bodies; and 4.10 51(d)] | Audits and risk management | Audits and Risk Management | |
Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150 | Audits and risk management | Testing | |
Evaluate the competency of auditors. CC ID 15253 | Audits and risk management | Human Resources Management | |
Review the audit program scope as it relates to the organization's profile. CC ID 01159 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain the audit plan. CC ID 01156 [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50 {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the audit plan for the outsourced function; 4.13.3 93(a)] | Audits and risk management | Testing | |
Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 | Audits and risk management | Business Processes | |
Analyze the risk management strategy for addressing requirements. CC ID 12926 [With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the risk assessment for outsourcing arrangements and that the risks remain in line with the institution's risk strategy; 4.10 51(c) With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Audits and risk management | Audits and Risk Management | |
Analyze the risk management strategy for addressing threats. CC ID 12925 | Audits and risk management | Audits and Risk Management | |
Analyze the risk management strategy for addressing opportunities. CC ID 12924 | Audits and risk management | Audits and Risk Management | |
Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 | Audits and risk management | Human Resources Management | |
Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 | Audits and risk management | Investigate | |
Review the risk profiles, as necessary. CC ID 16561 | Audits and risk management | Audits and Risk Management | |
Update the risk assessment upon discovery of a new threat. CC ID 00708 | Audits and risk management | Establish/Maintain Documentation | |
Update the risk assessment upon changes to the risk profile. CC ID 11627 | Audits and risk management | Establish/Maintain Documentation | |
Conduct external audits of risk assessments, as necessary. CC ID 13308 | Audits and risk management | Audits and Risk Management | |
Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 | Audits and risk management | Investigate | |
Conduct a Business Impact Analysis, as necessary. CC ID 01147 [{outsourced services} {outsourced activities} When developing exit strategies, institutions and payment institutions should: perform a business impact analysis that is commensurate with the risk of the outsourced processes, services or activities, with the aim of identifying what human and financial resources would be required to implement the exit plan and how much time it would take; 4.15 108(b)] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with each business process. CC ID 06463 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b) Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44 {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with the business environment. CC ID 06464 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the consequences of where the service provider is located (within or outside the EU); 4.12.2 68(c)] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 | Audits and risk management | Audits and Risk Management | |
Identify changes to in scope systems that could threaten communication between business units. CC ID 13173 | Audits and risk management | Investigate | |
Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with insider threats. CC ID 06468 | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with external entities. CC ID 06469 [Within the risk assessment, institutions and payment institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: 4.12.2 66(a) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the size and complexity of any business area affected; 4.4 31(f) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: 4.12.2 68(d) Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64] | Audits and risk management | Audits and Risk Management | |
Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 | Audits and risk management | Actionable Reports or Measurements | |
Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 | Audits and risk management | Audits and Risk Management | |
Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 | Audits and risk management | Process or Activity | |
Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 | Audits and risk management | Process or Activity | |
Determine the effectiveness of risk control measures. CC ID 06601 | Audits and risk management | Testing | |
Analyze the impact of artificial intelligence systems on society. CC ID 16317 | Audits and risk management | Audits and Risk Management | |
Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 | Audits and risk management | Audits and Risk Management | |
Analyze supply chain risk management procedures, as necessary. CC ID 13198 | Audits and risk management | Process or Activity | |
Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49 Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: material risks arising for the appropriate and continuous application of the function. 4.15 106(d) {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Operational and Systems Continuity | Systems Continuity | |
Define and prioritize critical business functions. CC ID 00736 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii) The outsourcing policy should differentiate between the following: outsourcing of critical or important functions and other outsourcing arrangements; 4.7 43(a) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a) Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the outsourcing arrangement concerns a critical or important function, as set out in Title II; 4.12 61(a) If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77 Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100 {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Test the continuity plan, as necessary. CC ID 00755 [develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a)] | Operational and Systems Continuity | Testing | |
Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 | Operational and Systems Continuity | Testing | |
Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 | Operational and Systems Continuity | Testing | |
Analyze system interdependence during continuity plan tests. CC ID 13082 | Operational and Systems Continuity | Testing | |
Test the continuity plan at the alternate facility. CC ID 01174 [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)] | Operational and Systems Continuity | Testing | |
Review all third party's continuity plan test results. CC ID 01365 [{business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c)] | Operational and Systems Continuity | Testing | |
Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 | Operational and Systems Continuity | Testing | |
Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 | Operational and Systems Continuity | Testing | |
Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 | Operational and Systems Continuity | Testing | |
Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782 [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97 Outsourcing should not lower the suitability requirements applied to the members of an institution's management body, directors and persons responsible for the management of the payment institution and key function holders. Institutions and payment institutions should have adequate competence and sufficient and appropriately skilled resources to ensure appropriate management and oversight of outsourcing arrangements. 4.6 37] | Human Resources management | Testing | |
Perform security skills assessments for all critical employees. CC ID 12102 | Human Resources management | Human Resources Management | |
Perform a background check during personnel screening. CC ID 11758 | Human Resources management | Human Resources Management | |
Document the personnel risk assessment results. CC ID 11764 | Human Resources management | Establish/Maintain Documentation | |
Perform periodic background checks on designated roles, as necessary. CC ID 11759 | Human Resources management | Human Resources Management | |
Document the security clearance procedure results. CC ID 01635 | Human Resources management | Establish/Maintain Documentation | |
Review the relevance of information supporting internal controls. CC ID 12420 | Operational management | Business Processes | |
Include emergency response procedures in the internal control framework. CC ID 06779 | Operational management | Establish/Maintain Documentation | |
Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture. CC ID 12922 | Operational management | Process or Activity | |
Include the organizational climate in the analysis of the organizational culture. CC ID 12921 | Operational management | Process or Activity | |
Include consistency of leadership actions to mission, vision, and values in the analysis of the organizational culture. CC ID 12920 | Operational management | Process or Activity | |
Include the appropriate aspects of the Quality Management program in the Service Level Agreement. CC ID 00845 | Operational management | Establish/Maintain Documentation | |
Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
Capture the records required by organizational compliance requirements. CC ID 00912 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e)] | Records management | Records Management | |
Assign the appropriate information classification to records imported into the Records Management system. CC ID 04555 | Records management | Data and Information Management | |
Identify patient-specific education resources. CC ID 14439 | Records management | Process or Activity | |
Classify restricted data or restricted information in Records Management systems according to the data or information's sensitivity. CC ID 04720 | Records management | Data and Information Management | |
Determine whether the financial institution uses positive pay for electronic check presentment. CC ID 13562 | Acquisition or sale of facilities, technology, and services | Investigate | |
Refrain from storing data elements containing payment card full magnetic stripe data. CC ID 04757 | Privacy protection for information and data | Testing | |
Conduct personal data risk assessments. CC ID 00357 | Privacy protection for information and data | Testing | |
Establish, implement, and maintain suspicious document procedures. CC ID 04852 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain suspicious personal data procedures. CC ID 04853 | Privacy protection for information and data | Data and Information Management | |
Compare certain personal data such as name, date of birth, address, driver's license, or other identification against personal data on file for the applicant. CC ID 04855 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain suspicious user account activity procedures. CC ID 04854 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Perform an identity check prior to approving an account change request. CC ID 13670 | Privacy protection for information and data | Investigate | |
Use the contact information on file to contact the individual identified in an account change request. CC ID 04857 | Privacy protection for information and data | Behavior | |
Match consumer reports with current accounts on file to ensure account misuse or information misuse has not occurred. CC ID 04873 | Privacy protection for information and data | Data and Information Management | |
Log account access dates and report when dormant accounts suddenly exhibit unusual activity. CC ID 04874 | Privacy protection for information and data | Log Management | |
Log dates for account name changes or address changes. CC ID 04876 | Privacy protection for information and data | Log Management | |
Review accounts that are changed for additional user requests. CC ID 11846 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Send change notices for change of address requests to the old address and the new address. CC ID 04877 | Privacy protection for information and data | Data and Information Management | |
Search the Internet for evidence of data leakage. CC ID 10419 | Privacy protection for information and data | Process or Activity | |
Review monitored websites for data leakage. CC ID 10593 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Conduct internal data processing audits. CC ID 00374 | Privacy protection for information and data | Testing | |
Formalize client and third party relationships with contracts or nondisclosure agreements. CC ID 00794 | Third Party and supply chain oversight | Process or Activity | |
Include a termination provision clause in third party contracts. CC ID 01367 [If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure that the institution or payment institution has the contractual right to terminate the agreement in the case of undue sub-outsourcing, e.g. where the sub-outsourcing materially increases the risks for the institution or payment institution or where the service provider sub-outsources without notifying the institution or payment institution. 4.13.1 78(g) The outsourcing agreement for critical or important functions should set out at least: termination rights, as specified in Section 13.4. 4.13 75(q) The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: 4.13.4 98 Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the termination of outsourcing arrangements; 4.15 106(a) The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where instructions are given by the institution's or payment institution's competent authority, e.g. in the case that the competent authority is, caused by the outsourcing arrangement, no longer in a position to effectively supervise the institution or payment institution. 4.13.4 98(e) The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: include an obligation of the service provider to support the institution or payment institution in the orderly transfer of the function in the event of the termination of the outsourcing agreement. 4.13.4 99(c) {ability} {refrain from disrupting} {refrain from limiting} {avoiding} Institutions and payment institutions should ensure that they are able to exit outsourcing arrangements without undue disruption to their business activities, without limiting their compliance with regulatory requirements and without any detriment to the continuity and quality of its provision of services to clients. To achieve this, they should: 4.15 107] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party requirements for personnel security in third party contracts. CC ID 00790 | Third Party and supply chain oversight | Testing | |
Include third party acknowledgment of their data protection responsibilities in third party contracts. CC ID 01364 [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84 {data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a) When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g)] | Third Party and supply chain oversight | Testing | |
Include auditing third party security controls and compliance controls in third party contracts. CC ID 01366 [Institutions and payment institutions should ensure that service providers, where relevant, comply with appropriate IT security standards. 4.13.2 81 {ensure} {technical measure} Where outsourcing involves the processing of personal or confidential data, institutions and payment institutions should be satisfied that the service provider implements appropriate technical and organisational measures to protect the data. 4.12.3 72 {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: retain the contractual right to perform individual audits at their discretion with regard to the outsourcing of critical or important functions. 4.13.3 93(h)] | Third Party and supply chain oversight | Testing | |
Establish the third party's service continuity. CC ID 00797 [{outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)] | Third Party and supply chain oversight | Testing | |
Determine the adequacy of a third party's alternate site preparations. CC ID 06879 | Third Party and supply chain oversight | Testing | |
Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data. CC ID 04264 | Third Party and supply chain oversight | Data and Information Management | |
Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements. CC ID 06087 | Third Party and supply chain oversight | Testing | |
Document supply chain dependencies in the supply chain management program. CC ID 08900 [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: the soundness or continuity of their banking and payment services and activities; 4.4 29(a)(iii) In the case of institutions, particular attention should be given to the assessment of the criticality or importance of functions if the outsourcing concerns functions related to core business lines and critical functions as defined in Article 2(1)(35) and 2(1)(36) of Directive 2014/59/EU and identified by institutions using the criteria set out in Articles 6 and 7 of Commission Delegated Regulation (EU) 2016/778. Functions that are necessary to perform activities of core business lines or critical functions should be considered as critical or important functions for the purpose of these guidelines, unless the institution's assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the operational continuity of the core business line or critical function. 4.4 30] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent. CC ID 00842 [When developing exit strategies, institutions and payment institutions should: define the indicators to be used for the monitoring of the outsourcing arrangement (as outlined under Section 14), including indicators based on unacceptable service levels that should trigger the exit. 4.15 108(e) allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Approve all Service Level Agreements. CC ID 00843 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Track all chargeable items in Service Level Agreements. CC ID 11616 | Third Party and supply chain oversight | Business Processes | |
Document all chargeable items in Service Level Agreements. CC ID 00844 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Perform risk assessments of third parties, as necessary. CC ID 06454 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii) Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c) When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the institution's risk profile; 4.7 44(a) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: 4.4 31 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: all outsourcing arrangements, the institution's or payment institution's aggregated exposure to the same service provider and the potential cumulative impact of outsourcing arrangements in the same business area; 4.4 31(e) When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Third Party and supply chain oversight | Testing | |
Re-evaluate risk assessments of third parties, as necessary. CC ID 12158 [Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102] | Third Party and supply chain oversight | Audits and Risk Management | |
Establish, implement, and maintain deduplication procedures for third party services. CC ID 13915 | Third Party and supply chain oversight | Business Processes | |
Assess third parties' relevant experience during due diligence. CC ID 12070 [{be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' legal risks to the organization during due diligence. CC ID 12078 [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a) {legal requirement} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: comply with all legal and regulatory requirements; 4.4 31(c)(ii) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the laws in force, including laws on data protection; 4.12.2 68(d)(i) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the law enforcement provisions in place; and 4.12.2 68(d)(ii) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' business continuity capabilities during due diligence. CC ID 12077 [{takeover} Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: in the case of significant institutions, the step-in risk, i.e. the risk that may result from the need to provide financial support to a service provider in distress or to take over its business operations; and 4.12.2 66(c) When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: business continuity and operational resilience; 4.4 31(b)(ii) {recovery planning} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: where applicable, recovery and resolution planning, resolvability and operational continuity in an early intervention, recovery or resolution situation; 4.4 31(b)(v) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider the political stability and security situation of the jurisdictions in question, including: the insolvency law provisions that would apply in the event of a service provider's failure and any constraints that would arise in respect of the urgent recovery of the institution's or payment institution's data in particular; 4.12.2 68(d)(iii)] | Third Party and supply chain oversight | Business Processes | |
Review third parties' backup policies. CC ID 13043 | Third Party and supply chain oversight | Systems Continuity | |
Assess third parties' breach remediation status, as necessary, during due diligence. CC ID 12076 [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the protection of data and the potential impact of a confidentiality breach or failure to ensure data availability and integrity on the institution or payment institution and its clients, including but not limited to compliance with Regulation (EU) 2016/679. 4.4 31(j)] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' abilities to provide services during due diligence. CC ID 12074 [{be the same} Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: multiple outsourcing arrangements with the same service provider or closely connected service providers; 4.12.2 66(a)(ii) {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact on the services provided to its clients; 4.4 31(d) Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is otherwise allowed to carry out those banking activities or payment services in accordance with the relevant national legal framework. 4.12.1 62(b)] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' financial stability during due diligence. CC ID 12066 [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a) Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether the service provider is a parent undertaking or subsidiary of the institution or payment institution, is part of the accounting scope of consolidation of the institution or is a member of or is owned by institutions that are members of the same institutional protection scheme to which the institution belongs; 4.12.3 71(c) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: short- and long-term financial resilience and viability, including, if applicable, its assets, capital, costs, funding, liquidity, profits and losses; 4.4 31(b)(i)] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' use of subcontractors during due diligence. CC ID 12073 [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risks associated with sub-outsourcing, including the additional risks that may arise if the sub-contractor is located in a third country or a different country from the service provider; 4.12.2 67(a) Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73] | Third Party and supply chain oversight | Business Processes | |
Assess third parties' insurance coverage during due diligence. CC ID 12072 | Third Party and supply chain oversight | Business Processes | |
Assess the third parties' reputation during due diligence. CC ID 12068 [Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: the long-term relationships with service providers that have already been assessed and perform services for the institution or payment institution; 4.12.3 71(b) {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: reputational risks; 4.4 31(b)(iv)] | Third Party and supply chain oversight | Business Processes | |
Assess any litigation case files against third parties during due diligence. CC ID 12071 | Third Party and supply chain oversight | Business Processes | |
Assess complaints against third parties during due diligence. CC ID 12069 | Third Party and supply chain oversight | Business Processes | |
Include a provision in outsourcing contracts that requires that supply chain members' security requirements comply with organizational security requirements. CC ID 00359 [{confidential information} {personal information} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are weaknesses regarding the management and security of confidential, personal or otherwise sensitive data or information; and 4.13.4 98(d) Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64] | Third Party and supply chain oversight | Testing | |
Assess third parties' compliance environment during due diligence. CC ID 13134 [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii) Before entering into any outsourcing arrangement, institutions and payment institutions should: assess if the supervisory conditions for outsourcing set out in Section 12.1 are met; 4.12 61(b) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f) Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: whether or not the service provider is supervised by competent authorities. 4.12.3 71(d)] | Third Party and supply chain oversight | Process or Activity | |
Document that supply chain members investigate security events. CC ID 13348 | Third Party and supply chain oversight | Investigate | |
Engage third parties to scope third party services' applicability to the organization's compliance requirements, as necessary. CC ID 12064 [{outsourcing policy} {independent audit} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the independent review and audit of compliance with legal and regulatory requirements and policies; 4.7 42(d)(iii) {be responsible} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: there is an appropriate cooperation agreement, e.g. in the form of a memorandum of understanding or college agreement, between the competent authorities responsible for the supervision of the institution and the supervisory authorities responsible for the supervision of the service provider; and 4.12.1 63(b)] | Third Party and supply chain oversight | Process or Activity | |
Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members. CC ID 11888 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document whether the third party transmits, processes, or stores restricted data on behalf of the organization. CC ID 12063 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document whether engaging the third party will impact the organization's compliance risk. CC ID 12065 [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their continuing compliance with the conditions of their authorisation or its other obligations under Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive 2014/65/EU, Directive (EU) 2015/2366 and Directive 2009/110/EC and their regulatory obligations; 4.4 29(a)(i)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Request attestation of compliance from third parties. CC ID 12067 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied that the certifications are issued and the audits are performed against widely recognised relevant professional standards and include a test of the operational effectiveness of the key controls in place; 4.13.3 93(f)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Allow third parties to provide Self-Assessment Reports, as necessary. CC ID 12229 | Third Party and supply chain oversight | Business Processes | |
Assess third parties' compliance with the organization's third party security policies during due diligence. CC ID 12075 | Third Party and supply chain oversight | Business Processes | |
Document the third parties' compliance with the organization's system hardening framework. CC ID 04263 | Third Party and supply chain oversight | Technical Security | |
Assess the effectiveness of third party services provided to the organization. CC ID 13142 [{outsourcing policy} {ongoing basis} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the ongoing assessment of the service provider's performance in line with Section 14; 4.7 42(d)(i) evaluating the performance of service providers using tools such as key performance indicators, key control indicators, service delivery reports, self-certification and independent reviews; and 4.14 104(b) {performance standards} Institutions and payment institutions should ensure, on an ongoing basis, that outsourcing arrangements, with the main focus being on outsourced critical or important functions, meet appropriate performance and quality standards in line with their policies by: 4.14 104 {audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: 4.4 31(b)] | Third Party and supply chain oversight | Business Processes | |
Monitor third parties for performance and effectiveness, as necessary. CC ID 00799 [where those institutions or payment institutions outsource the operational tasks of internal control functions to a service provider within the group or the institutional protection scheme, for the monitoring and auditing of outsourcing arrangements, institutions should ensure that, also for these outsourcing arrangements, those operational tasks are effectively performed, including through the receiving of appropriate reports. 4.2 22(b) where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a) Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101 Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80 Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d) With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i) {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35 Institutions and payment institutions should appropriately document the assessments made under Title IV and the results of their ongoing monitoring (e.g. performance of the service provider, compliance with agreed service levels, other contractual and regulatory requirements, updates to the risk assessment). 4.11 60] | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
Monitor third parties' financial conditions. CC ID 13170 | Third Party and supply chain oversight | Monitor and Evaluate Occurrences | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
Monitoring and measurement CC ID 00636 | Monitoring and measurement | IT Impact Zone | |
Audits and risk management CC ID 00677 | Audits and risk management | IT Impact Zone | |
Operational and Systems Continuity CC ID 00731 | Operational and Systems Continuity | IT Impact Zone | |
Human Resources management CC ID 00763 | Human Resources management | IT Impact Zone | |
Operational management CC ID 00805 | Operational management | IT Impact Zone | |
Records management CC ID 00902 | Records management | IT Impact Zone | |
Acquisition or sale of facilities, technology, and services CC ID 01123 | Acquisition or sale of facilities, technology, and services | IT Impact Zone | |
Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Third Party and supply chain oversight CC ID 08807 | Third Party and supply chain oversight | IT Impact Zone | |
KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
---|---|---|---|
Analyze organizational objectives, functions, and activities. CC ID 00598 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b) With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Develop instructions for setting organizational objectives and strategies. CC ID 12931 | Leadership and high level objectives | Establish/Maintain Documentation | |
Analyze the business environment in which the organization operates. CC ID 12798 | Leadership and high level objectives | Business Processes | |
Identify the internal factors that may affect organizational objectives. CC ID 12957 | Leadership and high level objectives | Process or Activity | |
Include key processes in the analysis of the internal business environment. CC ID 12947 | Leadership and high level objectives | Process or Activity | |
Include existing information in the analysis of the internal business environment. CC ID 12943 | Leadership and high level objectives | Process or Activity | |
Include resources in the analysis of the internal business environment. CC ID 12942 | Leadership and high level objectives | Process or Activity | |
Include the operating plan in the analysis of the internal business environment. CC ID 12941 | Leadership and high level objectives | Process or Activity | |
Include incentives in the analysis of the internal business environment. CC ID 12940 | Leadership and high level objectives | Process or Activity | |
Include organizational structures in the analysis of the internal business environment. CC ID 12939 | Leadership and high level objectives | Process or Activity | |
Include the strategic plan in the analysis of the internal business environment. CC ID 12937 | Leadership and high level objectives | Process or Activity | |
Include strengths and weaknesses in the analysis of the internal business environment. CC ID 12936 | Leadership and high level objectives | Process or Activity | |
Align assets with business functions and the business environment. CC ID 13681 | Leadership and high level objectives | Business Processes | |
Disseminate and communicate the organization's business environment and place in its industry sector. CC ID 13200 | Leadership and high level objectives | Communicate | |
Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Monitor for changes which affect organizational objectives in the internal business environment. CC ID 12862 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Analyze the external environment in which the organization operates. CC ID 12799 | Leadership and high level objectives | Business Processes | |
Identify the external forces that may affect organizational objectives. CC ID 12960 | Leadership and high level objectives | Process or Activity | |
Monitor for changes which affect organizational strategies in the external environment. CC ID 12880 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include environmental requirements in the analysis of the external environment. CC ID 12965 | Leadership and high level objectives | Business Processes | |
Monitor for changes which affect organizational objectives in the external environment. CC ID 12879 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
Include regulatory requirements in the analysis of the external environment. CC ID 12964 | Leadership and high level objectives | Business Processes | |
Include society in the analysis of the external environment. CC ID 12963 | Leadership and high level objectives | Business Processes | |
Include opportunities in the analysis of the external environment. CC ID 12954 | Leadership and high level objectives | Business Processes | |
Include third party relationships in the analysis of the external environment. CC ID 12952 | Leadership and high level objectives | Business Processes | |
Include industry forces in the analysis of the external environment. CC ID 12904 | Leadership and high level objectives | Business Processes | |
Include threats in the analysis of the external environment. CC ID 12898 | Leadership and high level objectives | Business Processes | |
Include geopolitics in the analysis of the external environment. CC ID 12897 | Leadership and high level objectives | Business Processes | |
Include legal requirements in the analysis of the external environment. CC ID 12896 | Leadership and high level objectives | Business Processes | |
Include technology in the analysis of the external environment. CC ID 12837 | Leadership and high level objectives | Business Processes | |
Include analyzing the market in the analysis of the external environment. CC ID 12836 | Leadership and high level objectives | Business Processes | |
Conduct a context analysis to define objectives and strategies. CC ID 12864 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain organizational objectives. CC ID 09959 [When developing exit strategies, institutions and payment institutions should: define the objectives of the exit strategy; 4.15 108(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106 With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Leadership and high level objectives | Process or Activity | |
Identify events that may affect organizational objectives. CC ID 12961 | Leadership and high level objectives | Process or Activity | |
Identify conditions that may affect organizational objectives. CC ID 12958 [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45] | Leadership and high level objectives | Process or Activity | |
Identify requirements that could affect achieving organizational objectives. CC ID 12828 | Leadership and high level objectives | Business Processes | |
Identify opportunities that could affect achieving organizational objectives. CC ID 12826 | Leadership and high level objectives | Business Processes | |
Prioritize organizational objectives. CC ID 09960 | Leadership and high level objectives | Business Processes | |
Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain a value generation model. CC ID 15591 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 | Leadership and high level objectives | Communicate | |
Include value distribution in the value generation model. CC ID 15603 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value retention in the value generation model. CC ID 15600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include value generation procedures in the value generation model. CC ID 15599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain value generation objectives. CC ID 15583 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain social responsibility objectives. CC ID 15611 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 | Leadership and high level objectives | Communicate | |
Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties. CC ID 13191 | Leadership and high level objectives | Communicate | |
Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Identify threats that could affect achieving organizational objectives. CC ID 12827 | Leadership and high level objectives | Business Processes | |
Identify how opportunities, threats, and external requirements are trending. CC ID 12829 | Leadership and high level objectives | Process or Activity | |
Identify relationships between opportunities, threats, and external requirements. CC ID 12805 [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45 Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)] | Leadership and high level objectives | Process or Activity | |
Review the organization's approach to managing information security, as necessary. CC ID 12005 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain criteria for grouping stakeholders. CC ID 15584 | Leadership and high level objectives | Process or Activity | |
Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796 | Leadership and high level objectives | Business Processes | |
Establish, implement, and maintain data governance and management practices. CC ID 14998 | Leadership and high level objectives | Establish/Maintain Documentation | |
Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include bias for data sets in the data governance and management practices. CC ID 15085 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a data strategy in the data governance and management practices. CC ID 15304 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data monitoring in the data governance and management practices. CC ID 15303 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assessment of the data sets in the data governance and management practices. CC ID 15084 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data collection for data sets in the data governance and management practices. CC ID 15082 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data preparations for data sets in the data governance and management practices. CC ID 15081 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include design choices for data sets in the data governance and management practices. CC ID 15080 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain an information classification standard. CC ID 00601 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 | Leadership and high level objectives | Data and Information Management | |
Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 | Leadership and high level objectives | Data and Information Management | |
Take into account the context of use for data or information when establishing information impact levels. CC ID 04785 | Leadership and high level objectives | Data and Information Management | |
Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 | Leadership and high level objectives | Data and Information Management | |
Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997 | Leadership and high level objectives | Data and Information Management | |
Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 | Leadership and high level objectives | Data and Information Management | |
Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996 | Leadership and high level objectives | Data and Information Management | |
Classify the value of information in the information classification standard. CC ID 11995 | Leadership and high level objectives | Data and Information Management | |
Classify the legal requirements of information in the information classification standard. CC ID 11994 | Leadership and high level objectives | Data and Information Management | |
Establish, implement, and maintain a data classification scheme. CC ID 11628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 | Leadership and high level objectives | Data and Information Management | |
Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 | Leadership and high level objectives | Communicate | |
Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 | Leadership and high level objectives | Establish/Maintain Documentation | |
Refrain from including metadata in the data dictionary. CC ID 13529 | Leadership and high level objectives | Establish/Maintain Documentation | |
Refrain from allowing incompatible data elements in the data dictionary. CC ID 13624 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include information needed to understand each data element and population in the data dictionary. CC ID 13528 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the factors to determine what is included or excluded from the data element in the data dictionary. CC ID 13525 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the date or time period the data was observed in the data dictionary. CC ID 13524 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the uncertainty in the population of each data element in the data dictionary. CC ID 13522 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the uncertainty of each data element in the data dictionary. CC ID 13521 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the measurement units for each data element in the data dictionary. CC ID 13534 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the precision of the measurement in the data dictionary. CC ID 13520 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the data source in the data dictionary. CC ID 13519 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the nature of each element in the data dictionary. CC ID 13518 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the population of events or instances in the data dictionary. CC ID 13517 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the data dictionary to interested personnel and affected parties. CC ID 13516 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603 | Leadership and high level objectives | Establish/Maintain Documentation | |
Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 | Leadership and high level objectives | Behavior | |
Establish, implement, and maintain an organizational structure. CC ID 16310 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include supply chain management standards in the Quality Management framework. CC ID 13701 [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the deterioration of the quality of the function provided and actual or potential business disruptions caused by the inappropriate or failed provision of the function; 4.15 106(c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management policy. CC ID 13694 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 | Leadership and high level objectives | Establish/Maintain Documentation | |
Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include critical Information Technology processes in the Quality Management framework. CC ID 13645 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the Quality Management policy to all interested personnel and affected parties. CC ID 13695 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the Quality Management framework to all stakeholders. CC ID 13680 | Leadership and high level objectives | Communicate | |
Align the quality objectives with the Quality Management policy. CC ID 13697 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a Quality Management program. CC ID 07201 | Leadership and high level objectives | Establish/Maintain Documentation | |
Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 | Leadership and high level objectives | Communicate | |
Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 | Leadership and high level objectives | Communicate | |
Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include risk management in the quality management system. CC ID 15054 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include system testing standards in the Quality Management program. CC ID 01018 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241 [Institutions and payment institutions should maintain at all times sufficient substance and not become 'empty shells' or 'letter-box entities'. To this end, they should: 4.6 39] | Leadership and high level objectives | Establish/Maintain Documentation | |
Define the scope of the security policy. CC ID 07145 | Leadership and high level objectives | Data and Information Management | |
Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688 | Leadership and high level objectives | Business Processes | |
Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 | Leadership and high level objectives | Establish/Maintain Documentation | |
Correlate Information Systems with applicable controls. CC ID 01621 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a policy and procedure management program. CC ID 06285 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the setting of the institution's or payment institution's strategies and policies (e.g. the business model, the risk appetite, the risk management framework); 4.6 36(d)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the effective date on all organizational policies. CC ID 06820 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include threats in the organization’s policies, standards, and procedures. CC ID 12953 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 | Leadership and high level objectives | Business Processes | |
Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish and maintain an Authority Document list. CC ID 07113 | Leadership and high level objectives | Establish/Maintain Documentation | |
Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the documentation and record-keeping, taking into account the requirements in Section 11; 4.7 42(e) allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b) clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 | Leadership and high level objectives | Communicate | |
Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 | Leadership and high level objectives | Establish/Maintain Documentation | |
Classify controls according to their preventive, detective, or corrective status. CC ID 06436 | Leadership and high level objectives | Establish/Maintain Documentation | |
Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include signatures of c-level executives in the Statement on Internal Control. CC ID 14778 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 | Leadership and high level objectives | Establish Roles | |
Approve all compliance documents. CC ID 06286 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the Authority Document list with external requirements. CC ID 06288 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the appropriate roles to all applicable compliance documents. CC ID 06284 | Leadership and high level objectives | Establish Roles | |
Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a compliance exception standard. CC ID 01628 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631 | Leadership and high level objectives | Establish/Maintain Documentation | |
Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 | Leadership and high level objectives | Business Processes | |
Include when exemptions expire in the compliance exception standard. CC ID 14330 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 | Leadership and high level objectives | Establish Roles | |
Include management of the exemption register in the compliance exception standard. CC ID 14328 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 | Leadership and high level objectives | Behavior | |
Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 | Leadership and high level objectives | Behavior | |
Estimate the costs of implementing the compliance framework. CC ID 07191 | Leadership and high level objectives | Business Processes | |
Define the Information Assurance strategic roles and responsibilities. CC ID 00608 | Leadership and high level objectives | Establish Roles | |
Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 | Leadership and high level objectives | Establish Roles | |
Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 | Leadership and high level objectives | Establish Roles | |
Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 | Leadership and high level objectives | Establish Roles | |
Involve the Board of Directors or senior management in Information Governance. CC ID 00609 | Leadership and high level objectives | Establish Roles | |
Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 | Leadership and high level objectives | Human Resources Management | |
Address Information Security during the business planning processes. CC ID 06495 | Leadership and high level objectives | Data and Information Management | |
Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 | Leadership and high level objectives | Establish/Maintain Documentation | |
Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 | Leadership and high level objectives | Establish Roles | |
Establish, implement, and maintain a strategic plan. CC ID 12784 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include the outsource partners in the strategic plan, as necessary. CC ID 13960 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: 4.7 42(c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Establish, implement, and maintain a decision management strategy. CC ID 06913 [When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Align the reporting methodology with the decision management strategy. CC ID 15659 | Leadership and high level objectives | Business Processes | |
Include an economic impact analysis in the decision management strategy. CC ID 14015 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include cost benefit analysis in the decision management strategy. CC ID 14014 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for compliance in the decision-making criteria. CC ID 12951 [{Authority Document} When applying the principle of proportionality, institutions, payment institutions and competent authorities should take into account the criteria specified in Title I of the EBA Guidelines on internal governance in line with Article 74(2) of Directive 2013/36/EU. 4.1 20] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32 {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b)] | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 | Leadership and high level objectives | Establish/Maintain Documentation | |
Include criteria for setting priorities in the decision-making criteria. CC ID 12938 | Leadership and high level objectives | Establish/Maintain Documentation | |
Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 | Leadership and high level objectives | Process or Activity | |
Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 | Leadership and high level objectives | Process or Activity | |
Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 | Leadership and high level objectives | Process or Activity | |
Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 | Leadership and high level objectives | Process or Activity | |
Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 | Leadership and high level objectives | Behavior | |
Take actions in accordance with the decision-making criteria. CC ID 12909 | Leadership and high level objectives | Process or Activity | |
Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 | Leadership and high level objectives | Establish/Maintain Documentation | |
Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 | Leadership and high level objectives | Communicate | |
Establish, implement, and maintain a risk monitoring program. CC ID 00658 [Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103] | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor the organization's exposure to threats, as necessary. CC ID 06494 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Implement a fraud detection system. CC ID 13081 | Monitoring and measurement | Business Processes | |
Monitor for new vulnerabilities. CC ID 06843 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a compliance testing strategy. CC ID 00659 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833 | Monitoring and measurement | Testing | |
Establish, implement, and maintain a system security plan. CC ID 01922 | Monitoring and measurement | Testing | |
Include a system description in the system security plan. CC ID 16467 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the operational context in the system security plan. CC ID 14301 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the security categorization in the system security plan. CC ID 14281 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the information types in the system security plan. CC ID 14696 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security requirements in the system security plan. CC ID 14274 | Monitoring and measurement | Establish/Maintain Documentation | |
Include threats in the system security plan. CC ID 14693 | Monitoring and measurement | Establish/Maintain Documentation | |
Include network diagrams in the system security plan. CC ID 14273 | Monitoring and measurement | Establish/Maintain Documentation | |
Include roles and responsibilities in the system security plan. CC ID 14682 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the results of the privacy risk assessment in the system security plan. CC ID 14676 | Monitoring and measurement | Establish/Maintain Documentation | |
Include remote access methods in the system security plan. CC ID 16441 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 | Monitoring and measurement | Communicate | |
Include a description of the operational environment in the system security plan. CC ID 14272 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the security categorizations and rationale in the system security plan. CC ID 14270 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the authorization boundary in the system security plan. CC ID 14257 | Monitoring and measurement | Establish/Maintain Documentation | |
Align the enterprise architecture with the system security plan. CC ID 14255 | Monitoring and measurement | Process or Activity | |
Include security controls in the system security plan. CC ID 14239 | Monitoring and measurement | Establish/Maintain Documentation | |
Create specific test plans to test each system component. CC ID 00661 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the roles and responsibilities in the test plan. CC ID 14299 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment team in the test plan. CC ID 14297 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the scope in the test plans. CC ID 14293 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the assessment environment in the test plan. CC ID 14271 | Monitoring and measurement | Establish/Maintain Documentation | |
Approve the system security plan. CC ID 14241 | Monitoring and measurement | Business Processes | |
Review the test plans for each system component. CC ID 00662 | Monitoring and measurement | Establish/Maintain Documentation | |
Document validated testing processes in the testing procedures. CC ID 06200 | Monitoring and measurement | Establish/Maintain Documentation | |
Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 | Monitoring and measurement | Establish/Maintain Documentation | |
Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 | Monitoring and measurement | Testing | |
Implement automated audit tools. CC ID 04882 | Monitoring and measurement | Acquisition/Sale of Assets or Services | |
Assign senior management to approve test plans. CC ID 13071 | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain a testing program. CC ID 00654 | Monitoring and measurement | Behavior | |
Establish, implement, and maintain a penetration test program. CC ID 01105 | Monitoring and measurement | Behavior | |
Ensure protocols are free from injection flaws. CC ID 16401 | Monitoring and measurement | Process or Activity | |
Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. 4.6 36(f)] | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics policy. CC ID 01654 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain risk management metrics. CC ID 01656 | Monitoring and measurement | Establish/Maintain Documentation | |
Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 | Monitoring and measurement | Business Processes | |
Identify information being used to support performance reviews for risk optimization. CC ID 12865 | Monitoring and measurement | Audits and Risk Management | |
Identify and document instances of non-compliance with the compliance framework. CC ID 06499 | Monitoring and measurement | Establish/Maintain Documentation | |
Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 | Monitoring and measurement | Establish/Maintain Documentation | |
Align disciplinary actions with the level of compliance violation. CC ID 12404 | Monitoring and measurement | Human Resources Management | |
Establish, implement, and maintain disciplinary action notices. CC ID 16577 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a copy of the order in the disciplinary action notice. CC ID 16606 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the sanctions imposed in the disciplinary action notice. CC ID 16599 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the requirements that were violated in the disciplinary action notice. CC ID 16588 | Monitoring and measurement | Establish/Maintain Documentation | |
Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 | Monitoring and measurement | Establish/Maintain Documentation | |
Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 | Monitoring and measurement | Communicate | |
Include required information in the disciplinary action notice. CC ID 16584 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a justification for actions taken in the disciplinary action notice. CC ID 16583 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the investigation results in the disciplinary action notice. CC ID 16581 | Monitoring and measurement | Establish/Maintain Documentation | |
Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 | Monitoring and measurement | Establish/Maintain Documentation | |
Include contact information in the disciplinary action notice. CC ID 16578 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain compliance program metrics. CC ID 11625 | Monitoring and measurement | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a security program metrics program. CC ID 01660 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the Service Level Agreement performance of supply chain members. CC ID 06838 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit metrics program. CC ID 01664 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an Information Security metrics program. CC ID 01665 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a metrics standard and template. CC ID 02157 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor compliance with the Quality Control system. CC ID 01023 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of complaints received about products or delivered services. CC ID 07199 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain an occupational health and safety management metrics program. CC ID 15915 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a policies and controls metrics program. CC ID 01666 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a security roles and responsibilities metrics program. CC ID 01667 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a role-based information access metrics program. CC ID 01668 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an information risk threshold metrics program. CC ID 01694 | Monitoring and measurement | Establish/Maintain Documentation | |
Monitor the supply chain for Information Assurance effectiveness. CC ID 02043 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain an identification and classification of information assets metrics program. CC ID 02052 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an Information Systems architecture metrics program. CC ID 02059 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a physical environment metrics program. CC ID 02063 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a privacy metrics program. CC ID 15494 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain environmental management system performance metrics. CC ID 15191 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain waste management metrics. CC ID 16152 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain emissions management metrics. CC ID 16145 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain financial management metrics. CC ID 16749 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a technical measurement metrics policy. CC ID 01655 | Monitoring and measurement | Establish/Maintain Documentation | |
Establish, implement, and maintain a user identification and authentication metrics program. CC ID 02073 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user account management metrics program. CC ID 02075 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a user and administrator privilege management metrics program. CC ID 02076 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a Configuration Management metrics program. CC ID 02077 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a Security Information and Event Management metrics program. CC ID 02078 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a communications, e-mail, and remote access security management metrics program. CC ID 02079 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a malicious code protection management metrics program. CC ID 02080 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a software change management metrics program. CC ID 02081 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a network management and firewall management metrics program. CC ID 02082 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a data encryption management metrics program. CC ID 02083 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain a backup management and recovery management metrics program. CC ID 02084 | Monitoring and measurement | Business Processes | |
Establish, implement, and maintain an incident management and vulnerability management metrics program. CC ID 02085 | Monitoring and measurement | Business Processes | |
Delay the reporting of incident management metrics, as necessary. CC ID 15501 | Monitoring and measurement | Communicate | |
Establish, implement, and maintain an Electronic Health Records measurement metrics program. CC ID 06221 | Monitoring and measurement | Establish/Maintain Documentation | |
Report on the percentage of unique patients who had at least one medication entered using the Computerized Provider Order Entry system. CC ID 06222 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have diagnoses recorded as structured data into the current and active diagnoses problem list. CC ID 06223 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of permissible prescriptions that are transmitted electronically. CC ID 06224 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication list. CC ID 06225 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have at least one entry recorded as structured data into the active medication allergy list. CC ID 06226 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who have demographics recorded as structured data. CC ID 06227 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 2 who have their height, weight, and blood pressure recorded as structured data. CC ID 06228 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients over the age of 13 who have their smoking status recorded as structured data. CC ID 06229 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given an electronic copy of their Individually Identifiable Health Information not later than three business days after Individually Identifiable Health Information is requested. CC ID 06230 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who are given clinical summaries not later than three business days after a physician office visit. CC ID 06231 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of lab test results that are incorporated into the Electronic Health Records as structured data. CC ID 06232 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients sixty-five years of age or older or five years of age or younger who were sent a reminder. CC ID 06233 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given electronic access to their Individually Identifiable Health Information not later than four business days after their Individually Identifiable Health Information is updated. CC ID 06234 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of unique patients who are given patient-specific education resources. CC ID 06235 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of medication reconciliations that are performed if a patient is received from another setting or healthcare provider. CC ID 06236 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of summary of care records that are provided for transitions of care or referrals for patients who are transitioned or referred to another setting or healthcare provider. CC ID 06237 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients who receive their discharge instructions if discharge instructions are requested. CC ID 06238 | Monitoring and measurement | Actionable Reports or Measurements | |
Report on the percentage of patients 65 years of age or older who have an indication of advance directive status recorded as structured data. CC ID 06239 | Monitoring and measurement | Actionable Reports or Measurements | |
Establish, implement, and maintain a log management program. CC ID 00673 | Monitoring and measurement | Establish/Maintain Documentation | |
Deploy log normalization tools, as necessary. CC ID 12141 | Monitoring and measurement | Technical Security | |
Restrict access to logs to authorized individuals. CC ID 01342 | Monitoring and measurement | Log Management | |
Restrict access to audit trails to a need to know basis. CC ID 11641 | Monitoring and measurement | Technical Security | |
Refrain from recording unnecessary restricted data in logs. CC ID 06318 | Monitoring and measurement | Log Management | |
Back up audit trails according to backup procedures. CC ID 11642 | Monitoring and measurement | Systems Continuity | |
Back up logs according to backup procedures. CC ID 01344 | Monitoring and measurement | Log Management | |
Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are not being stored. CC ID 06314 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the system level only. CC ID 06315 | Monitoring and measurement | Log Management | |
Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 | Monitoring and measurement | Log Management | |
Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 | Monitoring and measurement | Log Management | |
Protect logs from unauthorized activity. CC ID 01345 | Monitoring and measurement | Log Management | |
Perform testing and validating activities on all logs. CC ID 06322 | Monitoring and measurement | Log Management | |
Archive the audit trail in accordance with compliance requirements. CC ID 00674 | Monitoring and measurement | Log Management | |
Enforce dual authorization as a part of information flow control for logs. CC ID 10098 | Monitoring and measurement | Configuration | |
Preserve the identity of individuals in audit trails. CC ID 10594 | Monitoring and measurement | Log Management | |
Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 | Monitoring and measurement | Establish/Maintain Documentation | |
Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 | Monitoring and measurement | Audits and Risk Management | |
Align corrective actions with the level of environmental impact. CC ID 15193 | Monitoring and measurement | Business Processes | |
Include risks and opportunities in the corrective action plan. CC ID 15178 | Monitoring and measurement | Establish/Maintain Documentation | |
Include environmental aspects in the corrective action plan. CC ID 15177 | Monitoring and measurement | Establish/Maintain Documentation | |
Include the completion date in the corrective action plan. CC ID 13272 | Monitoring and measurement | Establish/Maintain Documentation | |
Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 | Audits and risk management | Establish Roles | |
Define and assign the external auditor's roles and responsibilities. CC ID 00683 | Audits and risk management | Establish Roles | |
Engage auditors who have adequate knowledge of the subject matter. CC ID 07102 [Where the outsourcing arrangement carries a high level of technical complexity, for instance in the case of cloud outsourcing, the institution or payment institution should verify that whoever is performing the audit – whether it is its internal auditors, the pool of auditors or external auditors acting on its behalf – has appropriate and relevant skills and knowledge to perform relevant audits and/or assessments effectively. The same applies to any staff of the institution or payment institution reviewing third-party certifications or audits carried out by service providers. 4.13.3 97] | Audits and risk management | Audits and Risk Management | |
Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 | Audits and risk management | Establish/Maintain Documentation | |
Review external auditor outsourcing contracts and engagement letters. CC ID 01189 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 | Audits and risk management | Establish/Maintain Documentation | |
Review the external auditor's qualifications. CC ID 01197 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: are satisfied with the aptitude of the certifying or auditing party (e.g. with regard to rotation of the certifying or auditing company, qualifications, expertise, reperformance/verification of the evidence in the underlying audit file); 4.13.3 93(e)] | Audits and risk management | Audits and Risk Management | |
Review the adequacy of the external auditor's work papers and audit reports. CC ID 01199 [{third party audit report} {are sufficient} For the outsourcing of critical or important functions, institutions and payment institutions should assess whether third-party certifications and reports as referred to in paragraph 91(b) are adequate and sufficient to comply with their regulatory obligations and should not rely solely on these reports over time. 4.13.3 92] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an audit program. CC ID 00684 [{audit program} The internal audit function's activities should cover, following a risk-based approach, the independent review of outsourced activities. The audit plan and programme should include, in particular, the outsourcing arrangements of critical or important functions. 4.10 50] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain audit policies. CC ID 13166 | Audits and risk management | Establish/Maintain Documentation | |
Assign the audit to impartial auditors. CC ID 07118 | Audits and risk management | Establish Roles | |
Define what constitutes a threat to independence. CC ID 16824 | Audits and risk management | Audits and Risk Management | |
Exercise due professional care during the planning and performance of the audit. CC ID 07119 [When performing audits in multi-client environments, care should be taken to ensure that risks to another client's environment (e.g. impact on service levels, availability of data, confidentiality aspects) are avoided or mitigated. 4.13.3 96] | Audits and risk management | Behavior | |
Include resource requirements in the audit program. CC ID 15237 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit program. CC ID 15236 | Audits and risk management | Establish/Maintain Documentation | |
Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 | Audits and risk management | Audits and Risk Management | |
Establish and maintain audit terms. CC ID 13880 [{third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g)] | Audits and risk management | Establish/Maintain Documentation | |
Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 | Audits and risk management | Process or Activity | |
Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain an in scope system description. CC ID 14873 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 | Audits and risk management | Audits and Risk Management | |
Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 | Audits and risk management | Audits and Risk Management | |
Include third party data in the audit assertion's in scope system description. CC ID 16554 | Audits and risk management | Audits and Risk Management | |
Include third party personnel in the audit assertion's in scope system description. CC ID 16552 | Audits and risk management | Audits and Risk Management | |
Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 | Audits and risk management | Audits and Risk Management | |
Include third party assets in the audit assertion's in scope system description. CC ID 16550 | Audits and risk management | Audits and Risk Management | |
Include third party services in the audit assertion's in scope system description. CC ID 16503 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 | Audits and risk management | Establish/Maintain Documentation | |
Include availability commitments in the audit assertion's in scope system description. CC ID 14914 | Audits and risk management | Establish/Maintain Documentation | |
Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 | Audits and risk management | Audits and Risk Management | |
Include changes in the audit assertion's in scope system description. CC ID 14894 | Audits and risk management | Establish/Maintain Documentation | |
Include external communications in the audit assertion's in scope system description. CC ID 14913 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding incidents related to the system in the audit assertion's in scope system description. CC ID 14878 | Audits and risk management | Establish/Maintain Documentation | |
Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 | Audits and risk management | Establish/Maintain Documentation | |
Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 | Audits and risk management | Establish/Maintain Documentation | |
Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 | Audits and risk management | Establish/Maintain Documentation | |
Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 | Audits and risk management | Establish/Maintain Documentation | |
Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 | Audits and risk management | Establish/Maintain Documentation | |
Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 | Audits and risk management | Establish/Maintain Documentation | |
Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 | Audits and risk management | Establish/Maintain Documentation | |
Include commitments to third parties in the audit assertion. CC ID 14899 | Audits and risk management | Establish/Maintain Documentation | |
Determine the completeness of the audit assertion's in scope system description. CC ID 14883 | Audits and risk management | Establish/Maintain Documentation | |
Include system requirements in the audit assertion's in scope system description. CC ID 14881 | Audits and risk management | Establish/Maintain Documentation | |
Include third party controls in the audit assertion's in scope system description. CC ID 14880 | Audits and risk management | Establish/Maintain Documentation | |
Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 | Audits and risk management | Audits and Risk Management | |
Identify personnel who should attend the closing meeting. CC ID 15261 | Audits and risk management | Business Processes | |
Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 | Audits and risk management | Audits and Risk Management | |
Include agreement to the audit scope and audit terms in the audit program. CC ID 06965 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that key systems and controls are covered in future versions of the certification or audit report; 4.13.3 93(d) {access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Audits and risk management | Establish/Maintain Documentation | |
Include third party assets in the audit scope. CC ID 16504 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit program. CC ID 07103 | Audits and risk management | Establish/Maintain Documentation | |
Examine the availability of the audit criteria in the audit program. CC ID 16520 | Audits and risk management | Investigate | |
Examine the objectivity of the audit criteria in the audit program. CC ID 07104 | Audits and risk management | Establish/Maintain Documentation | |
Examine the measurability of the audit criteria in the audit program. CC ID 07105 | Audits and risk management | Establish/Maintain Documentation | |
Examine the completeness of the audit criteria in the audit program. CC ID 07106 | Audits and risk management | Establish/Maintain Documentation | |
Examine the relevance of the audit criteria in the audit program. CC ID 07107 | Audits and risk management | Establish/Maintain Documentation | |
Determine the appropriateness of the audit subject matter. CC ID 16505 | Audits and risk management | Audits and Risk Management | |
Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope material or in scope products in the audit program. CC ID 08961 | Audits and risk management | Audits and Risk Management | |
Include in scope information in the audit program. CC ID 16198 | Audits and risk management | Establish/Maintain Documentation | |
Include the out of scope material or out of scope products in the audit program. CC ID 08962 | Audits and risk management | Establish/Maintain Documentation | |
Provide a representation letter in support of the audit assertion. CC ID 07158 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the audit in the representation letter. CC ID 16517 | Audits and risk management | Audits and Risk Management | |
Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 | Audits and risk management | Establish/Maintain Documentation | |
Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 | Audits and risk management | Establish/Maintain Documentation | |
Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 | Audits and risk management | Establish/Maintain Documentation | |
Include an in scope system description in the audit assertion. CC ID 14872 | Audits and risk management | Establish/Maintain Documentation | |
Include any assumptions that are improbable in the audit assertion. CC ID 13950 | Audits and risk management | Establish/Maintain Documentation | |
Include investigations and legal proceedings in the audit assertion. CC ID 16846 | Audits and risk management | Establish/Maintain Documentation | |
Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 | Audits and risk management | Establish/Maintain Documentation | |
Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 | Audits and risk management | Establish/Maintain Documentation | |
Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 | Audits and risk management | Establish/Maintain Documentation | |
Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 | Audits and risk management | Establish/Maintain Documentation | |
Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope procedures in the audit assertion. CC ID 06972 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records produced in the audit assertion. CC ID 06968 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope risk assessment processes in the audit assertion. CC ID 06975 | Audits and risk management | Establish/Maintain Documentation | |
Include in scope change controls in the audit assertion. CC ID 06976 | Audits and risk management | Establish/Maintain Documentation | |
Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope for the desired level of assurance in the audit program. CC ID 12793 | Audits and risk management | Communicate | |
Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 | Audits and risk management | Establish/Maintain Documentation | |
Include how access to in scope systems, personnel, and in scope records is provided to the auditor in the audit terms. CC ID 06988 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 | Audits and risk management | Establish/Maintain Documentation | |
Include the expectations for the audit report in the audit terms. CC ID 07148 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 | Audits and risk management | Establish/Maintain Documentation | |
Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 | Audits and risk management | Communicate | |
Include materiality levels in the audit terms. CC ID 01238 | Audits and risk management | Establish/Maintain Documentation | |
Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239 | Audits and risk management | Establish/Maintain Documentation | |
Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 | Audits and risk management | Establish/Maintain Documentation | |
Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 | Audits and risk management | Business Processes | |
Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 | Audits and risk management | Behavior | |
Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 | Audits and risk management | Audits and Risk Management | |
Accept the attestation engagement when all preconditions are met. CC ID 13933 | Audits and risk management | Business Processes | |
Audit in scope audit items and compliance documents. CC ID 06730 [With regard to the outsourcing process, the internal audit function should at least ascertain: that the institution's or payment institution's framework for outsourcing, including the outsourcing policy, is correctly and effectively implemented and is in line with the applicable laws and regulation, the risk strategy and the decisions of the management body; 4.10 51(a)] | Audits and risk management | Audits and Risk Management | |
Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 | Audits and risk management | Actionable Reports or Measurements | |
Document any after the fact changes to the engagement file. CC ID 07002 | Audits and risk management | Establish/Maintain Documentation | |
Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 | Audits and risk management | Establish/Maintain Documentation | |
Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 | Audits and risk management | Establish/Maintain Documentation | |
Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 | Audits and risk management | Records Management | |
Conduct onsite inspections, as necessary. CC ID 16199 | Audits and risk management | Testing | |
Audit policies, standards, and procedures. CC ID 12927 [The management body of an institution or payment institution 44 that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 With regard to the outsourcing process, the internal audit function should at least ascertain: the adequacy, quality and effectiveness of the assessment of the criticality or importance of functions; 4.10 51(b)] | Audits and risk management | Audits and Risk Management | |
Edit the audit assertion for accuracy. CC ID 07030 | Audits and risk management | Establish/Maintain Documentation | |
Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 | Audits and risk management | Establish/Maintain Documentation | |
Review documentation to determine the effectiveness of in scope controls. CC ID 16522 | Audits and risk management | Process or Activity | |
Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 | Audits and risk management | Establish/Maintain Documentation | |
Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Audits and risk management | Testing | |
Implement procedures that collect sufficient audit evidence. CC ID 07153 | Audits and risk management | Audits and Risk Management | |
Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to avoid misstatements. CC ID 07155 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 | Audits and risk management | Audits and Risk Management | |
Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 | Audits and risk management | Audits and Risk Management | |
Report that audit evidence collected was not sufficient to the proper authorities. CC ID 16847 | Audits and risk management | Communicate | |
Provide transactional walkthrough procedures for external auditors. CC ID 00672 | Audits and risk management | Testing | |
Establish, implement, and maintain interview procedures. CC ID 16282 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the interview procedures. CC ID 16297 | Audits and risk management | Human Resources Management | |
Coordinate the scheduling of interviews. CC ID 16293 | Audits and risk management | Process or Activity | |
Create a schedule for the interviews. CC ID 16292 | Audits and risk management | Process or Activity | |
Identify interviewees. CC ID 16290 | Audits and risk management | Process or Activity | |
Explain the testing results to the interviewee. CC ID 16291 | Audits and risk management | Process or Activity | |
Establish and maintain work papers, as necessary. CC ID 13891 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 | Audits and risk management | Establish/Maintain Documentation | |
Include audit irregularities in the work papers. CC ID 16774 | Audits and risk management | Establish/Maintain Documentation | |
Include corrective actions in the work papers. CC ID 16771 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 | Audits and risk management | Establish/Maintain Documentation | |
Include justification for departing from mandatory requirements in the work papers. CC ID 13935 | Audits and risk management | Establish/Maintain Documentation | |
Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 | Audits and risk management | Audits and Risk Management | |
Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 | Audits and risk management | Establish/Maintain Documentation | |
Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 | Audits and risk management | Establish/Maintain Documentation | |
Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 | Audits and risk management | Establish/Maintain Documentation | |
Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 | Audits and risk management | Establish/Maintain Documentation | |
Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 | Audits and risk management | Audits and Risk Management | |
Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 | Audits and risk management | Establish/Maintain Documentation | |
Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 | Audits and risk management | Establish/Maintain Documentation | |
Supervise interested personnel and affected parties participating in the audit. CC ID 07150 | Audits and risk management | Monitor and Evaluate Occurrences | |
Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 | Audits and risk management | Establish Roles | |
Respond to questions or clarification requests regarding the audit. CC ID 08902 | Audits and risk management | Business Processes | |
Track and measure the implementation of the organizational compliance framework. CC ID 06445 | Audits and risk management | Monitor and Evaluate Occurrences | |
Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 | Audits and risk management | Business Processes | |
Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 | Audits and risk management | Process or Activity | |
Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 | Audits and risk management | Establish/Maintain Documentation | |
Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90 {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88] | Audits and risk management | Audits and Risk Management | |
Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 | Audits and risk management | Business Processes | |
Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 | Audits and risk management | Audits and Risk Management | |
Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 | Audits and risk management | Establish/Maintain Documentation | |
Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain organizational audit reports. CC ID 06731 | Audits and risk management | Establish/Maintain Documentation | |
Include the justification for not following the applicable requirements in the audit report. CC ID 16822 | Audits and risk management | Audits and Risk Management | |
Include a statement that the applicable requirements were not followed in the audit report. CC ID 16821 | Audits and risk management | Audits and Risk Management | |
Include audit subject matter in the audit report. CC ID 14882 | Audits and risk management | Establish/Maintain Documentation | |
Include an other-matter paragraph in the audit report. CC ID 14901 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditee did not provide comments in the audit report. CC ID 16849 | Audits and risk management | Establish/Maintain Documentation | |
Write the audit report using clear and conspicuous language. CC ID 13948 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the financial statements were audited in the audit report. CC ID 13963 | Audits and risk management | Establish/Maintain Documentation | |
Include the criteria that financial information was measured against in the audit report. CC ID 13966 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the financial information being reported on in the audit report. CC ID 13965 | Audits and risk management | Establish/Maintain Documentation | |
Include references to any adjustments of financial information in the audit report. CC ID 13964 | Audits and risk management | Establish/Maintain Documentation | |
Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 | Audits and risk management | Establish/Maintain Documentation | |
Include references to historical financial information used in the audit report. CC ID 13961 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 | Audits and risk management | Establish/Maintain Documentation | |
Include the word independent in the title of audit reports. CC ID 07003 | Audits and risk management | Actionable Reports or Measurements | |
Include the date of the audit in the audit report. CC ID 07024 | Audits and risk management | Actionable Reports or Measurements | |
Structure the audit report to be in the form of procedures and findings. CC ID 13940 | Audits and risk management | Establish/Maintain Documentation | |
Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 | Audits and risk management | Actionable Reports or Measurements | |
Include any discussions of significant findings in the audit report. CC ID 13955 | Audits and risk management | Establish/Maintain Documentation | |
Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit criteria in the audit report. CC ID 13945 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 | Audits and risk management | Establish/Maintain Documentation | |
Include all hypothetical assumptions in the audit report. CC ID 13947 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 | Audits and risk management | Actionable Reports or Measurements | |
Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 | Audits and risk management | Establish/Maintain Documentation | |
Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 | Audits and risk management | Establish/Maintain Documentation | |
Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 | Audits and risk management | Establish/Maintain Documentation | |
Include a review of the subject matter expert's findings in the audit report. CC ID 13972 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement of the character of the engagement in the audit report. CC ID 07166 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 | Audits and risk management | Establish/Maintain Documentation | |
Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 | Audits and risk management | Establish/Maintain Documentation | |
Include all restrictions on the audit in the audit report. CC ID 13930 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 | Audits and risk management | Establish/Maintain Documentation | |
Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from referencing previous engagements in the audit report. CC ID 16516 | Audits and risk management | Audits and Risk Management | |
Refrain from referencing other auditor's work in the audit report. CC ID 13881 | Audits and risk management | Establish/Maintain Documentation | |
Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 | Audits and risk management | Establish/Maintain Documentation | |
Include how in scope controls meet external requirements in the audit report. CC ID 16450 | Audits and risk management | Establish/Maintain Documentation | |
Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 | Audits and risk management | Establish/Maintain Documentation | |
Include recommended corrective actions in the audit report. CC ID 16197 | Audits and risk management | Establish/Maintain Documentation | |
Include risks and opportunities in the audit report. CC ID 16196 | Audits and risk management | Establish/Maintain Documentation | |
Include the description of tests of controls and results in the audit report. CC ID 14898 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 | Audits and risk management | Establish/Maintain Documentation | |
Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 | Audits and risk management | Establish/Maintain Documentation | |
Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 | Audits and risk management | Establish/Maintain Documentation | |
Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 | Audits and risk management | Audits and Risk Management | |
Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 | Audits and risk management | Establish/Maintain Documentation | |
Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 | Audits and risk management | Actionable Reports or Measurements | |
Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 | Audits and risk management | Establish/Maintain Documentation | |
Include the attestation standards the auditor follows in the audit report. CC ID 07015 | Audits and risk management | Establish/Maintain Documentation | |
Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169 | Audits and risk management | Establish/Maintain Documentation | |
Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 | Audits and risk management | Establish/Maintain Documentation | |
Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's in scope system description in the audit report. CC ID 11626 | Audits and risk management | Audits and Risk Management | |
Include any out of scope components of in scope systems in the audit report. CC ID 07006 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 | Audits and risk management | Establish/Maintain Documentation | |
Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope and work performed in the audit report. CC ID 11621 | Audits and risk management | Audits and Risk Management | |
Resolve disputes before creating the audit summary. CC ID 08964 | Audits and risk management | Behavior | |
Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 | Audits and risk management | Establish/Maintain Documentation | |
Include an audit opinion in the audit report. CC ID 07017 | Audits and risk management | Establish/Maintain Documentation | |
Include qualified opinions in the audit report. CC ID 13928 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 | Audits and risk management | Establish/Maintain Documentation | |
Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 | Audits and risk management | Establish/Maintain Documentation | |
Include items that were excluded from the audit report in the audit report. CC ID 07007 | Audits and risk management | Establish/Maintain Documentation | |
Include the organization's privacy practices in the audit report. CC ID 07029 | Audits and risk management | Establish/Maintain Documentation | |
Include items that pertain to third parties in the audit report. CC ID 07008 | Audits and risk management | Establish/Maintain Documentation | |
Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 | Audits and risk management | Establish/Maintain Documentation | |
Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 | Audits and risk management | Establish/Maintain Documentation | |
Include whether the use of compensating controls is necessary in the audit report. CC ID 07020 | Audits and risk management | Establish/Maintain Documentation | |
Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 | Audits and risk management | Establish/Maintain Documentation | |
Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 | Audits and risk management | Establish/Maintain Documentation | |
Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 | Audits and risk management | Establish/Maintain Documentation | |
Disclose any audit irregularities in the audit report. CC ID 06995 | Audits and risk management | Actionable Reports or Measurements | |
Include the written signature of the auditor's organization in the audit report. CC ID 13897 | Audits and risk management | Establish/Maintain Documentation | |
Include a statement that additional reports are being submitted in the audit report. CC ID 16848 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117 | Audits and risk management | Establish/Maintain Documentation | |
Define the roles and responsibilities for distributing the audit report. CC ID 16845 | Audits and risk management | Human Resources Management | |
Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 | Audits and risk management | Communicate | |
Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 | Audits and risk management | Communicate | |
Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 | Audits and risk management | Behavior | |
Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 | Audits and risk management | Establish/Maintain Documentation | |
Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 | Audits and risk management | Establish/Maintain Documentation | |
Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 | Audits and risk management | Business Processes | |
Accept the audit report. CC ID 07025 | Audits and risk management | Establish/Maintain Documentation | |
Assign responsibility for remediation actions. CC ID 13622 | Audits and risk management | Human Resources Management | |
Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 | Audits and risk management | Establish/Maintain Documentation | |
Assess the quality of the audit program in regards to its documentation. CC ID 11622 | Audits and risk management | Audits and Risk Management | |
Include the audit criteria in the audit plan. CC ID 15262 | Audits and risk management | Establish/Maintain Documentation | |
Include a list of reference documents in the audit plan. CC ID 15260 | Audits and risk management | Establish/Maintain Documentation | |
Include the languages to be used for the audit in the audit plan. CC ID 15252 | Audits and risk management | Establish/Maintain Documentation | |
Include the allocation of resources in the audit plan. CC ID 15251 | Audits and risk management | Establish/Maintain Documentation | |
Include communication protocols in the audit plan. CC ID 15247 | Audits and risk management | Establish/Maintain Documentation | |
Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 | Audits and risk management | Establish/Maintain Documentation | |
Include meeting schedules in the audit plan. CC ID 15245 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for the audit in the audit plan. CC ID 15244 | Audits and risk management | Establish/Maintain Documentation | |
Include the time frames for conducting the audit in the audit plan. CC ID 15243 | Audits and risk management | Establish/Maintain Documentation | |
Include the locations to be audited in the audit plan. CC ID 15242 | Audits and risk management | Establish/Maintain Documentation | |
Include the processes to be audited in the audit plan. CC ID 15241 | Audits and risk management | Establish/Maintain Documentation | |
Include audit objectives in the audit plan. CC ID 15240 | Audits and risk management | Establish/Maintain Documentation | |
Include the risks associated with audit activities in the audit plan. CC ID 15239 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 | Audits and risk management | Communicate | |
Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158 [{access rights} Institutions and payment institutions should exercise their access and audit rights, determine the audit frequency and areas to be audited on a risk-based approach and adhere to relevant, commonly accepted, national and international audit standards. 4.13.3 90] | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a risk management program. CC ID 12051 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Audits and risk management | Establish/Maintain Documentation | |
Include the scope of risk management activities in the risk management program. CC ID 13658 | Audits and risk management | Establish/Maintain Documentation | |
Integrate the risk management program with the organization's business activities. CC ID 13661 | Audits and risk management | Business Processes | |
Integrate the risk management program into daily business decision-making. CC ID 13659 | Audits and risk management | Business Processes | |
Include managing mobile risks in the risk management program. CC ID 13535 | Audits and risk management | Establish/Maintain Documentation | |
Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 | Audits and risk management | Audits and Risk Management | |
Include regular updating in the risk management system. CC ID 14990 | Audits and risk management | Business Processes | |
Establish, implement, and maintain risk management strategies. CC ID 13209 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage of supplies in the risk management strategies. CC ID 13221 | Audits and risk management | Establish/Maintain Documentation | |
Include data quality in the risk management strategies. CC ID 15308 | Audits and risk management | Data and Information Management | |
Include the use of alternate service providers in the risk management strategies. CC ID 13217 [{be difficult} {substitute} Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: concentration risks, including from: outsourcing to a dominant service provider that is not easily substitutable; and 4.12.2 66(a)(i) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to reintegrate the outsourced function into the institution or payment institution, if necessary or desirable; 4.4 31(i) {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: transfer the function to alternative service providers; 4.6 40(f)(i)] | Audits and risk management | Establish/Maintain Documentation | |
Include minimizing service interruptions in the risk management strategies. CC ID 13215 | Audits and risk management | Establish/Maintain Documentation | |
Include off-site storage in the risk mitigation strategies. CC ID 13213 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain the risk assessment framework. CC ID 00685 | Audits and risk management | Establish/Maintain Documentation | |
Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 [{be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institutions internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)] | Audits and risk management | Establish Roles | |
Establish, implement, and maintain a risk assessment program. CC ID 00687 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Audits and risk management | Establish/Maintain Documentation | |
Address past incidents in the risk assessment program. CC ID 12743 | Audits and risk management | Audits and Risk Management | |
Include the need for risk assessments in the risk assessment program. CC ID 06447 | Audits and risk management | Establish/Maintain Documentation | |
Include the information flow of restricted data in the risk assessment program. CC ID 12339 | Audits and risk management | Establish/Maintain Documentation | |
Establish and maintain the factors and context for risk to the organization. CC ID 12230 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii) Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess all of the relevant risks of the outsourcing arrangement in accordance with Section 12.2; 4.12 61(c) When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain insurance requirements. CC ID 16562 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 | Audits and risk management | Communicate | |
Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 | Audits and risk management | Communicate | |
Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 | Audits and risk management | Business Processes | |
Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 | Audits and risk management | Business Processes | |
Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 [Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the measures implemented by the institution or payment institution and by the service provider to manage and mitigate the risks. 4.12.2 66(d) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: 4.7 44 {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the performance of their business activities. 4.7 44(d) When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Audits and risk management | Business Processes | |
Address cybersecurity risks in the risk assessment program. CC ID 13193 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 | Audits and risk management | Process or Activity | |
Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 | Audits and risk management | Establish/Maintain Documentation | |
Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 | Audits and risk management | Establish/Maintain Documentation | |
Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 | Audits and risk management | Establish/Maintain Documentation | |
Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 | Audits and risk management | Communicate | |
Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 | Audits and risk management | Establish/Maintain Documentation | |
Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 | Audits and risk management | Establish/Maintain Documentation | |
Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 | Audits and risk management | Establish/Maintain Documentation | |
Use the risk taxonomy when managing risk. CC ID 12280 | Audits and risk management | Behavior | |
Establish, implement, and maintain a risk assessment policy. CC ID 14026 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the risk assessment policy. CC ID 14121 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the risk assessment policy. CC ID 14120 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the risk assessment policy. CC ID 14119 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the risk assessment policy. CC ID 14118 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the risk assessment policy. CC ID 14117 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the risk assessment policy. CC ID 14116 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 | Audits and risk management | Communicate | |
Establish, implement, and maintain risk assessment procedures. CC ID 06446 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the organization's information security environment. CC ID 13122 | Audits and risk management | Technical Security | |
Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 | Audits and risk management | Establish/Maintain Documentation | |
Document cybersecurity risks. CC ID 12281 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account information classification. CC ID 06477 | Audits and risk management | Establish/Maintain Documentation | |
Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 | Audits and risk management | Human Resources Management | |
Employ risk assessment procedures that align with strategic objectives. CC ID 06474 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account the target environment. CC ID 06479 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that take into account risk factors. CC ID 16560 | Audits and risk management | Audits and Risk Management | |
Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 | Audits and risk management | Establish/Maintain Documentation | |
Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk criteria. CC ID 12277 | Audits and risk management | Establish/Maintain Documentation | |
Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 | Audits and risk management | Technical Security | |
Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: identify and classify the relevant functions and related data and systems as regards their sensitivity and required security measures; 4.12.2 68(a)] | Audits and risk management | Audits and Risk Management | |
Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 | Audits and risk management | Audits and Risk Management | |
Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 | Audits and risk management | Establish/Maintain Documentation | |
Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 | Audits and risk management | Audits and Risk Management | |
Approve the threat and risk classification scheme. CC ID 15693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157 | Audits and risk management | Audits and Risk Management | |
Include language that is easy to understand in the risk assessment report. CC ID 06461 | Audits and risk management | Establish/Maintain Documentation | |
Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 | Audits and risk management | Establish/Maintain Documentation | |
Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 | Audits and risk management | Establish/Maintain Documentation | |
Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 | Audits and risk management | Establish/Maintain Documentation | |
Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 | Audits and risk management | Establish/Maintain Documentation | |
Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 | Audits and risk management | Establish/Maintain Documentation | |
Automate as much of the risk assessment program, as necessary. CC ID 06459 | Audits and risk management | Audits and Risk Management | |
Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 | Audits and risk management | Communicate | |
Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 | Audits and risk management | Establish/Maintain Documentation | |
Perform risk assessments for all target environments, as necessary. CC ID 06452 | Audits and risk management | Testing | |
Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 | Audits and risk management | Establish/Maintain Documentation | |
Include physical assets in the scope of the risk assessment. CC ID 13075 | Audits and risk management | Establish/Maintain Documentation | |
Include the results of the risk assessment in the risk assessment report. CC ID 06481 | Audits and risk management | Establish/Maintain Documentation | |
Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 | Audits and risk management | Audits and Risk Management | |
Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 | Audits and risk management | Audits and Risk Management | |
Review the risk to the audit function when the audit personnel status changes. CC ID 01153 | Audits and risk management | Audits and Risk Management | |
Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 | Audits and risk management | Establish/Maintain Documentation | |
Create a risk assessment report based on the risk assessment results. CC ID 15695 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 | Audits and risk management | Communicate | |
Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 | Audits and risk management | Business Processes | |
Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718 | Audits and risk management | Behavior | |
Correlate the business impact of identified risks in the risk assessment report. CC ID 00686 | Audits and risk management | Audits and Risk Management | |
Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 | Audits and risk management | Establish/Maintain Documentation | |
Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 | Audits and risk management | Establish/Maintain Documentation | |
Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 | Audits and risk management | Establish/Maintain Documentation | |
Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 | Audits and risk management | Establish/Maintain Documentation | |
Include pandemic risks in the Business Impact Analysis. CC ID 13219 | Audits and risk management | Establish/Maintain Documentation | |
Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 | Audits and risk management | Communicate | |
Establish, implement, and maintain a risk register. CC ID 14828 | Audits and risk management | Establish/Maintain Documentation | |
Document organizational risk tolerance in a risk register. CC ID 09961 | Audits and risk management | Establish/Maintain Documentation | |
Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 | Audits and risk management | Business Processes | |
Review the Business Impact Analysis, as necessary. CC ID 12774 | Audits and risk management | Business Processes | |
Analyze and quantify the risks to in scope systems and information. CC ID 00701 [Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: the aggregated risks resulting from outsourcing several functions across the institution or payment institution and, in the case of groups of institutions or institutional protection schemes, the aggregated risks on a consolidated basis or on the basis of the institutional protection scheme; 4.12.2 66(b)] | Audits and risk management | Audits and Risk Management | |
Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 | Audits and risk management | Audits and Risk Management | |
Identify the material risks in the risk assessment report. CC ID 06482 | Audits and risk management | Audits and Risk Management | |
Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Audits and risk management | Establish/Maintain Documentation | |
Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 | Audits and risk management | Investigate | |
Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 | Audits and risk management | Behavior | |
Document the results of the gap analysis. CC ID 16271 | Audits and risk management | Establish/Maintain Documentation | |
Prioritize and select controls based on the risk assessment findings. CC ID 00707 | Audits and risk management | Audits and Risk Management | |
Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 | Audits and risk management | Audits and Risk Management | |
Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 | Audits and risk management | Audits and Risk Management | |
Establish, implement, and maintain a risk treatment plan. CC ID 11983 | Audits and risk management | Establish/Maintain Documentation | |
Include the date of the risk assessment in the risk treatment plan. CC ID 16321 | Audits and risk management | Establish/Maintain Documentation | |
Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 | Audits and risk management | Audits and Risk Management | |
Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 | Audits and risk management | Audits and Risk Management | |
Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 | Audits and risk management | Audits and Risk Management | |
Include the risk treatment strategy in the risk treatment plan. CC ID 12159 | Audits and risk management | Establish/Maintain Documentation | |
Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 | Audits and risk management | Establish/Maintain Documentation | |
Include change control processes in the risk treatment plan. CC ID 11981 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 | Audits and risk management | Establish/Maintain Documentation | |
Include the implemented risk management controls in the risk treatment plan. CC ID 11979 | Audits and risk management | Establish/Maintain Documentation | |
Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 | Audits and risk management | Establish/Maintain Documentation | |
Include risk assessment results in the risk treatment plan. CC ID 11978 | Audits and risk management | Establish/Maintain Documentation | |
Include a description of usage in the risk treatment plan. CC ID 11977 | Audits and risk management | Establish/Maintain Documentation | |
Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 | Audits and risk management | Communicate | |
Approve the risk treatment plan. CC ID 13495 | Audits and risk management | Audits and Risk Management | |
Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 | Audits and risk management | Establish/Maintain Documentation | |
Review and approve the risk assessment findings. CC ID 06485 | Audits and risk management | Establish/Maintain Documentation | |
Include risk responses in the risk management program. CC ID 13195 | Audits and risk management | Establish/Maintain Documentation | |
Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 | Audits and risk management | Business Processes | |
Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 | Audits and risk management | Establish/Maintain Documentation | |
Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 | Audits and risk management | Establish/Maintain Documentation | |
Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity risk management program. CC ID 16827 | Audits and risk management | Audits and Risk Management | |
Include a commitment to continuous improvement in the cybersecurity risk management program. CC ID 16839 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity risk management program. CC ID 16831 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a cybersecurity risk management policy. CC ID 16834 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management policy to interested personnel and affected parties. CC ID 16832 | Audits and risk management | Communicate | |
Disseminate and communicate the cybersecurity risk management program to interested personnel and affected parties. CC ID 16829 | Audits and risk management | Communicate | |
Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32] | Audits and risk management | Establish/Maintain Documentation | |
Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 | Audits and risk management | Establish/Maintain Documentation | |
Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the cybersecurity risk management strategy to interested personnel and affected parties. CC ID 16825 | Audits and risk management | Communicate | |
Evaluate the cyber insurance market. CC ID 12695 | Audits and risk management | Business Processes | |
Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 | Audits and risk management | Business Processes | |
Acquire cyber insurance, as necessary. CC ID 12693 | Audits and risk management | Business Processes | |
Establish, implement, and maintain a cybersecurity supply chain risk management program. CC ID 16826 | Audits and risk management | Establish/Maintain Documentation | |
Establish, implement, and maintain cybersecurity supply chain risk management procedures. CC ID 16830 | Audits and risk management | Establish/Maintain Documentation | |
Monitor the effectiveness of the cybersecurity supply chain risk management program. CC ID 16828 | Audits and risk management | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 | Audits and risk management | Establish/Maintain Documentation | |
Include compliance requirements in the supply chain risk management policy. CC ID 14711 | Audits and risk management | Establish/Maintain Documentation | |
Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 | Audits and risk management | Establish/Maintain Documentation | |
Include management commitment in the supply chain risk management policy. CC ID 14709 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 | Audits and risk management | Establish/Maintain Documentation | |
Include the scope in the supply chain risk management policy. CC ID 14707 | Audits and risk management | Establish/Maintain Documentation | |
Include the purpose in the supply chain risk management policy. CC ID 14706 | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 | Audits and risk management | Communicate | |
Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 | Audits and risk management | Establish/Maintain Documentation | |
Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 | Audits and risk management | Establish/Maintain Documentation | |
Include dates in the supply chain risk management plan. CC ID 15617 | Audits and risk management | Establish/Maintain Documentation | |
Include implementation milestones in the supply chain risk management plan. CC ID 15615 | Audits and risk management | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 | Audits and risk management | Establish/Maintain Documentation | |
Include supply chain risk management procedures in the risk management program. CC ID 13190 [Institutions and payment institutions, taking into account the principle of proportionality in line with Section 1, should identify, assess, monitor and manage all risks resulting from arrangements with third parties to which they are or might be exposed, regardless of whether or not those arrangements are outsourcing arrangements. The risks, in particular the operational risks, of all arrangements with third parties, including the ones referred to in paragraphs 26 and 28, should be assessed in line with Section 12.2. 4.5 33 Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. 4.14 103 When outsourcing, institutions and payment institutions should at least ensure that: the risks related to current and planned outsourcing arrangements are adequately identified, assessed, managed and mitigated, including risks related to ICT and financial technology (fintech); 4.6 40(c)] | Audits and risk management | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 | Audits and risk management | Communicate | |
Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)] | Audits and risk management | Human Resources Management | |
Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 | Audits and risk management | Communicate | |
Establish, implement, and maintain a business continuity program. CC ID 13210 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a continuity framework. CC ID 00732 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 [Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a continuity plan. CC ID 00752 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48 {business continuity testing} reviewing all other relevant information received from the service provider, including reports on business continuity measures and testing. 4.14 104(c) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the business continuity measures; and 4.7 44(c)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 [Business continuity plans should take into account the possible event that the quality of the provision of the outsourced critical or important function deteriorates to an unacceptable level or fails. Such plans should also take into account the potential impact of the insolvency or other failures of service providers and, where relevant, political risks in the service provider's jurisdiction. 4.9 49 {be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain a recovery plan. CC ID 13288 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Establish, implement, and maintain system continuity plan strategies. CC ID 00735 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Review and prioritize the importance of each business unit. CC ID 01165 | Operational and Systems Continuity | Systems Continuity | |
Review and prioritize the importance of each business process. CC ID 11689 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Document the mean time to failure for system components. CC ID 10684 | Operational and Systems Continuity | Systems Continuity | |
Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 | Operational and Systems Continuity | Audits and Risk Management | |
Establish, implement, and maintain a critical third party list. CC ID 06815 [If sub-outsourcing of critical or important functions is permitted, institutions and payment institutions should determine whether the part of the function to be sub-outsourced is, as such, critical or important (i.e. a material part of the critical or important function) and, if so, record it in the register. 4.13.1 77] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 | Operational and Systems Continuity | Behavior | |
Validate information security continuity controls regularly. CC ID 12008 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)] | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain a business continuity plan testing program. CC ID 14829 | Operational and Systems Continuity | Testing | |
Establish, implement, and maintain a continuity test plan. CC ID 04896 [When developing exit strategies, institutions and payment institutions should: define success criteria for the transition of outsourced functions and data; and 4.15 108(d)] | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include success criteria for testing the plan in the continuity test plan. CC ID 14877 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include recovery procedures in the continuity test plan. CC ID 14876 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test scripts in the continuity test plan. CC ID 14875 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test objectives and scope of testing in the continuity test plan. CC ID 14874 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include the succession plan in the continuity test plan, as necessary. CC ID 14401 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include contact information in the continuity test plan. CC ID 14399 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include testing all system components in the continuity test plan. CC ID 13508 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test scenarios in the continuity test plan. CC ID 13506 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 | Operational and Systems Continuity | Testing | |
Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 | Operational and Systems Continuity | Testing | |
Validate the emergency communications procedures during continuity plan tests. CC ID 12777 | Operational and Systems Continuity | Testing | |
Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 [{establish and maintain} Institutions, in line with the requirements under Article 85(2) of Directive 2013/36/EU and Title VI of the EBA Guidelines on internal governance, and payment institutions should have in place, maintain and periodically test appropriate business continuity plans with regard to outsourced critical or important functions. Institutions and payment institutions within a group or institutional protection scheme may rely on centrally established business continuity plans regarding their outsourced functions. 4.9 48] | Operational and Systems Continuity | Testing | |
Validate the evacuation plans during continuity plan tests. CC ID 12760 | Operational and Systems Continuity | Testing | |
Include predefined goals and realistic conditions during off-site testing. CC ID 01175 | Operational and Systems Continuity | Establish/Maintain Documentation | |
Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 | Operational and Systems Continuity | Testing | |
Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 [{be inadequate} The assessment should include, where appropriate, scenarios of possible risk events, including high-severity operational risk events. Within the scenario analysis, institutions and payment institutions should assess the potential impact of failed or inadequate services, including the risks caused by processes, systems, people or external events. Institutions and payment institutions, taking into account the principle of proportionality referred to in Section 1, should document the analysis performed and their results and should estimate the extent to which the outsourcing arrangement would increase or decrease their operational risk. Taking into account Title I, small and non-complex institutions and payment institutions may use qualitative risk assessment approaches, while large or complex institutions should have a more sophisticated approach, including, where available, the use of internal and external loss data to inform the scenario analysis. 4.12.2 65] | Operational and Systems Continuity | Actionable Reports or Measurements | |
Approve the continuity plan test results. CC ID 15718 | Operational and Systems Continuity | Systems Continuity | |
Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a)] | Human Resources management | Establish Roles | |
Define and assign the head of Information Security's roles and responsibilities. CC ID 06091 | Human Resources management | Establish Roles | |
Establish, implement, and maintain a security operations center. CC ID 14762 | Human Resources management | Human Resources Management | |
Define the scope for the security operations center. CC ID 15713 | Human Resources management | Establish/Maintain Documentation | |
Designate an alternate for each organizational leader. CC ID 12053 | Human Resources management | Human Resources Management | |
Limit the activities performed as a proxy to an organizational leader. CC ID 12054 | Human Resources management | Behavior | |
Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program. CC ID 13112 | Human Resources management | Human Resources Management | |
Define and assign the Board of Directors' roles and responsibilities and senior management's roles and responsibilities, including signing off on key policies and procedures. CC ID 00807 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the responsibilities of the management body in line with paragraph 36, including its involvement, as appropriate, in the decision-making on outsourcing of critical or important functions; 4.7 42(a) {be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)] | Human Resources management | Establish Roles | |
Establish and maintain board committees, as necessary. CC ID 14789 | Human Resources management | Human Resources Management | |
Define and assign the roles and responsibilities of the chairman of the board. CC ID 14786 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of C-level executives to the Board of Directors. CC ID 14784 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain candidate selection procedures for the board of directors. CC ID 14782 | Human Resources management | Establish/Maintain Documentation | |
Include the criteria of mixed experiences and skills in the candidate selection procedures. CC ID 14791 | Human Resources management | Establish/Maintain Documentation | |
Assign oversight of the financial management program to the board of directors. CC ID 14781 | Human Resources management | Human Resources Management | |
Assign senior management to the role of supporting Quality Management. CC ID 13692 | Human Resources management | Human Resources Management | |
Assign senior management to the role of authorizing official. CC ID 14238 | Human Resources management | Establish Roles | |
Assign members who are independent from management to the Board of Directors. CC ID 12395 | Human Resources management | Human Resources Management | |
Assign ownership of risks to the Board of Directors or senior management. CC ID 13662 | Human Resources management | Human Resources Management | |
Assign the organization's board and senior management to oversee the continuity planning process. CC ID 12991 | Human Resources management | Human Resources Management | |
Define and assign board committees, as necessary. CC ID 14787 | Human Resources management | Human Resources Management | |
Define and assign risk committees, as necessary. CC ID 14795 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a board committee charter, as necessary. CC ID 14802 | Human Resources management | Establish/Maintain Documentation | |
Define and assign audit committees, as necessary. CC ID 14788 | Human Resources management | Human Resources Management | |
Include members with experience in audit practices, financial reporting, and accounting in the audit committee. CC ID 14796 | Human Resources management | Human Resources Management | |
Define and assign compensation committees, as necessary. CC ID 14793 | Human Resources management | Human Resources Management | |
Define and assign the Chief Information Officer's roles and responsibilities. CC ID 00808 | Human Resources management | Establish Roles | |
Define and assign the network administrator's roles and responsibilities. CC ID 16363 | Human Resources management | Human Resources Management | |
Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809 | Human Resources management | Establish Roles | |
Define and assign the Data Protection Officer's roles and responsibilities. CC ID 16525 | Human Resources management | Human Resources Management | |
Define and assign the business unit manager's roles and responsibilities. CC ID 00810 | Human Resources management | Establish Roles | |
Define and assign the Facility Security Officer's roles and responsibilities. CC ID 01887 | Human Resources management | Establish Roles | |
Define and assign the Chief Risk Officer's roles and responsibilities. CC ID 14333 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for network management. CC ID 13128 | Human Resources management | Human Resources Management | |
Define and assign the technology security leader's roles and responsibilities. CC ID 01897 | Human Resources management | Establish Roles | |
Define and assign the security staff roles and responsibilities. CC ID 11750 | Human Resources management | Establish/Maintain Documentation | |
Define and assign the authorized representatives' roles and responsibilities. CC ID 15033 | Human Resources management | Human Resources Management | |
Define and assign the property management leader's roles and responsibilities. CC ID 00669 | Human Resources management | Establish Roles | |
Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697 | Human Resources management | Establish Roles | |
Define and assign the Privacy Officer's roles and responsibilities. CC ID 00714 | Human Resources management | Establish Roles | |
Define and assign critical facility management personnel's roles and responsibilities. CC ID 06381 | Human Resources management | Establish Roles | |
Define the objectives and extent of outsourcing operational roles and responsibilities. CC ID 06383 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: overseeing the day-to-day management of the institution or payment institution, including the management of all risks associated with outsourcing; and 4.6 36(e)] | Human Resources management | Establish/Maintain Documentation | |
Define and assign the Chief Security Officer's roles and responsibilities. CC ID 06431 | Human Resources management | Establish Roles | |
Establish and maintain an Information Technology steering committee. CC ID 12706 | Human Resources management | Human Resources Management | |
Assign the Information Technology steering committee to report to senior management. CC ID 12731 | Human Resources management | Human Resources Management | |
Convene the Information Technology steering committee, as necessary. CC ID 12730 | Human Resources management | Human Resources Management | |
Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 | Human Resources management | Human Resources Management | |
Assign a contact person to all business units. CC ID 07144 | Human Resources management | Establish Roles | |
Define and assign the assessment team's roles and responsibilities. CC ID 08890 | Human Resources management | Business Processes | |
Assign the role of Risk Assessment Manager to applicable controls. CC ID 12143 | Human Resources management | Human Resources Management | |
Assign the Risk Assessment manager the duty of reporting risk assessment results to organizational management. CC ID 12152 | Human Resources management | Human Resources Management | |
Refrain from allocating temporary staff to perform sensitive jobs absent the presence and control of authorized permanent staff. CC ID 12299 | Human Resources management | Human Resources Management | |
Define and assign workforce roles and responsibilities. CC ID 13267 | Human Resources management | Human Resources Management | |
Define and assign roles and responsibilities for dispute resolution. CC ID 13626 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the identification, assessment and management of conflicts of interest; 4.6 36(c)] | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a personnel management program. CC ID 14018 | Human Resources management | Establish/Maintain Documentation | |
Establish, implement, and maintain a personnel security program. CC ID 10628 | Human Resources management | Establish/Maintain Documentation | |
Assign security clearance procedures to qualified personnel. CC ID 06812 | Human Resources management | Establish Roles | |
Assign personnel screening procedures to qualified personnel. CC ID 11699 | Human Resources management | Establish Roles | |
Establish, implement, and maintain personnel screening procedures. CC ID 11700 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal identification check during personnel screening. CC ID 06721 | Human Resources management | Human Resources Management | |
Perform a criminal records check during personnel screening. CC ID 06643 | Human Resources management | Establish/Maintain Documentation | |
Include all residences in the criminal records check. CC ID 13306 | Human Resources management | Process or Activity | |
Document any reasons a full criminal records check could not be performed. CC ID 13305 | Human Resources management | Establish/Maintain Documentation | |
Perform a personal references check during personnel screening. CC ID 06645 | Human Resources management | Human Resources Management | |
Perform a credit check during personnel screening. CC ID 06646 | Human Resources management | Human Resources Management | |
Perform an academic records check during personnel screening. CC ID 06647 | Human Resources management | Establish/Maintain Documentation | |
Perform a drug test during personnel screening. CC ID 06648 | Human Resources management | Testing | |
Perform a resume check during personnel screening. CC ID 06659 | Human Resources management | Human Resources Management | |
Perform a curriculum vitae check during personnel screening. CC ID 06660 | Human Resources management | Human Resources Management | |
Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 | Human Resources management | Human Resources Management | |
Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 | Human Resources management | Communicate | |
Perform personnel screening procedures, as necessary. CC ID 11763 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain security clearance procedures. CC ID 00783 | Human Resources management | Establish/Maintain Documentation | |
Perform security clearance procedures, as necessary. CC ID 06644 | Human Resources management | Human Resources Management | |
Establish and maintain security clearances. CC ID 01634 | Human Resources management | Human Resources Management | |
Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406 | Operational management | Establish/Maintain Documentation | |
Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 [allocate sufficient resources to ensure compliance with all legal and regulatory requirements, including these guidelines and the documentation and monitoring of all outsourcing arrangements; 4.6 38(b) have sufficient resources and capacities to ensure compliance with points (a) to (c). 4.6 39(d)] | Operational management | Acquisition/Sale of Assets or Services | |
Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523 [{be responsible} {be accountable} The management body is at all times fully responsible and accountable for at least: the internal organisation of the institution or the payment institution; 4.6 36(b)] | Operational management | Human Resources Management | |
Establish, implement, and maintain an internal control framework. CC ID 00820 [{be able} {cyber security} In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title I, payment institutions should also have internal ICT control mechanisms, including ICT security control and mitigation measures. 4.13.3 94] | Operational management | Establish/Maintain Documentation | |
Define the scope for the internal control framework. CC ID 16325 | Operational management | Business Processes | |
Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 | Operational management | Establish Roles | |
Assign resources to implement the internal control framework. CC ID 00816 | Operational management | Business Processes | |
Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 | Operational management | Establish Roles | |
Establish, implement, and maintain a baseline of internal controls. CC ID 12415 | Operational management | Business Processes | |
Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 | Operational management | Establish/Maintain Documentation | |
Include the implementation status of controls in the baseline of internal controls. CC ID 16128 | Operational management | Establish/Maintain Documentation | |
Leverage actionable information to support internal controls. CC ID 12414 | Operational management | Business Processes | |
Include procedures for continuous quality improvement in the internal control framework. CC ID 00819 | Operational management | Establish/Maintain Documentation | |
Include continuous service account management procedures in the internal control framework. CC ID 13860 | Operational management | Establish/Maintain Documentation | |
Include threat assessment in the internal control framework. CC ID 01347 | Operational management | Establish/Maintain Documentation | |
Automate threat assessments, as necessary. CC ID 06877 | Operational management | Configuration | |
Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 | Operational management | Establish/Maintain Documentation | |
Automate vulnerability management, as necessary. CC ID 11730 | Operational management | Configuration | |
Include personnel security procedures in the internal control framework. CC ID 01349 | Operational management | Establish/Maintain Documentation | |
Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 | Operational management | Establish/Maintain Documentation | |
Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 | Operational management | Establish/Maintain Documentation | |
Include security information sharing procedures in the internal control framework. CC ID 06489 | Operational management | Establish/Maintain Documentation | |
Share security information with interested personnel and affected parties. CC ID 11732 | Operational management | Communicate | |
Evaluate information sharing partners, as necessary. CC ID 12749 | Operational management | Process or Activity | |
Include security incident response procedures in the internal control framework. CC ID 01359 | Operational management | Establish/Maintain Documentation | |
Include incident response escalation procedures in the internal control framework. CC ID 11745 | Operational management | Establish/Maintain Documentation | |
Include continuous user account management procedures in the internal control framework. CC ID 01360 | Operational management | Establish/Maintain Documentation | |
Authorize and document all exceptions to the internal control framework. CC ID 06781 | Operational management | Establish/Maintain Documentation | |
Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 | Operational management | Communicate | |
Implement and comply with the Governance, Risk, and Compliance framework. CC ID 00818 [{be adequate} In accordance with Article 109 (2) of Directive 2013/36/EU, these guidelines should also apply on a sub-consolidated and consolidated basis, taking into account the prudential scope of consolidation. For this purpose, the EU parent undertakings or the parent undertaking in a Member State should ensure that internal governance arrangements, processes and mechanisms in their subsidiaries, including payment institutions, are consistent, well integrated and adequate for the effective application of these guidelines at all relevant levels. 4.2 21] | Operational management | Business Processes | |
Analyze how policies used to create management boundaries relate to the Governance, Risk, and Compliance approach. CC ID 12821 | Operational management | Process or Activity | |
Analyze how the organization sets limits in policies relating to the Governance, Risk, and Compliance approach. CC ID 12819 | Operational management | Process or Activity | |
Analyze how the Board of Directors' and senior management's tone influences the Governance, Risk, and Compliance approach. CC ID 12818 | Operational management | Process or Activity | |
Analyze the degree to which the governing body is engaged in the Governance, Risk, and Compliance approach. CC ID 12817 | Operational management | Process or Activity | |
Analyze the Governance, Risk, and Compliance approach. CC ID 12816 | Operational management | Process or Activity | |
Analyze the organizational culture. CC ID 12899 | Operational management | Process or Activity | |
Include employee engagement in the analysis of the organizational culture. CC ID 12914 | Operational management | Behavior | |
Include contractual relationships with workforce members in the analysis of the organizational culture. CC ID 15674 | Operational management | Business Processes | |
Include the number of workforce members who are not employees in the analysis of the organizational culture. CC ID 15673 | Operational management | Business Processes | |
Include the type of work performed by workforce members in the analysis of the organizational culture. CC ID 15675 | Operational management | Business Processes | |
Include skill development in the analysis of the organizational culture. CC ID 12913 | Operational management | Behavior | |
Include employee turnover rates in the analysis of the organizational culture. CC ID 12912 | Operational management | Behavior | |
Include demographic characteristics of employees in the analysis of the organizational culture. CC ID 15671 | Operational management | Business Processes | |
Include employee loyalty in the analysis of the organizational culture. CC ID 12911 | Operational management | Behavior | |
Include employee satisfaction in the analysis of the organizational culture. CC ID 12910 | Operational management | Behavior | |
Comply with all implemented policies in the organization's compliance framework. CC ID 06384 [Institutions and payment institutions that are subsidiaries of an EU parent undertaking or of a parent undertaking in a Member State to which no waivers have been granted on the basis of Article 21 of Directive 2013/36/EU or Article 109(1) of Directive 2013/36/EU in conjunction with Article 7 of Regulation (EU) No 575/2013 should ensure that they comply with these Guidelines on an individual basis. 4.2 25 Institutions, payment institutions and competent authorities should, when complying or supervising compliance with these guidelines, have regard to the principle of proportionality. The proportionality principle aims to ensure that governance arrangements, including those related to outsourcing, are consistent with the individual risk profile, the nature and business model of the institution or payment institution, and the scale and complexity of their activities so that the objectives of the regulatory requirements are effectively achieved. 4.1 18 {third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34 The management body is at all times fully responsible and accountable for at least: ensuring that the institution or payment institution meets on an ongoing basis the conditions with which it must comply to remain authorised, including any conditions imposed by the competent authority; 4.6 36(a) {remain responsible} {be accountable} The outsourcing of functions cannot result in the delegation of the management body's responsibilities. Institutions and payment institutions remain fully responsible and accountable for complying with all of their regulatory obligations, including the ability to oversee the outsourcing of critical or important functions. 4.6 35 meet all the conditions of their authorisation at all times, including the management body effectively carrying out its responsibilities as set out in paragraph 36 of these guidelines; 4.6 39(a)] | Operational management | Establish/Maintain Documentation | |
Provide assurance to interested personnel and affected parties that the Governance, Risk, and Compliance capability is reliable, effective, efficient, and responsive. CC ID 12788 | Operational management | Communicate | |
Review systems for compliance with organizational information security policies. CC ID 12004 | Operational management | Business Processes | |
Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties. CC ID 00815 | Operational management | Behavior | |
Establish, implement, and maintain a Service Management System. CC ID 13889 | Operational management | Business Processes | |
Establish, implement, and maintain a service management program. CC ID 11388 | Operational management | Establish/Maintain Documentation | |
Include the change management policy in the service management program. CC ID 13923 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii)] | Operational management | Establish/Maintain Documentation | |
Assign roles and responsibilities in the service management program. CC ID 11393 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b) When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c) clearly assign the responsibilities for the documentation, management and control of outsourcing arrangements; 4.6 38(a)] | Operational management | Establish/Maintain Documentation | |
Include all resources needed to achieve the objectives in the service management program. CC ID 11394 [When developing exit strategies, institutions and payment institutions should: assign roles, responsibilities and sufficient resources to manage exit plans and the transition of activities; 4.15 108(c)] | Operational management | Establish/Maintain Documentation | |
Include service management procedures in the service management program. CC ID 11396 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the criteria, including those referred to in Section 4, and processes for identifying critical or important functions; 4.7 42(c)(ii)] | Operational management | Establish/Maintain Documentation | |
Include continuity plans in the Service Management program. CC ID 13919 [identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain a Service Level Agreement framework. CC ID 00839 [When outsourcing, institutions and payment institutions should at least ensure that: they maintain the orderliness of the conduct of their business and the banking and payment services they provide; 4.6 40(b)] | Operational management | Establish/Maintain Documentation | |
Include exceptions in the Service Level Agreements, as necessary. CC ID 13912 | Operational management | Establish/Maintain Documentation | |
Include the organizational structure for service level management in the Service Level Agreement framework. CC ID 13633 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the involvement of business lines, internal control functions and other individuals in respect of outsourcing arrangements; 4.7 42(b) {organizational structure} retain a clear and transparent organisational framework and structure that enables them to ensure compliance with legal and regulatory requirements; 4.6 39(b)] | Operational management | Establish/Maintain Documentation | |
Include the security mechanisms of network services in the Service Level Agreement. CC ID 12023 | Operational management | Establish/Maintain Documentation | |
Include capacity planning in Service Level Agreements. CC ID 13096 | Operational management | Establish/Maintain Documentation | |
Include Operational Level Agreements within Service Level Agreements, as necessary. CC ID 13631 | Operational management | Establish/Maintain Documentation | |
Include funding sources in Service Level Agreements, as necessary. CC ID 13632 | Operational management | Establish/Maintain Documentation | |
Include business requirements of delivered services in the Service Level Agreement. CC ID 00840 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the definition of business requirements regarding outsourcing arrangements; 4.7 42(c)(i)] | Operational management | Establish/Maintain Documentation | |
Include the management requirements for network services in the Service Level Agreement. CC ID 12025 | Operational management | Establish/Maintain Documentation | |
Include notification requirements in the service level agreement. CC ID 16675 | Operational management | Establish/Maintain Documentation | |
Include performance requirements in the Service Level Agreement. CC ID 00841 | Operational management | Establish/Maintain Documentation | |
Include the service levels for network services in the Service Level Agreement. CC ID 12024 | Operational management | Establish/Maintain Documentation | |
Include the consequences for failure to meet service levels in Service Level Agreements. CC ID 15698 | Operational management | Establish/Maintain Documentation | |
Include availability requirements in Service Level Agreements. CC ID 13095 | Operational management | Establish/Maintain Documentation | |
Establish and maintain a service catalog. CC ID 13634 | Operational management | Establish/Maintain Documentation | |
Include a service description in the service catalog. CC ID 13917 | Operational management | Establish/Maintain Documentation | |
Assign unique reference numbers to all services in the service catalog. CC ID 14424 [The register should include at least the following information for all existing outsourcing arrangements: a reference number for each outsourcing arrangement; 4.11 54(a)] | Operational management | Establish/Maintain Documentation | |
Include relationships and dependencies between services in the service catalog, as necessary. CC ID 13914 [{outsourcing arrangements} {time sensitive operation} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether the outsourced critical or important function supports business operations that are time-critical; 4.11 55(j) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: an outcome of the assessment of the service provider's substitutability (as easy, difficult or impossible), the possibility of reintegrating a critical or important function into the institution or the payment institution or the impact of discontinuing the critical or important function; 4.11 55(h)] | Operational management | Establish/Maintain Documentation | |
Categorize services in the service catalog. CC ID 14419 | Operational management | Establish/Maintain Documentation | |
Refrain from categorizing services as outsourced in the service catalog, as necessary. CC ID 14426 [As a general principle, institutions and payment institutions should not consider the following as outsourcing: a function that is legally required to be performed by a service provider, e.g. statutory audit; 4.3 28(a) As a general principle, institutions and payment institutions should not consider the following as outsourcing: global network infrastructures (e.g. Visa, MasterCard); 4.3 28(c) As a general principle, institutions and payment institutions should not consider the following as outsourcing: correspondent banking services; and 4.3 28(f) As a general principle, institutions and payment institutions should not consider the following as outsourcing: the acquisition of services that would otherwise not be undertaken by the institution or payment institution (e.g. advice from an architect, providing legal opinion and representation in front of the court and administrative bodies, cleaning, gardening and maintenance of the institution's or payment institution's premises, medical services, servicing of company cars, catering, vending machine services, clerical services, travel services, post-room services, receptionists, secretaries and switchboard operators), goods (e.g. plastic cards, card readers, office supplies, personal computers, furniture) or utilities (e.g. electricity, gas, water, telephone line). 4.3 28(g) As a general principle, institutions and payment institutions should not consider the following as outsourcing: clearing and settlement arrangements between clearing houses, central counterparties and settlement institutions and their members; 4.3 28(d) As a general principle, institutions and payment institutions should not consider the following as outsourcing: market information services (e.g. provision of data by Bloomberg, Moody's, Standard & Poor's, Fitch); 4.3 28(b) As a general principle, institutions and payment institutions should not consider the following as outsourcing: global financial messaging infrastructures that are subject to oversight by relevant authorities; 4.3 28(e)] | Operational management | Establish/Maintain Documentation | |
Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
Determine how long to keep records and logs before disposing of them. CC ID 11661 | Records management | Process or Activity | |
Retain records in accordance with applicable requirements. CC ID 00968 [{outsourcing arrangements} Taking into account Title I of these guidelines, and under the conditions set out in paragraph 23(d), for institutions and payment institutions within a group, institutions permanently affiliated to a central body or institutions that are members of the same institutional protection scheme, the register may be kept centrally. 4.11 53] | Records management | Records Management | |
Establish, implement, and maintain records management procedures. CC ID 11619 | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain authorization records. CC ID 14367 | Records management | Establish/Maintain Documentation | |
Include the reasons for granting the authorization in the authorization records. CC ID 14371 | Records management | Establish/Maintain Documentation | |
Include the date and time the authorization was granted in the authorization records. CC ID 14370 | Records management | Establish/Maintain Documentation | |
Include the person's name who approved the authorization in the authorization records. CC ID 14369 [For the outsourcing of critical or important functions, the register should include at least the following additional information: the individual or decision-making body (e.g. the management body) in the institution or the payment institution that approved the outsourcing arrangement; 4.11 55(d)] | Records management | Establish/Maintain Documentation | |
Establish, implement, and maintain electronic health records. CC ID 14436 | Records management | Data and Information Management | |
Include Individually Identifiable Health Information in the patient's electronic health record. CC ID 14437 | Records management | Data and Information Management | |
Review and update Individually Identifiable Health Information in the patient's electronic health records, as necessary. CC ID 14438 | Records management | Records Management | |
Display required information automatically in electronic health records. CC ID 14442 | Records management | Process or Activity | |
Create summary of care records in accordance with applicable standards. CC ID 14440 | Records management | Establish/Maintain Documentation | |
Provide the patient with a summary of care record, as necessary. CC ID 14441 | Records management | Actionable Reports or Measurements | |
Create export summaries, as necessary. CC ID 14446 | Records management | Process or Activity | |
Import data files into a patient's electronic health record. CC ID 14448 | Records management | Data and Information Management | |
Export requested sections of the electronic health record. CC ID 14447 | Records management | Data and Information Management | |
Establish and maintain an implantable device list. CC ID 14444 | Records management | Records Management | |
Display the implantable device list to authorized users. CC ID 14445 | Records management | Data and Information Management | |
Establish, implement, and maintain decision support interventions. CC ID 14443 | Records management | Business Processes | |
Include attributes in the decision support intervention. CC ID 16766 | Records management | Data and Information Management | |
Establish, implement, and maintain a recordkeeping system. CC ID 15709 | Records management | Records Management | |
Log the termination date in the recordkeeping system. CC ID 16181 | Records management | Records Management | |
Log the name of the requestor in the recordkeeping system. CC ID 15712 | Records management | Records Management | |
Log the date and time each item is accessed in the recordkeeping system. CC ID 15711 | Records management | Records Management | |
Log records as being received into the recordkeeping system. CC ID 11696 | Records management | Records Management | |
Log the date and time each item is received into the recordkeeping system. CC ID 11709 | Records management | Log Management | |
Log the date and time each item is made available into the recordkeeping system. CC ID 11710 | Records management | Log Management | |
Log the number of routine items received into the recordkeeping system. CC ID 11701 | Records management | Establish/Maintain Documentation | |
Log the number of routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11707 | Records management | Log Management | |
Log the number of routine items received during the month that were turned around in the recordkeeping system. CC ID 11705 | Records management | Log Management | |
Log the number of routine items received during the month that were not turned around within three business days of receipt in the recordkeeping system. CC ID 11703 | Records management | Log Management | |
Log the date and time when a notice of refusal to perform the registrar function is received in the recordkeeping system. CC ID 11711 | Records management | Log Management | |
Log inquiries concerning items in the recordkeeping system, annotating the date received. CC ID 11718 | Records management | Log Management | |
Log responses to inquiries, annotating the send date for each response into the recordkeeping system. CC ID 11719 | Records management | Log Management | |
Log the number of non-routine items received into the recordkeeping system. CC ID 11706 | Records management | Log Management | |
Log the documentation of determination that items received are not routine into the recordkeeping system. CC ID 11716 | Records management | Log Management | |
Log the number of non-routine items in the organization's possession at the close of business for the month in the recordkeeping system. CC ID 11708 | Records management | Log Management | |
Log the number of non-routine items received during the month that were turned around in the recordkeeping system. CC ID 11704 | Records management | Log Management | |
Log performance monitoring into the recordkeeping system. CC ID 11724 | Records management | Log Management | |
Log the number of inquiries pending as of the close of business into the recordkeeping system. CC ID 11728 | Records management | Log Management | |
Log the number of inquiries received but not responded to within the required time frame into the recordkeeping system. CC ID 11727 | Records management | Log Management | |
Establish, implement, and maintain a transfer journal. CC ID 11729 | Records management | Records Management | |
Log any notices filed by the organization into the recordkeeping system. CC ID 11725 | Records management | Log Management | |
Log telephone responses into a telephone log, annotating the date of each response, in the recordkeeping system. CC ID 11723 | Records management | Log Management | |
Log the date each certificate is made available to interested personnel and affected parties into the recordkeeping system. CC ID 11720 | Records management | Log Management | |
Log the number of items not processed within the required time frame into the recordkeeping system. CC ID 11717 | Records management | Log Management | |
Provide a receipt of records logged into the recordkeeping system. CC ID 11697 | Records management | Records Management | |
Log the appointments and termination of appointments of registered transfer agents into the recordkeeping system. CC ID 11712 | Records management | Log Management | |
Log any stop orders or notices of adverse claims into the recordkeeping system. CC ID 11726 | Records management | Log Management | |
Log the number of items processed within the required time frame into the recordkeeping system. CC ID 11715 | Records management | Log Management | |
Establish, implement, and maintain payment and settlement functions for selling products and services. CC ID 13538 [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: whether the outsourcing arrangement is directly connected to the provision of banking activities or payment services for which they are authorised; 4.4 31(a) {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when they intend to outsource functions of banking activities or payment services to an extent that would require authorisation by a competent authority, as referred to in Section 12.1. 4.4 29(c) {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a) Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in the same or another Member State takes place only if one of the following conditions is met: the service provider is authorised or registered by a competent authority to perform such banking activities or payment services; or 4.12.1 62(a)] | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain expedited recredit procedures. CC ID 13574 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Establish, implement, and maintain payment systems. CC ID 13539 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Document the business need justification for payment page scripts. CC ID 15480 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Establish, implement, and maintain an inventory of payment page scripts. CC ID 15467 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain retail payment activities supporting the retail payment system, as necessary. CC ID 13540 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Employ Remote Deposit Capture systems, as necessary. CC ID 13570 | Acquisition or sale of facilities, technology, and services | Configuration | |
Include liquidity plans in the payment and settlement functions. CC ID 16722 | Acquisition or sale of facilities, technology, and services | Process or Activity | |
Establish, implement, and maintain an electronic commerce program. CC ID 08617 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Define risk levels for Automated Clearing House activities, as necessary. CC ID 13542 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Determine Automated Clearing House exposure limits, as necessary. CC ID 13549 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain payment transaction security measures. CC ID 13088 | Acquisition or sale of facilities, technology, and services | Technical Security | |
Establish, implement, and maintain a list of approved third parties for payment transactions. CC ID 16349 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Restrict transaction activities, as necessary. CC ID 16334 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Notify affected parties prior to initiating high-risk funds transfer transactions. CC ID 13687 | Acquisition or sale of facilities, technology, and services | Communicate | |
Reset transaction limits to zero after no activity within N* time period, as necessary. CC ID 13683 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Preset transaction limits for high-risk funds transfers, as necessary. CC ID 13682 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Implement dual authorization for high-risk funds transfers, as necessary. CC ID 13671 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Establish, implement, and maintain a mobile payment acceptance security program. CC ID 12182 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Obtain cardholder authorization prior to completing payment transactions. CC ID 13108 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Encrypt electronic commerce transactions and messages. CC ID 08621 | Acquisition or sale of facilities, technology, and services | Configuration | |
Protect the integrity of application service transactions. CC ID 12017 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Include required information in electronic commerce transactions and messages. CC ID 15318 | Acquisition or sale of facilities, technology, and services | Data and Information Management | |
Establish, implement, and maintain telephone-initiated transaction security measures. CC ID 13566 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Disseminate and communicate confirmations of telephone-initiated transactions to affected parties. CC ID 13571 | Acquisition or sale of facilities, technology, and services | Communicate | |
Bill and settle electronic commerce transactions. CC ID 08622 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Notify affected parties after successful card-not-present transactions. CC ID 13668 | Acquisition or sale of facilities, technology, and services | Communicate | |
Deliver incoming and outgoing electronic commerce transactions and messages to the correct Internet Protocol address. CC ID 08620 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Disseminate and communicate transaction exceptions to consumers. CC ID 08619 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Make electronic commerce order information available to the customer who ordered the product. CC ID 04585 | Acquisition or sale of facilities, technology, and services | Data and Information Management | |
Withhold payment and settlement functions, as necessary. CC ID 15460 | Acquisition or sale of facilities, technology, and services | Business Processes | |
Obtain consent from affected parties prior to changes in payment and settlement functions. CC ID 15455 | Acquisition or sale of facilities, technology, and services | Behavior | |
Plan for acquiring facilities, technology, or services. CC ID 06892 | Acquisition or sale of facilities, technology, and services | Acquisition/Sale of Assets or Services | |
Establish, implement, and maintain system acquisition contracts. CC ID 14758 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include security requirements in system acquisition contracts. CC ID 01124 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Include operational requirements in system acquisition contracts. CC ID 00825 [{critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: when operational tasks of internal control functions are outsourced, unless the assessment establishes that a failure to provide the outsourced function or the inappropriate provision of the outsourced function would not have an adverse impact on the effectiveness of the internal control function; 4.4 29(b)] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Provide suppliers with operational requirement information needed to define required service levels in system acquisition contracts. CC ID 06890 | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836 [{not authorized} The outsourcing policy should differentiate between the following: outsourcing to service providers that are authorised by a competent authority and those that are not; 4.7 43(b)] | Acquisition or sale of facilities, technology, and services | Establish/Maintain Documentation | |
Install software that originates from approved third parties. CC ID 12184 | Acquisition or sale of facilities, technology, and services | Technical Security | |
Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
Notify the supervisory authority. CC ID 00472 [Institutions, without prejudice to Article 19(6) of Directive (EU) 2015/2366, and payment institutions should adequately inform competent authorities in a timely manner or engage in a supervisory dialogue with the competent authorities about the planned outsourcing of critical or important functions and/or where an outsourced function has become critical or important and provide at least the information specified in paragraph 54. 4.11 58 Institutions and payment institutions should inform competent authorities in a timely manner of material changes and/or severe events regarding their outsourcing arrangements that could have a material impact on the continuing provision of the institutions' or payment institutions' business activities. 4.11 59] | Privacy protection for information and data | Behavior | |
Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Institutions and payment institutions should, upon request, make available to the competent authority all information necessary to enable the competent authority to execute the effective supervision of the institution or the payment institution, including, where required, a copy of the outsourcing agreement. 4.11 57] | Privacy protection for information and data | Process or Activity | |
Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a data handling program. CC ID 13427 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data handling policies. CC ID 00353 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain data and information confidentiality policies. CC ID 00361 | Privacy protection for information and data | Establish/Maintain Documentation | |
Prohibit personal data from being sent by e-mail or instant messaging. CC ID 00565 | Privacy protection for information and data | Data and Information Management | |
Protect electronic messaging information. CC ID 12022 | Privacy protection for information and data | Technical Security | |
Establish, implement, and maintain record structures to support information confidentiality. CC ID 00360 | Privacy protection for information and data | Data and Information Management | |
Include passwords, Personal Identification Numbers, and card security codes in the personal data definition. CC ID 04699 | Privacy protection for information and data | Configuration | |
Store payment card data in secure chips, if possible. CC ID 13065 | Privacy protection for information and data | Configuration | |
Refrain from storing data elements containing sensitive authentication data after authorization is approved. CC ID 04758 | Privacy protection for information and data | Configuration | |
Render unrecoverable sensitive authentication data after authorization is approved. CC ID 11952 | Privacy protection for information and data | Technical Security | |
Automate the disposition process for records that contain "do not store" data or "delete after transaction process" data. CC ID 06083 | Privacy protection for information and data | Data and Information Management | |
Log the disclosure of personal data. CC ID 06628 | Privacy protection for information and data | Log Management | |
Log the modification of personal data. CC ID 11844 | Privacy protection for information and data | Log Management | |
Encrypt, truncate, or tokenize data fields, as necessary. CC ID 06850 | Privacy protection for information and data | Technical Security | |
Implement security measures to protect personal data. CC ID 13606 | Privacy protection for information and data | Technical Security | |
Implement physical controls to protect personal data. CC ID 00355 | Privacy protection for information and data | Testing | |
Limit data leakage. CC ID 00356 | Privacy protection for information and data | Data and Information Management | |
Identify potential red flags to alert the organization before a data leakage has occurred. CC ID 04654 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Establish, implement, and maintain Consumer Reporting Agency notification procedures. CC ID 04851 | Privacy protection for information and data | Business Processes | |
Acquire enough insurance to cover the liability for damages due to data leakage. CC ID 06408 | Privacy protection for information and data | Acquisition/Sale of Assets or Services | |
Alert appropriate personnel when data leakage is detected. CC ID 14715 | Privacy protection for information and data | Process or Activity | |
Include text about data ownership in the data handling policy. CC ID 15720 | Privacy protection for information and data | Data and Information Management | |
Establish, implement, and maintain a telephone systems usage policy. CC ID 15170 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain call metadata controls. CC ID 04790 | Privacy protection for information and data | Establish/Maintain Documentation | |
Establish, implement, and maintain de-identifying and re-identifying procedures. CC ID 07126 | Privacy protection for information and data | Data and Information Management | |
Use de-identifying code and re-identifying code that is not derived from or related to information about the data subject. CC ID 07127 | Privacy protection for information and data | Data and Information Management | |
Store de-identifying code and re-identifying code separately. CC ID 16535 | Privacy protection for information and data | Data and Information Management | |
Prevent the disclosure of de-identifying code and re-identifying code. CC ID 07128 | Privacy protection for information and data | Data and Information Management | |
Disseminate and communicate the data handling policy to all interested personnel and affected parties. CC ID 15465 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain data handling procedures. CC ID 11756 | Privacy protection for information and data | Establish/Maintain Documentation | |
Define personal data that falls under breach notification rules. CC ID 00800 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include data elements that contain an individual's name combined with account numbers or other identifying information as personal data that falls under the breach notification rules. CC ID 04662 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's legal surname prior to marriage as personal data that falls under the breach notification rules. CC ID 04669 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's date of birth as personal data that falls under the breach notification rules. CC ID 04771 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's address as personal data that falls under the breach notification rules. CC ID 04671 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's telephone number as personal data that falls under the breach notification rules. CC ID 04672 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's fingerprints as personal data that falls under the breach notification rules. CC ID 04670 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Social Security Number or Personal Identification Number as personal data that falls under the breach notification rules. CC ID 04656 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's driver's license number or an individual's state identification card number as personal data that falls under the breach notification rules. CC ID 04657 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's passport number as personal data that falls under the breach notification rules. CC ID 04774 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Alien Registration Number as personal data that falls under the breach notification rules. CC ID 04775 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Taxpayer Identification Number as personal data that falls under the breach notification rules. CC ID 04764 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number as personal data that falls under the breach notification rules. CC ID 04658 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's financial account number with associated password or password hint as personal data that falls under the breach notification rules. CC ID 04660 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's electronic identification name or number as personal data that falls under the breach notification rules. CC ID 04663 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain electronic signatures as personal data that falls under the breach notification rules. CC ID 04666 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's biometric data as personal data that falls under the breach notification rules. CC ID 04667 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's account number, password, or password hint as personal data that falls under the breach notification rules. CC ID 04668 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card information as personal data that falls under the breach notification rules. CC ID 04752 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's credit card number or an individual's debit card number as personal data that falls under the breach notification rules. CC ID 04659 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card service code as personal data that falls under the breach notification rules. CC ID 04754 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card expiration date as personal data that falls under the breach notification rules. CC ID 04756 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card full magnetic stripe data as personal data that falls under the breach notification rules. CC ID 04759 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card security codes (Card Authentication Value 2/Card Validation Code Value 2/Card Verification Value 2/Card Identification Number) as personal data that falls under the breach notification rules. CC ID 04760 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's payment card associated password or password hint as personal data that falls under the breach notification rules. CC ID 04661 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Individually Identifiable Health Information as personal data that falls under the breach notification rules. CC ID 04673 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical history as personal data that falls under the breach notification rules. CC ID 04674 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical treatment as personal data that falls under the breach notification rules. CC ID 04675 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's medical diagnosis as personal data that falls under the breach notification rules. CC ID 04676 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's mental condition or physical condition as personal data that falls under the breach notification rules. CC ID 04682 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance information as personal data that falls under the breach notification rules. CC ID 04681 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance policy number as personal data that falls under the breach notification rules. CC ID 04683 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's health insurance application and health insurance claims history (including appeals) as personal data that falls under the breach notification rules. CC ID 04684 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's employment information as personal data that falls under the breach notification rules. CC ID 04772 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's Employee Identification Number as personal data that falls under the breach notification rules. CC ID 04773 | Privacy protection for information and data | Data and Information Management | |
Include data elements that contain an individual's place of employment as personal data that falls under the breach notification rules. CC ID 04788 | Privacy protection for information and data | Data and Information Management | |
Define an out of scope privacy breach. CC ID 04677 | Privacy protection for information and data | Establish/Maintain Documentation | |
Include personal data that is publicly available information as an out of scope privacy breach. CC ID 04678 | Privacy protection for information and data | Business Processes | |
Include personal data that is encrypted or redacted as an out of scope privacy breach. CC ID 04679 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include cryptographic keys not being accessed during a privacy breach as an out of scope privacy breach. CC ID 04761 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Include any personal data that is on an encrypted mobile device as an out of scope privacy breach, if the encryption keys were not accessed and the mobile device was recovered. CC ID 04762 | Privacy protection for information and data | Monitor and Evaluate Occurrences | |
Disseminate and communicate the data handling procedures to all interested personnel and affected parties. CC ID 15466 | Privacy protection for information and data | Communicate | |
Establish, implement, and maintain a supply chain management program. CC ID 11742 [With regard to the outsourcing process, the internal audit function should at least ascertain: the appropriate monitoring and management of outsourcing arrangements. 4.10 51(e) When outsourcing, institutions and payment institutions should at least ensure that: they can take and implement decisions related to their business activities and critical or important functions, including with regard to those that have been outsourced; 4.6 40(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts. CC ID 00796 [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: the approval process of new outsourcing arrangements; 4.7 42(c)(vii) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the renewal processes; 4.7 42(d)(iv) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f) Institutions and payment institutions should ensure that the service provider appropriately oversees the sub-service providers, in line with the policy defined by the institution or payment institution. If the sub-outsourcing proposed could have material adverse effects on the outsourcing arrangement of a critical or important function or would lead to a material increase of risk, including where the conditions in paragraph 79 would not be met, the institution or payment institution should exercise its right to object to the sub-outsourcing, if such a right was agreed, and/or terminate the contract. 4.13.1 80 {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institutions internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42 {substitutability} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the ability to transfer the proposed outsourcing arrangement to another service provider, if necessary or desirable, both contractually and in practice, including the estimated risks, impediments to business continuity, costs and time frame for doing so ('substitutability'); 4.4 31(h) The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Review and update all contracts, as necessary. CC ID 11612 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document and maintain supply chain processes. CC ID 08816 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain an exit plan. CC ID 15492 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the exit plan. CC ID 15497 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Test the exit plan, as necessary. CC ID 15495 | Third Party and supply chain oversight | Testing | |
Include contingency plans in the third party management plan. CC ID 10030 [{ensure} where those institutions and payment institutions rely on an exit plan for a critical or important function that has been established at group level, within the institutional protection scheme or by the central body, all institutions and payment institutions should receive a summary of the plan and be satisfied that the plan can be effectively executed. 4.2 23(e) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the exit strategies and termination processes, including a requirement for a documented exit plan for each critical or important function to be outsourced where such an exit is considered possible taking into account possible service interruptions or the unexpected termination of an outsourcing agreement. 4.7 42(f) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: business continuity planning in accordance with Section 9; 4.7 42(c)(vi) develop and implement exit plans that are comprehensive, documented and, where appropriate, sufficiently tested (e.g. by carrying out an analysis of the potential costs, impacts, resources and timing implications of transferring an outsourced service to an alternative provider); and 4.15 107(a) Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: 4.15 106 {be able} {timely manner} When outsourcing, institutions and payment institutions should at least ensure that: with regard to the outsourcing of critical or important functions, they are able to undertake at least one of the following actions, within an appropriate time frame: reintegrate the function; or 4.6 40(f)(ii)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Refrain from placing excessive reliance on third parties that provide support for service continuity. CC ID 12768 | Third Party and supply chain oversight | Systems Continuity | |
Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist. CC ID 06505 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain software exchange agreements with all third parties. CC ID 11615 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the product or service to be provided in third party contracts. CC ID 06509 [The outsourcing agreement for critical or important functions should set out at least: a clear description of the outsourced function to be provided; 4.13 75(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the products or services fees in third party contracts. CC ID 10018 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include which parties are responsible for which fees in third party contracts. CC ID 10019 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain rules of engagement with third parties. CC ID 13994 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain information flow agreements with all third parties. CC ID 04543 [Institutions and payment institutions should monitor, on an ongoing basis, the performance of the service providers with regard to all outsourcing arrangements on a risk-based approach and with the main focus being on the outsourcing of critical or important functions, including that the availability, integrity and security of data and information is ensured. Where the risk, nature or scale of an outsourced function has materially changed, institutions and payment institutions should reassess the criticality or importance of that function in line with Section 4. 4.14 100 When outsourcing, institutions and payment institutions should at least ensure that: an appropriate flow of relevant information with service providers is maintained; 4.6 40(e)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the type of information being transmitted in the information flow agreement. CC ID 14245 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the security requirements in the information flow agreement. CC ID 14244 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the interface characteristics in the information flow agreement. CC ID 14240 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the scope and inventory of third party systems and assets being provided to the organization in third party contracts. CC ID 06528 [Where an arrangement with a service provider covers multiple functions, institutions and payment institutions should consider all aspects of the arrangement within their assessment, e.g. if the service provided includes the provision of data storage hardware and the backup of data, both aspects should be considered together. 4.3 27] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include proof of license documentation for the third parties with access to in scope systems in third party contracts. CC ID 06529 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of costs and responsibility for purchasing and maintaining hardware and software in third party contracts. CC ID 10020 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of the data or information to be covered in third party contracts. CC ID 06510 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about access, use, disclosure, and transfer of data or information in third party contracts. CC ID 11610 [The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f) The outsourcing agreement for critical or important functions should set out at least: provisions that ensure that the data that are owned by the institution or payment institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider; 4.13 75(m) With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a) When outsourcing, institutions and payment institutions should at least ensure that: where personal data are processed by service providers located in the EU and/or third countries, appropriate measures are implemented and data are processed in accordance with Regulation (EU) 2016/679. 4.6 40(g) {be able} {be necessary} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain, upon request, the information necessary to carry out their supervisory tasks pursuant to Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; 4.12.1 63(c)(i) {be able} {supervise} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: obtain appropriate access to any data, documents, premises or personnel in the third country that are relevant for the performance of their supervisory powers; 4.12.1 63(c)(ii)] | Third Party and supply chain oversight | Business Processes | |
Include text about data ownership in third party contracts. CC ID 06502 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about trade secrets and intellectual property in third party contracts. CC ID 06503 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about participation in the organization's testing programs in third party contracts. CC ID 14402 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the contract duration in third party contracts. CC ID 16221 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in third party contracts. CC ID 13487 [{data treatment} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: clearly set out the obligations of the existing service provider, in the case of a transfer of the outsourced function to another service provider or back to the institution or payment institution, including the treatment of data; 4.13.4 99(a) {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institutions internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cryptographic keys in third party contracts. CC ID 16179 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include bankruptcy provisions in third party contracts. CC ID 16519 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cybersecurity supply chain risk management requirements in third party contracts. CC ID 15646 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that organizations must meet organizational compliance requirements in third party contracts. CC ID 06506 [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34 The outsourcing agreement for critical or important functions should set out at least: the parties' financial obligations; 4.13 75(d)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's access policy as a requirement in third party contracts. CC ID 06507 [{access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89 {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b) With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's breach notification policy as a requirement in third party contracts. CC ID 06508 [Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: receive, as soon as possible, information from the supervisory authority in the third country for investigating apparent breaches of the requirements of Directive 2013/36/EU, Regulation (EU) No 575/2013, Directive (EU) 2015/2366 and Directive 2009/110/EC; and 4.12.1 63(c)(iii)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's monitoring policies as a requirement in third party contracts. CC ID 06513 [The outsourcing agreement for critical or important functions should set out at least: the obligation of the service provider to cooperate with the competent authorities and resolution authorities of the institution or payment institution, including other persons appointed by them; 4.13 75(n) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b) {supervisory authority} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the service provider is authorised or registered to provide that banking activity or payment service in the third country and is supervised by a relevant competent authority in that third country (referred to as a 'supervisory authority'); 4.12.1 63(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's incident response policy and incident notification policy in third party contracts. CC ID 06515 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about the expected actions to be taken in case of a breach of contract in third party contracts. CC ID 06504 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's privacy policy in third party contracts. CC ID 06518 [When outsourcing, institutions and payment institutions should at least ensure that: appropriate confidentiality arrangements are in place regarding data and other information; 4.6 40(d)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's media handling policy in third party contracts. CC ID 06525 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for compliance awareness in third party contracts. CC ID 06530 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's data usage policies in third party contracts. CC ID 16413 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's system hardening framework in third party contracts. CC ID 06531 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include compliance with the organization's physical access policy in third party contracts. CC ID 06878 [With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: full access to all relevant business premises (e.g. head offices and operation centres), including the full range of relevant devices, systems, networks, information and data used for providing the outsourced function, including related financial information, personnel and the service provider's external auditors ('access and information rights'); and 4.13.3 87(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a reporting structure in third party contracts. CC ID 06532 [The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include points of contact in third party contracts. CC ID 12355 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include financial reporting in third party contracts, as necessary. CC ID 13573 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include reporting to the organization of third party audit findings in third party contracts. CC ID 06512 [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a) The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j) The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l) {third party audit report} Without prejudice to their final responsibility regarding outsourcing arrangements, institutions and payment institutions may use: third-party certifications and third-party or internal audit reports, made available by the service provider. 4.13.3 91(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the right of the organization to conduct compliance audits in third party contracts. CC ID 06514 [The outsourcing agreement for critical or important functions should set out at least: the unrestricted right of institutions, payment institutions and competent authorities to inspect and audit the service provider with regard to, in particular, the critical or important outsourced function, as specified in Section 13.3; 4.13 75(p) The outsourcing agreement for critical or important functions should set out at least: the right of the institution or payment institution to monitor the service provider's performance on an ongoing basis; 4.13 75(h) Institutions and payment institutions should ensure within the written outsourcing arrangement that the internal audit function is able to review the outsourced function using a risk-based approach. 4.13.3 85 {access rights} Institutions and payment institutions should ensure that the outsourcing agreement or any other contractual arrangement does not impede or limit the effective exercise of the access and audit rights by them, competent authorities or third parties appointed by them to exercise these rights. 4.13.3 89 {right to audit} With regard to the outsourcing of critical or important functions, institutions and payment institutions should ensure within the written outsourcing agreement that the service provider grants them and their competent authorities, including resolution authorities, and any other person appointed by them or the competent authorities, the following: unrestricted rights of inspection and auditing related to the outsourcing arrangement ('audit rights'), to enable them to monitor the outsourcing arrangement and to ensure compliance with all applicable regulatory and contractual requirements. 4.13.3 87(b) {outsourcing policy} Institutions and payment institutions should ensure that the policy covers the identification of the following potential effects of critical or important outsourcing arrangements and that these are taken into account in the decision-making process: the ability to oversee the service provider and to manage the risks; 4.7 44(b) {third-party certifications} {third-party audit report} {be legitimate} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: have the contractual right to request the expansion of the scope of the certifications or audit reports to other relevant systems and controls; the number and frequency of such requests for scope modification should be reasonable and legitimate from a risk management perspective; and 4.13.3 93(g) {access rights} {right to audit} {operational risks} {contract duration} {be critical} For the outsourcing of functions that are not critical or important, institutions and payment institutions should ensure the access and audit rights as set out in paragraph 87 (a) and (b) and Section 13.3, on a risk-based approach, considering the nature of the outsourced function and the related operational and reputational risks, its scalability, the potential impact on the continuous performance of its activities and the contractual period. Institutions and payment institutions should take into account that functions may become critical or important over time. 4.13.3 88 When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: conduct appropriate audits regarding the outsourced function; 4.4 31(c)(iii)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts. CC ID 06516 [The outsourcing agreement for critical or important functions should set out at least: the requirements to implement and test business contingency plans; 4.13 75(l)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include training requirements in third party contracts. CC ID 16367 | Third Party and supply chain oversight | Acquisition/Sale of Assets or Services | |
Include an indemnification and liability clause in third party contracts. CC ID 06517 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a third party delegation clause and subcontractor to third party clause in third party contracts. CC ID 06521 [The outsourcing agreement should specify whether or not sub-outsourcing of critical or important functions, or material parts thereof, is permitted. 4.13.1 76 The outsourcing agreement for critical or important functions should set out at least: whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted and, if so, the conditions specified in Section 13.1 that the sub-outsourcing is subject to; 4.13 75(e)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text that subcontractors must meet organizational compliance requirements in third party contracts. CC ID 06522 [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify the conditions to be complied with in the case of sub-outsourcing; 4.13.1 78(b) Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: comply with all applicable laws, regulatory requirements and contractual obligations; and 4.13.1 79(a) Institutions and payment institutions should agree to sub-outsourcing only if the sub-contractor undertakes to: grant the institution, payment institution and competent authority the same contractual rights of access and audit as those granted by the service provider. 4.13.1 79(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text regarding foreign-based third parties in third party contracts. CC ID 06722 [{confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84 The outsourcing agreement for critical or important functions should set out at least: the governing law of the agreement; 4.13 75(c) Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control clauses in third party contracts, as necessary. CC ID 06523 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 The outsourcing agreement for critical or important functions should set out at least: the location(s) (i.e. regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the institution or payment institution if the service provider proposes to change the location(s); 4.13 75(f) The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where there are material changes affecting the outsourcing arrangement or the service provider (e.g. sub-outsourcing or changes of sub-contractors); 4.13.4 98(c) {refrain from replacing} When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the possibility that the proposed outsourcing arrangement might be scaled up without replacing or revising the underlying agreement; 4.4 31(g)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include notification to the organization of any material change in the third party's ability to perform functions according to Service Level Agreements in third party contracts. CC ID 07115 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: the procedures for being notified and responding to changes to an outsourcing arrangement or service provider (e.g. to its financial position, organisational or ownership structures, sub-outsourcing); 4.7 42(d)(ii) The outsourcing agreement for critical or important functions should set out at least: the reporting obligations of the service provider to the institution or payment institution, including the communication by the service provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports of the internal audit function of the service provider; 4.13 75(j) If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e) The outsourcing agreement for critical or important functions should set out at least: the start date and end date, where applicable, of the agreement and the notice periods for the service provider and the institution or payment institution; 4.13 75(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include triggers for renegotiating the contract in third party contracts. CC ID 06527 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include change control notification processes in third party contracts. CC ID 06524 [institutions and payment institutions should ensure that their management body will be duly informed of relevant planned changes regarding service providers that are monitored centrally and the potential impact of these changes on the critical or important functions provided, including a summary of the risk analysis, including legal risks, compliance with regulatory requirements and the impact on service levels, in order for them to assess the impact of these changes; 4.2 23(b) If sub-outsourcing of critical or important functions is permitted, the written agreement should: include an obligation of the service provider to inform the institution or payment institution of any planned sub-outsourcing, or material changes thereof, in particular where that might affect the ability of the service provider to meet its responsibilities under the outsourcing agreement. This includes planned significant changes of subcontractors and to the notification period; in particular, the notification period to be set should allow the outsourcing institution or payment institution at least to carry out a risk assessment of the proposed changes and to object to changes before the planned sub-outsourcing, or material changes thereof, come into effect; 4.13.1 78(e)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include cost structure changes in third party contracts. CC ID 10021 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a choice of venue clause in third party contracts. CC ID 06520 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a dispute resolution clause in third party contracts. CC ID 06519 [Institutions, in line with Title IV, Section 11, of the EBA Guidelines on internal governance, and payment institutions should identify, assess and manage conflicts of interests with regard to their outsourcing arrangements. 4.8 45 Where outsourcing creates material conflicts of interest, including between entities within the same group or institutional protection scheme, institutions and payment institutions need to take appropriate measures to manage those conflicts of interest. 4.8 46 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the dispute resolution body's contact information in the terms and conditions in third party contracts. CC ID 13813 [The outsourcing agreement for critical or important functions should set out at least: for institutions, a clear reference to the national resolution authority's powers, especially to Articles 68 and 71 of Directive 2014/59/EU (BRRD), and in particular a description of the 'substantive obligations' of the contract in the sense of Article 68 of that Directive; 4.13 75(o)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include early termination contingency plans in the third party contracts. CC ID 06526 [{re-incorporate} The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: 4.13.4 99 identify alternative solutions and develop transition plans to enable the institution or payment institution to remove outsourced functions and data from the service provider and transfer them to alternative providers or back to the institution or payment institution or to take other measures that ensure the continuous provision of the critical or important function or business activity in a controlled and sufficiently tested manner, taking into account the challenges that may arise because of the location of data and taking the necessary measures to ensure business continuity during the transition phase. 4.15 107(b) The outsourcing arrangement should facilitate the transfer of the outsourced function to another service provider or its re-incorporation into the institution or payment institution. To this end, the written outsourcing arrangement should: set an appropriate transition period, during which the service provider, after the termination of the outsourcing arrangement, would continue to provide the outsourced function to reduce the risk of disruptions; and 4.13.4 99(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a liquidated damages clause and material breach clause in third party contracts. CC ID 06817 [The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where the provider of the outsourced functions is in a breach of applicable law, regulations or contractual provisions; 4.13.4 98(a) Institutions and payment institutions should have a documented exit strategy when outsourcing critical or important functions that is in line with their outsourcing policy and business continuity plans, taking into account at least the possibility of: the failure of the service provider; 4.15 106(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include termination costs in third party contracts. CC ID 10023 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include text about obtaining adequate insurance in third party contracts. CC ID 06880 [The outsourcing agreement for critical or important functions should set out at least: whether the service provider should take mandatory insurance against certain risks and, if applicable, the level of insurance cover requested; 4.13 75(k)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include incident management procedures and incident reporting procedures in third party contracts. CC ID 01214 [{be able} Institutions and payment institutions should ensure that the outsourcing of functions of banking activities or payment services, to an extent that the performance of that function requires authorisation or registration by a competent authority in the Member State where they are authorised, to a service provider located in a third country takes place only if the following conditions are met: the cooperation agreement referred to in point (b) should ensure that the competent authorities are able, at least, to: cooperate with the relevant supervisory authorities in the third country on enforcement in the case of a breach of the applicable regulatory requirements and national law in the Member State. Cooperation should include, but not necessarily be limited to, receiving information on potential breaches of the applicable regulatory requirements from the supervisory authorities in the third country as soon as is practicable. 4.12.1 63(c)(iv)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a usage limitation of restricted data clause in third party contracts. CC ID 13026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include end-of-life information in third party contracts. CC ID 15265 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain third party transaction authentication procedures. CC ID 00791 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include responding to privacy rights violation complaints in third party contracts. CC ID 12432 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include disclosure requirements in third party contracts. CC ID 08825 [Regardless of the criticality or importance of the outsourced function, the written outsourcing arrangements between institutions and service providers should refer to the information gathering and investigatory powers of competent authorities and resolution authorities under Article 63(1)(a) of Directive 2014/59/EU and Article 65(3) of Directive 2013/36/EU with regard to service providers located in a Member State and should also ensure those rights with regard to service providers located in third countries. 4.13.3 86] | Third Party and supply chain oversight | Business Processes | |
Include requirements for alternate processing facilities in third party contracts. CC ID 13059 [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document the organization's supply chain in the supply chain management program. CC ID 09958 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain a Third Party Service Provider list. CC ID 12480 [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d) As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include required information in the Third Party Service Provider list. CC ID 14429 [The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e) The register should include at least the following information for all existing outsourcing arrangements: the date of the most recent assessment of the criticality or importance of the outsourced function. 4.11 54(i) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the estimated annual budget cost. 4.11 55(k) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include subcontractors in the Third Party Service Provider list. CC ID 14425 [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include alternate service providers in the Third Party Service Provider list. CC ID 14420 [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: identification of alternative service providers in line with point (h); 4.11 55(i)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the Third Party Service Provider list to interested personnel and affected parties. CC ID 14422 [{electronic format} Institutions and payment institutions should, upon request, make available to the competent authority either the full register of all existing outsourcing arrangements or sections specified thereof, such as information on all outsourcing arrangements falling under one of the categories referred to in point (d) of paragraph 54 of these guidelines (e.g. all IT outsourcing arrangements). Institutions and payment institutions should provide this information in a processable electronic form (e.g. a commonly used database format, comma separated values). 4.11 56] | Third Party and supply chain oversight | Communicate | |
Include contact information of the Service Provider in the Third Party Service Provider list. CC ID 14430 [The register should include at least the following information for all existing outsourcing arrangements: the name of the service provider, the corporate registration number, the legal entity identifier (where available), the registered address and other relevant contact details, and the name of its parent company (if any); 4.11 54(e)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all contract dates in the Third Party Service Provider list. CC ID 14421 [The register should include at least the following information for all existing outsourcing arrangements: the start date and, as applicable, the next contract renewal date, the end date and/or notice periods for the service provider and for the institution or payment institution; 4.11 54(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the services provided by each supplier in the Third Party Service Provider list. CC ID 12481 [where the register of all existing outsourcing arrangements, as referred to in Section 11, is established and maintained centrally within a group or institutional protection scheme, competent authorities, all institutions and payment institutions should be able to obtain their individual register without undue delay. This register should include all outsourcing arrangements, including outsourcing arrangements with service providers inside that group or institutional protection scheme; 4.2 23(d) The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c) The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include criticality of services in the Third Party Service Provider list. CC ID 14428 [{be critical} The register should include at least the following information for all existing outsourcing arrangements: whether or not (yes/no) the outsourced function is considered critical or important, including, where applicable, a brief summary of the reasons why the outsourced function is considered critical or important; 4.11 54(g) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the date of the most recent risk assessment and a brief summary of the main results; 4.11 55(c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a description of data used in the Third Party Service Provider list. CC ID 14427 [The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c) The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the location of services provided in the Third Party Service Provider list. CC ID 14423 [{outsourcing arrangements} {sub-outsourcing} For the outsourcing of critical or important functions, the register should include at least the following additional information: where applicable, the names of any sub-contractors to which material parts of a critical or important function are sub-outsourced, including the country where the subcontractors are registered, where the service will be performed and, if applicable, the location (i.e. country or region) where the data will be stored; 4.11 55(g) The register should include at least the following information for all existing outsourcing arrangements: a brief description of the outsourced function, including the data that are outsourced and whether or not personal data (e.g. by providing a yes or no in a separate data field) have been transferred or if their processing is outsourced to a service provider; 4.11 54(c) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the governing law of the outsourcing agreement; 4.11 55(e) The register should include at least the following information for all existing outsourcing arrangements: the country or countries where the service is to be performed, including the location (i.e. country or region) of the data; 4.11 54(f) The register should include at least the following information for all existing outsourcing arrangements: in the case of outsourcing to a cloud service provider, the cloud service and deployment models, i.e. public/private/hybrid/community, and the specific nature of the data to be held and the locations (i.e. countries or regions) where such data will be stored; 4.11 54(h)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Document supply chain transactions in the supply chain management program. CC ID 08857 | Third Party and supply chain oversight | Business Processes | |
Document the supply chain's critical paths in the supply chain management program. CC ID 10032 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish and maintain supply chain manufacturing and integration requirements documents for all items being produced for the organization. CC ID 11558 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disallow access to restricted information on machines used to manufacture authentication elements. CC ID 11561 | Third Party and supply chain oversight | Physical and Environmental Protection | |
Establish, implement, and maintain Operational Level Agreements. CC ID 13637 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include technical processes in operational level agreements, as necessary. CC ID 13639 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain Service Level Agreements with the organization's supply chain. CC ID 00838 [The outsourcing agreement for critical or important functions should set out at least: the agreed service levels, which should include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met; 4.13 75(i) The rights and obligations of the institution, the payment institution and the service provider should be clearly allocated and set out in a written agreement. 4.13 74] | Third Party and supply chain oversight | Process or Activity | |
Include the responsible party for managing complaints in third party contracts. CC ID 10022 | Third Party and supply chain oversight | Establish Roles | |
Categorize all suppliers in the supply chain management program. CC ID 00792 [The outsourcing policy should differentiate between the following: intragroup outsourcing arrangements, outsourcing arrangements within the same institutional protection scheme (including entities fully owned individually or collectively by institutions within the institutional protection scheme) and outsourcing to entities outside the group; and 4.7 43(c) The outsourcing policy should differentiate between the following: outsourcing to service providers located within a Member State and third countries. 4.7 43(d) Institutions and payment institutions should establish whether an arrangement with a third party falls under the definition of outsourcing. Within this assessment, consideration should be given to whether the function (or a part thereof) that is outsourced to a service provider is performed on a recurrent or an ongoing basis by the service provider and whether this function (or part thereof) would normally fall within the scope of functions that would or could realistically be performed by institutions or payment institutions, even if the institution or payment institution has not performed this function in the past itself. 4.3 26 When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52 {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the institutions, payment institutions and other firms within the scope of the prudential consolidation or institutional protection scheme, where applicable, that make use of the outsourcing; 4.11 55(a) {outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: whether or not the service provider or sub-service provider is part of the group or a member of the institutional protection scheme or is owned by institutions or payment institutions within the group or is owned by members of an institutional protection scheme; 4.11 55(b) The register should include at least the following information for all existing outsourcing arrangements: a category assigned by the institution or payment institution that reflects the nature of the function as described under point (c) (e.g. information technology (IT), control function), which should facilitate the identification of different types of arrangements; 4.11 54(d)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include risk management procedures in the supply chain management policy. CC ID 08811 [As part of the overall internal control framework, including internal control mechanisms, institutions and payment institutions should have a holistic institution-wide risk management framework extending across all business lines and internal units. Under that framework, institutions and payment institutions should identify and manage all their risks, including risks caused by arrangements with third parties. The risk management framework should also enable institutions and payment institutions to make well-informed decisions on risk-taking and ensure that risk management measures are appropriately implemented, including with regard to cyber risks. 4.5 32 {outsourcing policy} {risk assessment} {risk management} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: risk identification, assessment and management in accordance with Section 12.2; 4.7 42(c)(iii) where operational tasks of internal control functions are outsourced (e.g. in the case of intragroup outsourcing or outsourcing within institutional protection schemes), exercise appropriate oversight and be able to manage the risks that are generated by the outsourcing of critical or important functions; and 4.6 39(c) When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of any disruption to the outsourced function or failure of the service provider to provide the service at the agreed service levels on a continuous basis on their: operational risk, including conduct, information and communication technology (ICT) and legal risks; 4.4 31(b)(iii)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination of the complexity of the third party relationships in the supply chain risk assessment. CC ID 10024 [{financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a) where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: conduct a thorough risk-based analysis of the functions and related data and systems that are being considered for outsourcing or have been outsourced and address the potential risks, in particular the operational risks, including legal, ICT, compliance and reputational risks, and the oversight limitations related to the countries where the outsourced services are or may be provided and where the data are or are likely to be stored; 4.12.2 68(b) When applying the requirements set out in these guidelines, institutions and payment institutions should take into account the complexity of the outsourced functions, the risks arising from the outsourcing arrangement, the criticality or importance of the outsourced function and the potential impact of the outsourcing on the continuity of their activities. 4.1 19 {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70] | Third Party and supply chain oversight | Business Processes | |
Include a determination of financial benefits over actual costs of third party relationships in the supply chain risk assessment report. CC ID 10025 [Within the risk assessment, institutions and payments institutions should also take into account the expected benefits and costs of the proposed outsourcing arrangement, including weighing any risks that may be reduced or better managed against any risks that may arise as a result of the proposed outsourcing arrangement, taking into account at least: 4.12.2 66 {critical function} Institutions and payment institutions should always consider a function as critical or important in the following situations: where a defect or failure in its performance would materially impair: their financial performance; or 4.4 29(a)(ii)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination of how third party relationships affect strategic initiatives in the supply chain risk assessment report. CC ID 10026 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination if the third party relationship will affect employees in the supply chain risk assessment report. CC ID 10027 | Third Party and supply chain oversight | Business Processes | |
Include a determination of customer interactions with third parties in the supply chain risk assessment report. CC ID 10028 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report. CC ID 10029 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain a supply chain management policy. CC ID 08808 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Require supply chain members to accept and sign the organization's code of conduct. CC ID 12397 [Institutions and payment institutions should take appropriate steps to ensure that service providers act in a manner consistent with their values and code of conduct. In particular, with regard to service providers located in third countries and, if applicable, their sub-contractors, institutions and payment institutions should be satisfied that the service provider acts in an ethical and socially responsible manner and adheres to international standards on human rights (e.g. the European Convention on Human Rights), environmental protection and appropriate working conditions, including the prohibition of child labour. 4.12.3 73] | Third Party and supply chain oversight | Business Processes | |
Require third parties to employ a Chief Information Security Officer. CC ID 12057 | Third Party and supply chain oversight | Human Resources Management | |
Include supplier assessment principles in the supply chain management policy. CC ID 08809 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the third party selection process in the supply chain management policy. CC ID 13132 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Select suppliers based on their qualifications. CC ID 00795 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include refraining from depending on any individual third party in the supply chain management policy. CC ID 13133 [When functions are provided by a service provider that is part of a group or a member of an institutional protection scheme or that is owned by the institution, payment institution, group or institutions that are members of an institutional protection scheme, the conditions, including financial conditions, for the outsourced service should be set at arm's length. However, within the pricing of services synergies resulting from providing the same or similar services to several institutions within a group or an institutional protection scheme may be factored in, as long as the service provider remains viable on a stand-alone basis; within a group this should be irrespective of the failure of any other group entity. 4.8 47] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a clear management process in the supply chain management policy. CC ID 08810 [The management body of an institution or payment institution that has outsourcing arrangements in place or plans on entering into such arrangements should approve, regularly review and update a written outsourcing policy and ensure its implementation, as applicable, on an individual, sub-consolidated and consolidated basis. For institutions, the outsourcing policy should be in accordance with Section 8 of the EBA's Guidelines on internal governance and, in particular, should take into account the requirements set out in Section 18 (new products and significant changes) of those guidelines. Payment institutions may also align their policies with Sections 8 and 18 of the EBA Guidelines on internal governance. 4.7 41 {not carry out} {corrective action} Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important function effectively or in compliance with applicable laws and regulatory requirements. If shortcomings are identified, institutions and payment institutions should take appropriate corrective or remedial actions. Such actions may include terminating the outsourcing agreement, with immediate effect, if necessary. 4.14 105 {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the implementation, monitoring and management of outsourcing arrangements, including: 4.7 42(d) {be responsible} {be accountable} taking into account Section 1 of these guidelines, establish an outsourcing function or designate a senior staff member who is directly accountable to the management body (e.g. a key function holder of a control function) and responsible for managing and overseeing the risks of outsourcing arrangements as part of the institution's internal control framework and overseeing the documentation of outsourcing arrangements. Small and less complex institutions or payment institutions should at least ensure a clear division of tasks and responsibilities for the management and control of outsourcing arrangements and may assign the outsourcing function to a member of the institution's or payment institution's management body. 4.6 38(c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include roles and responsibilities in the supply chain management policy. CC ID 15499 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include third party due diligence standards in the supply chain management policy. CC ID 08812 [Institutions and payment institutions should apply due skill, care and diligence when monitoring and managing outsourcing arrangements. 4.14 101] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the supply chain management policy to all interested personnel and affected parties. CC ID 15493 | Third Party and supply chain oversight | Communicate | |
Require suppliers to commit to the supply chain management policy. CC ID 08813 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Support third parties in building their capabilities. CC ID 08814 | Third Party and supply chain oversight | Business Processes | |
Implement measurable improvement plans with all third parties. CC ID 08815 | Third Party and supply chain oversight | Business Processes | |
Post a list of compliant third parties on the organization's website. CC ID 08817 | Third Party and supply chain oversight | Business Processes | |
Use third parties that are compliant with the applicable requirements. CC ID 08818 [{selection process} Before entering into an outsourcing arrangement and considering the operational risks related to the function to be outsourced, institutions and payment institutions should ensure in their selection and assessment process that the service provider is suitable. 4.12.3 69 {be reliable} With regard to critical and important functions, institutions and payment institutions should ensure that the service provider has the business reputation, appropriate and sufficient abilities, the expertise, the capacity, the resources (e.g. human, IT, financial), the organisational structure and, if applicable, the required regulatory authorisation(s) or registration(s) to perform the critical or important function in a reliable and professional manner to meet its obligations over the duration of the draft contract. 4.12.3 70] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain a conflict minerals policy. CC ID 08943 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a statement of avoided areas from receiving minerals in the conflict minerals policy. CC ID 08944 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all in scope materials in the conflict minerals policy. CC ID 08945 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include adherence to international transportation regulations in the conflict minerals policy. CC ID 08946 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include all applicable authority documents in the conflict minerals policy. CC ID 08947 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate the conflict minerals policy to all interested personnel and affected parties. CC ID 08948 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Make the conflict minerals policy Publicly Available Information. CC ID 08949 | Third Party and supply chain oversight | Data and Information Management | |
Establish and maintain a conflict materials report. CC ID 08823 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define documentation requirements for each potential conflict material's source of origin. CC ID 08820 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define documentation requirements for smelted minerals and legacy refined materials sources of origin. CC ID 08821 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Identify supply sources for secondary materials. CC ID 08822 | Third Party and supply chain oversight | Business Processes | |
Deal directly with third parties that provide any material listed in the conflict materials report. CC ID 08891 | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain supply chain due diligence standards. CC ID 08846 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v)] | Third Party and supply chain oversight | Business Processes | |
Provide management support for third party due diligence. CC ID 08847 | Third Party and supply chain oversight | Business Processes | |
Commit to the supply chain due diligence process. CC ID 08849 | Third Party and supply chain oversight | Business Processes | |
Structure the organization to support supply chain due diligence. CC ID 08850 | Third Party and supply chain oversight | Business Processes | |
Schedule supply chain audits, as necessary. CC ID 10015 [{outsourcing arrangements} For the outsourcing of critical or important functions, the register should include at least the following additional information: the dates of the most recent and next scheduled audits, where applicable; 4.11 55(f)] | Third Party and supply chain oversight | Audits and Risk Management | |
Establish, implement, and maintain internal accountability for the supply chain due diligence process. CC ID 08851 [where those institutions or payment institutions have outsourcing arrangements with service providers within the group or the institutional protection scheme, the management body of those institutions or payment institutions retains, also for these outsourcing arrangements, full responsibility for compliance with all regulatory requirements and the effective application of these guidelines; 4.2 22(a) {outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: 4.7 42] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain supply chain due diligence requirements. CC ID 08853 | Third Party and supply chain oversight | Business Processes | |
Document and maintain records of supply chain transactions in a transaction file. CC ID 08858 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Cross-check the supply chain due diligence practices against the supply chain management policy. CC ID 08859 | Third Party and supply chain oversight | Business Processes | |
Exclude suppliers that have passed the conflict-free smelter program from the conflict materials report. CC ID 10016 | Third Party and supply chain oversight | Business Processes | |
Assign the appropriate individuals or groups to oversee and support supply chain due diligence. CC ID 08861 | Third Party and supply chain oversight | Business Processes | |
Develop and implement supply chain due diligence capability training program. CC ID 08862 | Third Party and supply chain oversight | Business Processes | |
Determine if additional supply chain due diligence processes are required. CC ID 08863 | Third Party and supply chain oversight | Business Processes | |
Review transaction files for compliance with the supply chain audit standard. CC ID 08864 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Provide additional documentation to validate and approve the use of non-compliant materials. CC ID 08865 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements. CC ID 08870 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: procedures for the identification, assessment, management and mitigation of potential conflicts of interest, in accordance with Section 8; 4.7 42(c)(v) Before entering into any outsourcing arrangement, institutions and payment institutions should: identify and assess conflicts of interest that the outsourcing may cause in line with Section 8. 4.12 61(e)] | Third Party and supply chain oversight | Business Processes | |
Calculate and report the margin of error in the supply chain due diligence report. CC ID 08871 | Third Party and supply chain oversight | Business Processes | |
Conduct all parts of the supply chain due diligence process. CC ID 08854 [{outsourcing policy} The policy should include the main phases of the life cycle of outsourcing arrangements and define the principles, responsibilities and processes in relation to outsourcing. In particular, the policy should cover at least: the planning of outsourcing arrangements, including: due diligence checks on prospective service providers, including the measures required under Section 12.3; 4.7 42(c)(iv) Before entering into any outsourcing arrangement, institutions and payment institutions should: undertake appropriate due diligence on the prospective service provider in accordance with Section 12.3; 4.12 61(d) {financial condition} Additional factors to be considered when conducting due diligence on a potential service provider include, but are not limited to: its business model, nature, scale, complexity, financial situation, ownership and group structure; 4.12.3 71(a)] | Third Party and supply chain oversight | Business Processes | |
Identify all service providers in the supply chain. CC ID 12213 [When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: consider whether the service provider is a subsidiary or parent undertaking of the institution, is included in the scope of accounting consolidation or is a member of or owned by institutions that are members of an institutional protection scheme and, if so, the extent to which the institution controls it or has the ability to influence its actions in line with Section 2. 4.12.2 68(f)] | Third Party and supply chain oversight | Business Processes | |
Disallow engaging service providers that are restricted from performing their duties. CC ID 12214 | Third Party and supply chain oversight | Business Processes | |
Collect evidence of each supplier's supply chain due diligence processes. CC ID 08855 | Third Party and supply chain oversight | Business Processes | |
Conduct spot checks of the supplier's supply chain due diligence processes as necessary. CC ID 08860 | Third Party and supply chain oversight | Business Processes | |
Determine if suppliers can meet the organization's production requirements. CC ID 11559 | Third Party and supply chain oversight | Business Processes | |
Require suppliers to meet the organization's manufacturing and integration requirements. CC ID 11560 | Third Party and supply chain oversight | Business Processes | |
Evaluate the impact of the authentication element of the anti-counterfeit measures on the manufacturing process. CC ID 11557 | Third Party and supply chain oversight | Business Processes | |
Include a requirement in outsourcing contracts that supply chain members must implement security controls to protect information. CC ID 13353 [{data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82 {confidential information} {personal information} Without prejudice to the requirements under the Regulation (EU) 2016/679, institutions and payment institutions, when outsourcing (in particular to third countries), should take into account differences in national provisions regarding the protection of data. Institutions and payment institutions should ensure that the outsourcing agreement includes the obligation that the service provider protects confidential, personal or otherwise sensitive information and complies with all legal requirements regarding the protection of data that apply to the institution or payment institution (e.g. the protection of personal data and that banking secrecy or similar legal confidentiality duties with respect to clients' information, where applicable, are observed). 4.13.2 84 {confidentiality, integrity, security and availability} The outsourcing agreement for critical or important functions should set out at least: where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data, as specified in Section 13.2; 4.13 75(g)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Disseminate and communicate third parties' external audit reports to interested personnel and affected parties. CC ID 13139 | Third Party and supply chain oversight | Communicate | |
Include the audit scope in the third party external audit report. CC ID 13138 [{third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Require individual attestations of compliance from each location a third party operates in. CC ID 12228 | Third Party and supply chain oversight | Business Processes | |
Validate the third parties' compliance to organizationally mandated compliance requirements. CC ID 08819 [{third party relationship} Institutions and payment institutions should ensure that they comply with all requirements under Regulation (EU) 2016/679, including for their third-party and outsourcing arrangements. 4.5 34 {data requirement} Where relevant (e.g. in the context of cloud or other ICT outsourcing), institutions and payment institutions should define data and system security requirements within the outsourcing agreement and monitor compliance with these requirements on an ongoing basis. 4.13.2 82 {third-party certifications} {third-party audit report} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: ensure that the scope of the certification or audit report covers the systems (i.e. processes, applications, infrastructure, data centres, etc.) and key controls identified by the institution or payment institution and the compliance with relevant regulatory requirements; 4.13.3 93(b) {third-party certifications} {third-party audit report} {are current} Institutions and payment institutions should make use of the method referred to in paragraph 91(b) only if they: thoroughly assess the content of the certifications or audit reports on an ongoing basis and verify that the reports or certifications are not obsolete; 4.13.3 93(c)] | Third Party and supply chain oversight | Business Processes | |
Determine third party compliance with third party contracts. CC ID 08866 | Third Party and supply chain oversight | Business Processes | |
Quarantine non-compliant material. CC ID 08867 | Third Party and supply chain oversight | Business Processes | |
Refrain from quarantining conflict-free materials. CC ID 08868 | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain disposition processes for non-compliant material. CC ID 08869 | Third Party and supply chain oversight | Business Processes | |
Review the information collected about each supplier for the supply chain due diligence report. CC ID 08856 [where those institutions and payment institutions within the group, institutions affiliated to a central body or institutions that are part of an institutional protection scheme rely on a central pre-outsourcing assessment of outsourcing arrangements, as referred to in Section 12, each institution and payment institution should receive a summary of the assessment and ensure that it takes into consideration its specific structure and risks within the decision-making process; 4.2 23(c) Institutions and payment institutions should assess the potential impact of outsourcing arrangements on their operational risk, should take into account the assessment results when deciding if the function should be outsourced to a service provider and should take appropriate steps to avoid undue additional operational risks before entering into outsourcing arrangements. 4.12.2 64] | Third Party and supply chain oversight | Business Processes | |
Establish and maintain a supply chain due diligence report. CC ID 08824 | Third Party and supply chain oversight | Business Processes | |
Submit the supply chain due diligence report. CC ID 08828 | Third Party and supply chain oversight | Business Processes | |
Include supply chain risk assessment reports in the supply chain due diligence report. CC ID 08835 [Institutions should regularly update their risk assessment in accordance with Section 12.2 and should periodically report to the management body on the risks identified in respect of the outsourcing of critical or important functions. 4.14 102] | Third Party and supply chain oversight | Business Processes | |
Include monitoring and tracking risk mitigation performance in the supply chain due diligence report. CC ID 08837 [When assessing whether an outsourcing arrangement relates to a function that is critical or important, institutions and payment institutions should take into account, together with the outcome of the risk assessment outlined in Section 12.2, at least the following factors: the potential impact of the outsourcing arrangement on their ability to: identify, monitor and manage all risks; 4.4 31(c)(i)] | Third Party and supply chain oversight | Business Processes | |
Include supplier agreement terminations in the supply chain due diligence report. CC ID 08845 [As part of their risk management framework, institutions and payment institutions should maintain an updated register of information on all outsourcing arrangements at the institution and, where applicable, at sub-consolidated and consolidated levels, as set out in Section 2, and should appropriately document all current outsourcing arrangements, distinguishing between the outsourcing of critical or important functions and other outsourcing arrangements. Taking into account national law, institutions should maintain the documentation of ended outsourcing arrangements within the register and the supporting documentation for an appropriate period. 4.11 52] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain third party reporting requirements. CC ID 13289 [where the operational monitoring of outsourcing is centralised (e.g. as part of a master agreement for the monitoring of outsourcing arrangements), institutions and payment institutions should ensure that, at least for outsourced critical or important functions, both independent monitoring of the service provider and appropriate oversight by each institution or payment institution is possible, including by receiving, at least annually and upon request from the centralised monitoring function, reports that include, at least, a summary of the risk assessment and performance monitoring. In addition, institutions and payment institutions should receive from the centralised monitoring function a summary of the relevant audit reports for critical or important outsourcing and, upon request, the full audit report; 4.2 23(a) ensuring that they receive appropriate reports from service providers; 4.14 104(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Define timeliness factors for third party reporting requirements. CC ID 13304 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Review the supply chain's service delivery on a regular basis. CC ID 12010 | Third Party and supply chain oversight | Business Processes | |
Identify red flags in the supply chain. CC ID 08873 | Third Party and supply chain oversight | Business Processes | |
Detect red flags in the supply chain. CC ID 08874 | Third Party and supply chain oversight | Business Processes | |
Notify interested personnel and affected parties when critical components or materials are not obtained from an authorized source. CC ID 11516 | Third Party and supply chain oversight | Business Processes | |
Review third party red flag locations to identify facts for the supply chain risk assessment. CC ID 08875 | Third Party and supply chain oversight | Business Processes | |
Establish and maintain an interactive map of third party red flag locations. CC ID 08876 | Third Party and supply chain oversight | Business Processes | |
Collect information on red-flagged supply chains. CC ID 08877 | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain outsourcing contracts. CC ID 13124 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include performance standards in outsourcing contracts. CC ID 13140 [{be capable} The outsourcing arrangement should expressly allow the possibility for the institution or payment institution to terminate the arrangement, in accordance with applicable law, including in the following situations: where impediments capable of altering the performance of the outsourced function are identified; 4.13.4 98(b)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include the organization approving subcontractors in the outsourcing contract. CC ID 13131 [{specific written authorisation} If sub-outsourcing of critical or important functions is permitted, the written agreement should: require the service provider to obtain prior specific or general written authorisation from the institution or payment institution before sub-outsourcing data; 4.13.1 78(d) If sub-outsourcing of critical or important functions is permitted, the written agreement should: ensure, where appropriate, that the institution or payment institution has the right to object to intended sub-outsourcing, or material changes thereof, or that explicit approval is required; 4.13.1 78(f) If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify any types of activities that are excluded from sub-outsourcing; 4.13.1 78(a)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Include a provision that third parties are responsible for their subcontractors in the outsourcing contract. CC ID 13130 [If sub-outsourcing of critical or important functions is permitted, the written agreement should: specify that the service provider is obliged to oversee those services that it has subcontracted to ensure that all contractual obligations between the service provider and the institution or payment institution are continuously met; 4.13.1 78(c)] | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain. CC ID 08878 | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain a system of transparency and controls over the entire supply chain. CC ID 08879 [Where the outsourcing arrangement includes the possibility that the service provider sub-outsources critical or important functions to other service providers, institutions and payment institutions should take into account: the risk that long and complex chains of sub-outsourcing reduce the ability of institutions or payment institutions to oversee the outsourced critical or important function and the ability of competent authorities to effectively supervise them. 4.12.2 67(b) When carrying out the risk assessment prior to outsourcing and during ongoing monitoring of the service provider's performance, institutions and payment institutions should, at least: define and decide on an appropriate level of protection of data confidentiality, of continuity of the activities outsourced and of the integrity and traceability of data and systems in the context of the intended outsourcing. Institutions and payment institutions should also consider specific measures, where necessary, for data in transit, data in memory and data at rest, such as the use of encryption technologies in combination with an appropriate key management architecture; 4.12.2 68(e)] | Third Party and supply chain oversight | Business Processes | |
Establish, implement, and maintain supply chain onsite investigation procedures. CC ID 08919 [{site visit} Before a planned on-site visit, institutions, payment institutions, competent authorities and auditors or third parties acting on behalf of the institution, payment institution or competent authorities should provide reasonable notice to the service provider, unless this is not possible due to an emergency or crisis situation or would lead to a situation where the audit would no longer be effective. 4.13.3 95] | Third Party and supply chain oversight | Business Processes | |
Assist with local logistics in support of supply chain onsite investigations. CC ID 08920 | Third Party and supply chain oversight | Behavior | |
Create an on-site mine visit report. CC ID 08921 | Third Party and supply chain oversight | Establish/Maintain Documentation | |
Establish, implement, and maintain information security controls for the supply chain. CC ID 13109 [{personal data} In the case of outsourcing to cloud service providers and other outsourcing arrangements that involve the handling or transfer of personal or confidential data, institutions and payment institutions should adopt a risk-based approach to data storage and data processing location(s) (i.e. country or region) and information security considerations. 4.13.2 83] | Third Party and supply chain oversight | Establish/Maintain Documentation | |