FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021



AD ID

0003341

AD STATUS

FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021

ORIGINATOR

US Federal Financial Institutions Examination Council (FFIEC)

TYPE

Audit Guideline

AVAILABILITY

Free

SYNONYMS

FFIEC IT Examination Handbook Architecture, Infrastructure, and Operations 2021

FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations

EFFECTIVE

2021-06-01

ADDED

The document as a whole was last reviewed and released on 2022-01-26T00:00:00-0800.

Important Notice

This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.

This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.

This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.

The process we used to tag and map this document

This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.

Controls and associated Citations breakdown

When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. Because the Citations and mandates are tied to Common Controls, three sets of metadata are associated with each Citation: Controls by Impact Zone, Controls by Type, and Controls by Classification.

The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:

Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.

Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021, tagged with its primary and secondary nouns and primary and secondary verbs, in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance itself, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives the Common Control itself.

Dictionary Terms – The dictionary terms listed for FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021 are based upon terms found either within the Authority Document’s defined terms section (which most legal documents have) or within its glossary, and, for the most part, as tagged within each mandate. The terms with links are the standardized version of the term.



Common Controls and mandates by Impact Zone

619 Mandated Controls - bold
167 Implied Controls - italic
4570 Implementation Controls - regular

An Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.


The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.

Number of Controls
5356 Total
  • Acquisition or sale of facilities, technology, and services
    49
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Acquisition or sale of facilities, technology, and services CC ID 01123 IT Impact Zone IT Impact Zone
    Plan for acquiring facilities, technology, or services. CC ID 06892 Acquisition/Sale of Assets or Services Preventive
    Conduct an acquisition feasibility study prior to acquiring assets. CC ID 01129
    [With respect to design objectives, determine whether management does the following: Evaluates its needs and considers: Establishment of processes to evaluate and procure technology. App A Objective 12:4b Bullet 4]
    Acquisition/Sale of Assets or Services Detective
    Include a Business Impact Analysis in the acquisition feasibility study. CC ID 16231 Acquisition/Sale of Assets or Services Preventive
    Include environmental considerations in the acquisition feasibility study. CC ID 16224 Acquisition/Sale of Assets or Services Preventive
    Conduct a risk assessment to determine operational risks as a part of the acquisition feasibility study. CC ID 01135 Testing Detective
    Refrain from implementing systems that are beyond the organization's risk acceptance level. CC ID 13054 Acquisition/Sale of Assets or Services Preventive
    Approve the risk assessment report of operational risks as a part of the acquisition feasibility study. CC ID 11666 Technical Security Preventive
    Establish test environments separate from the production environment to support feasibility testing before product acquisition. CC ID 01130 Configuration Preventive
    Establish test environments separate from the production environment to support integration testing before product acquisition. CC ID 11668 Testing Detective
    Analyze the proposed Information Architecture as it pertains to acquisition feasibility. CC ID 01132 Acquisition/Sale of Assets or Services Detective
    Establish, implement, and maintain a product and services acquisition program. CC ID 01136
    [With respect to design objectives, determine whether management does the following: Evaluates its needs and considers: Establishment of processes to evaluate and procure technology. App A Objective 12:4b Bullet 4]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a product and services acquisition policy. CC ID 14028 Establish/Maintain Documentation Preventive
    Obtain authorization for marketing new products. CC ID 16805 Business Processes Preventive
    Include compliance requirements in the product and services acquisition policy. CC ID 14163 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the product and services acquisition policy. CC ID 14162 Establish/Maintain Documentation Preventive
    Include management commitment in the product and services acquisition policy. CC ID 14161 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the product and services acquisition policy. CC ID 14160 Establish/Maintain Documentation Preventive
    Include the scope in the product and services acquisition policy. CC ID 14159 Establish/Maintain Documentation Preventive
    Include the purpose in the product and services acquisition policy. CC ID 14158 Establish/Maintain Documentation Preventive
    Disseminate and communicate the product and services acquisition policy to interested personnel and affected parties. CC ID 14157 Communicate Preventive
    Establish, implement, and maintain product and services acquisition procedures. CC ID 14065 Establish/Maintain Documentation Preventive
    Disseminate and communicate the product and services acquisition procedures to interested personnel and affected parties. CC ID 14152 Communicate Preventive
    Establish, implement, and maintain acquisition approval requirements. CC ID 13704 Establish/Maintain Documentation Preventive
    Disseminate and communicate acquisition approval requirements to all affected parties. CC ID 13706 Communicate Preventive
    Include preventive maintenance contracts in system acquisition contracts. CC ID 06658
    [Evaluate whether the following is effective: For equipment owned or leased from a third party, management obtains a separate agreement to manage maintenance. The agreement includes: App A Objective 15:1e
    For equipment owned or leased from a third party, management obtains a separate agreement to manage maintenance. The agreement includes: Provisions for repair services. App A Objective 15:1e Bullet 2
    {timely manner} Evaluate whether the following is effective: If there is an arrangement with a contractor to manage the entity's preventive maintenance and repair services, the contract or agreement guarantees timely performance of maintenance. App A Objective 15:1g
    For equipment owned or leased from a third party, management obtains a separate agreement to manage maintenance. The agreement includes: Preventive maintenance to be performed. App A Objective 15:1e Bullet 1]
    Establish/Maintain Documentation Preventive
    Prohibit the use of Personal Electronic Devices, absent approval. CC ID 04599 Behavior Detective
    Sign a forfeiture statement acknowledging unapproved Personal Electronic Devices will be confiscated. CC ID 11667 Physical and Environmental Protection Preventive
    Include chain of custody procedures in the product and services acquisition program. CC ID 10058 Acquisition/Sale of Assets or Services Preventive
    Review and update the acquisition contracts, as necessary. CC ID 14279 Acquisition/Sale of Assets or Services Corrective
    Establish, implement, and maintain a software product acquisition methodology. CC ID 01138
    [{be internal}{be appropriate} This examination procedure may be performed in coordination with related examination procedures in the "Development and Acquisition" booklet. Determine whether management appropriately chooses software (e.g., to meet the entity's infrastructure and operational requirements) and considers whether to develop software internally or obtain it from a third party. App A Objective 13:5]
    Establish/Maintain Documentation Preventive
    Align the service management program with the Code of Conduct. CC ID 14211 Establish/Maintain Documentation Preventive
    Store source code documentation in escrow by an independent third party. CC ID 01139 Testing Detective
    Review software licensing agreements to ensure compliance. CC ID 01140 Establish/Maintain Documentation Detective
    Establish, implement, and maintain third party Software Maintenance Agreements. CC ID 01143 Establish/Maintain Documentation Preventive
    Establish and maintain a register of approved third parties, technologies and tools. CC ID 06836
    [Hardware inventory process that does the following: Identifies equipment owned and managed by third parties on the entity's behalf. App A Objective 4:3a Bullet 2
    {third party storage solution} Determine whether management considers risks related to exchange files and implements effective mitigation, such as the following: Implementation of appropriate operational controls, such as: Use of only a trusted provider for third-party file exchange and storage solutions. App A Objective 11:1e Bullet 3]
    Establish/Maintain Documentation Preventive
    Install software that originates from approved third parties. CC ID 12184 Technical Security Preventive
    Establish, implement, and maintain facilities, assets, and services acceptance procedures. CC ID 01144
    [Regardless of the type of externally developed software selected, determine whether management performed the following: Approved the selected software's use and determined that it met the entity's infrastructure requirements and strategic objectives. App A Objective 13:5c Bullet 1
    With respect to specific software types, determine whether management does the following: For open source software: Evaluates open source software components during software due diligence. App A Objective 13:6g Bullet 4]
    Establish/Maintain Documentation Preventive
    Test new hardware or upgraded hardware and software against predefined performance requirements. CC ID 06740 Testing Detective
    Test new hardware or upgraded hardware and software for error recovery and restart procedures. CC ID 06741 Testing Detective
    Follow the system's operating procedures when testing new hardware or upgraded hardware and software. CC ID 06742 Testing Detective
    Test new hardware or upgraded hardware and software for implementation of security controls. CC ID 06743
    [Determine whether management appropriately considers the uses and risks of data analytics and performs the following: Incorporates confidentiality, integrity, and availability when designing or selecting analytics tools. App A Objective 3:9b]
    Testing Detective
    Test new software or upgraded software for security vulnerabilities. CC ID 01898 Testing Detective
    Test new software or upgraded software for compatibility with the current system. CC ID 11654
    [With externally developed software, evaluate whether management performed the following: Determined whether COTS software meets the entity's needs and security requirements or if it will integrate with existing software and require further configuration. App A Objective 13:5b Bullet 1
    With externally developed software, evaluate whether management performed the following: Determined whether custom software was designed to integrate with the existing enterprise software, hardware, and data, and whether management considered issues related to obsolescence, patching, and availability of expertise. App A Objective 13:5b Bullet 2]
    Testing Detective
    Test new hardware or upgraded hardware for compatibility with the current system. CC ID 11655 Testing Detective
    Test new hardware or upgraded hardware for security vulnerabilities. CC ID 01899 Testing Detective
    Test new hardware or upgraded hardware and software for implementation of predefined continuity arrangements. CC ID 06744 Testing Detective
    Correct defective acquired goods or services. CC ID 06911 Acquisition/Sale of Assets or Services Corrective
    Authorize new assets prior to putting them into the production environment. CC ID 13530
    [Regardless of the type of externally developed software selected, determine whether management performed the following: Approved the selected software's use and determined that it met the entity's infrastructure requirements and strategic objectives. App A Objective 13:5c Bullet 1]
    Process or Activity Preventive
  • Audits and risk management
    551
    Audits and risk management CC ID 00677 IT Impact Zone IT Impact Zone
    Define the roles and responsibilities for personnel assigned to tasks in the Audit function. CC ID 00678 Establish Roles Preventive
    Define and assign the external auditor's roles and responsibilities. CC ID 00683 Establish Roles Preventive
    Engage auditors who have adequate knowledge of the subject matter. CC ID 07102
    [Evaluate the appropriateness of the following: Qualifications, training, and experience of auditor (or independent reviewer) in reviewing the functions and activities of AIO. App A Objective 2:11b]
    Audits and Risk Management Preventive
    Retain copies of external auditor outsourcing contracts and engagement letters. CC ID 01188 Establish/Maintain Documentation Preventive
    Include the scope and work to be performed in external auditor outsourcing contracts. CC ID 01190 Establish/Maintain Documentation Preventive
    Review the conclusions of the external auditor's work papers and audit reports. CC ID 01200
    [Review preliminary conclusions with the examiner-in-charge regarding the following: App A Objective 18:1
    {URSIT composite rating} Review preliminary conclusions with the examiner-in-charge regarding the following: Proposed Uniform Rating System for IT (URSIT) support and delivery component rating and the potential impact of the examiner's conclusions on composite or other URSIT component ratings. App A Objective 18:1c]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an audit program. CC ID 00684
    [The board and senior management should engage internal audit or other independent personnel or third parties to review AIO functions and activities and validate effectiveness of controls. Effective AIO auditing assists the board and senior management with oversight, helps verify compliance with applicable laws and regulations, and helps ensure adherence to contractual agreements and entity policies, standards, and procedures to mitigate risks. II.D Action Summary ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain audit policies. CC ID 13166 Establish/Maintain Documentation Preventive
    Assign the audit to impartial auditors. CC ID 07118
    [Evaluate the appropriateness of the following: Independence of auditor from the AIO functions and activities being reviewed. App A Objective 2:11c
    Examiners should review for the following: Independence of AIO-related audits or other reviews. II.D Action Summary ¶ 2 Bullet 1]
    Establish Roles Preventive
    Exercise due professional care during the planning and performance of the audit. CC ID 07119 Behavior Preventive
    Include resource requirements in the audit program. CC ID 15237 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit program. CC ID 15236 Establish/Maintain Documentation Preventive
    Include provisions for legislative plurality and legislative domain in the audit program. CC ID 06959 Audits and Risk Management Preventive
    Establish and maintain audit terms. CC ID 13880
    [Examiners should review for the following: Appropriate scope and detail of AIO-related audits or other reviews. II.D Action Summary ¶ 2 Bullet 2]
    Establish/Maintain Documentation Preventive
    Refrain from approving changes to the audit terms absent reasonable justification. CC ID 13973 Process or Activity Preventive
    Include a statement about the inherent limitations of the audit in the audit terms. CC ID 13883 Establish/Maintain Documentation Preventive
    Include a statement that the audit will be conducted in accordance with attestation standards in the audit terms. CC ID 13882 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain agreed upon procedures that are in scope for the audit. CC ID 13893 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an in scope system description. CC ID 14873 Establish/Maintain Documentation Preventive
    Include in scope procedures in the audit assertion's in scope system description. CC ID 16551 Audits and Risk Management Preventive
    Include roles and responsibilities in the audit assertion's in scope system description. CC ID 16558 Audits and Risk Management Preventive
    Include the audit criteria in the audit assertion's in scope system description. CC ID 16548 Audits and Risk Management Preventive
    Include third party data in the audit assertion's in scope system description. CC ID 16554 Audits and Risk Management Preventive
    Include third party personnel in the audit assertion's in scope system description. CC ID 16552 Audits and Risk Management Preventive
    Include compliance requirements in the audit assertion's in scope system description. CC ID 16506 Audits and Risk Management Preventive
    Include third party assets in the audit assertion's in scope system description. CC ID 16550 Audits and Risk Management Preventive
    Include third party services in the audit assertion's in scope system description. CC ID 16503 Establish/Maintain Documentation Preventive
    Include monitoring controls in the audit assertion's in scope system description. CC ID 16501 Establish/Maintain Documentation Preventive
    Include availability commitments in the audit assertion's in scope system description. CC ID 14914 Establish/Maintain Documentation Preventive
    Include deviations and the corrective actions taken in the audit assertion's in scope system description. CC ID 16549 Audits and Risk Management Preventive
    Include changes in the audit assertion's in scope system description. CC ID 14894 Establish/Maintain Documentation Preventive
    Include external communications in the audit assertion's in scope system description. CC ID 14913 Establish/Maintain Documentation Preventive
    Include a section regarding incidents related to the system in the audit assertion’s in scope system description. CC ID 14878 Establish/Maintain Documentation Preventive
    Include the function performed by the in scope system in the audit assertion's in scope system description. CC ID 14911 Establish/Maintain Documentation Preventive
    Include the disposition of the incident in the audit assertion's in scope system description. CC ID 14896 Establish/Maintain Documentation Preventive
    Include the extent of the incident in the audit assertion's in scope system description. CC ID 14895 Establish/Maintain Documentation Preventive
    Include the timing of each incident in the audit assertion's in scope system description. CC ID 14891 Establish/Maintain Documentation Preventive
    Include the nature of each incident in the audit assertion's in scope system description. CC ID 14889 Establish/Maintain Documentation Preventive
    Include a section regarding in scope controls related to the system in the audit assertion's in scope system description. CC ID 14897 Establish/Maintain Documentation Preventive
    Include how the in scope system meets external requirements in the audit assertion's in scope system description. CC ID 16502 Establish/Maintain Documentation Preventive
    Include the timing of each control in the audit assertion's in scope system description. CC ID 14916 Establish/Maintain Documentation Preventive
    Include the nature of the control in the audit assertion's in scope system description. CC ID 14910 Establish/Maintain Documentation Preventive
    Include the information sources used in performing the control in the audit assertion's in scope system description. CC ID 14909 Establish/Maintain Documentation Preventive
    Include the responsible party for performing the control in the audit assertion's in scope system description. CC ID 14907 Establish/Maintain Documentation Preventive
    Include the subject matter to which the control is applied in the audit assertion's in scope system description. CC ID 14904 Establish/Maintain Documentation Preventive
    Refrain from omitting or distorting information in the audit assertion's in scope system description. CC ID 14893 Establish/Maintain Documentation Preventive
    Include the timing of each change in the audit assertion's in scope system description. CC ID 14892 Establish/Maintain Documentation Preventive
    Include the system boundaries in the audit assertion's in scope system description. CC ID 14887 Establish/Maintain Documentation Preventive
    Determine the presentation method of the audit assertion's in scope system description. CC ID 14885 Establish/Maintain Documentation Detective
    Include the time frame covered by the description in the audit assertion's in scope system description. CC ID 14884 Establish/Maintain Documentation Preventive
    Include commitments to third parties in the audit assertion. CC ID 14899 Establish/Maintain Documentation Preventive
    Determine the completeness of the audit assertion's in scope system description. CC ID 14883 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit assertion's in scope system description. CC ID 16449 Audits and Risk Management Detective
    Include system requirements in the audit assertion's in scope system description. CC ID 14881 Establish/Maintain Documentation Preventive
    Include third party controls in the audit assertion's in scope system description. CC ID 14880 Establish/Maintain Documentation Preventive
    Hold an opening meeting with interested personnel and affected parties prior to an audit. CC ID 15256 Audits and Risk Management Preventive
    Identify personnel who should attend the closing meeting. CC ID 15261 Business Processes Preventive
    Confirm audit requirements during the opening meeting. CC ID 15255 Audits and Risk Management Detective
    Include discussions about how particular situations will be handled in the opening meeting. CC ID 15254 Audits and Risk Management Preventive
    Include agreement to the audit scope and audit terms in the audit program. CC ID 06965
    [Determine the appropriate scope and objectives for the examination. App A Objective 1]
    Establish/Maintain Documentation Preventive
    Establish and maintain a bespoke audit scope for each audit being performed. CC ID 13077
    [Evaluate the appropriateness of the following: Reports to the board and senior management containing the results of audits or other independent reviews and an assessment of management's ability to oversee the entity's AIO functions and activities. Validate whether the review scope and frequency are appropriate for the complexity of the entity's AIO functions. App A Objective 2:11d
    Examiners should review for the following: Appropriate scope and detail of AIO-related audits or other reviews. II.D Action Summary ¶ 2 Bullet 2]
    Establish/Maintain Documentation Preventive
    Include third party assets in the audit scope. CC ID 16504 Audits and Risk Management Preventive
    Include audit subject matter in the audit program. CC ID 07103
    [Determine the appropriate scope and objectives for the examination. App A Objective 1]
    Establish/Maintain Documentation Preventive
    Examine the availability of the audit criteria in the audit program. CC ID 16520 Investigate Preventive
    Examine the objectivity of the audit criteria in the audit program. CC ID 07104 Establish/Maintain Documentation Preventive
    Examine the measurability of the audit criteria in the audit program. CC ID 07105 Establish/Maintain Documentation Preventive
    Examine the completeness of the audit criteria in the audit program. CC ID 07106 Establish/Maintain Documentation Preventive
    Examine the relevance of the audit criteria in the audit program. CC ID 07107 Establish/Maintain Documentation Preventive
    Determine the appropriateness of the audit subject matter. CC ID 16505 Audits and Risk Management Preventive
    Disseminate and communicate the audit program with the audit subject matter and audit criteria to all interested personnel and affected parties. CC ID 07116 Establish/Maintain Documentation Preventive
    Include the in scope material or in scope products in the audit program. CC ID 08961 Audits and Risk Management Preventive
    Include in scope information in the audit program. CC ID 16198 Establish/Maintain Documentation Preventive
    Include the out of scope material or out of scope products in the audit program. CC ID 08962 Establish/Maintain Documentation Preventive
    Provide a representation letter in support of the audit assertion. CC ID 07158 Establish/Maintain Documentation Preventive
    Include the date of the audit in the representation letter. CC ID 16517 Audits and Risk Management Preventive
    Include a statement that management has evaluated compliance with external requirements in the representation letter. CC ID 13942 Establish/Maintain Documentation Preventive
    Include a statement that the assumptions used for estimates are reasonable in the representation letter. CC ID 13934 Establish/Maintain Documentation Preventive
    Include a statement that uncorrected misstatements are believed to be immaterial in the representation letter. CC ID 13884 Establish/Maintain Documentation Preventive
    Include a statement that system incidents have been disclosed to the auditor in the representation letter. CC ID 16772 Establish/Maintain Documentation Preventive
    Include a statement that incidents of fraud and non-compliance have been disclosed to the auditor in the representation letter. CC ID 16769 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for the subject matter in the representation letter. CC ID 07159 Establish/Maintain Documentation Preventive
    Include a statement of responsibility for selecting the audit criteria in the representation letter. CC ID 07160 Establish/Maintain Documentation Preventive
    Include a statement of responsibility regarding the appropriateness of the audit criteria in the representation letter. CC ID 07161 Establish/Maintain Documentation Preventive
    Include an assertion about the subject matter based on the selected audit criteria in the representation letter. CC ID 07162 Establish/Maintain Documentation Preventive
    Include a statement that all known matters contradicting the audit assertion have been disclosed to the auditor in the representation letter. CC ID 07163 Establish/Maintain Documentation Preventive
    Include the availability of all in scope records relevant to the subject matter in the representation letter. CC ID 07164 Establish/Maintain Documentation Preventive
    Include a statement that any known subsequent events have been disclosed to the auditor in the representation letter. CC ID 07165 Establish/Maintain Documentation Preventive
    Include a statement that deficiencies in internal controls have been disclosed to the auditor in the representation letter. CC ID 13899 Establish/Maintain Documentation Preventive
    Establish and maintain audit assertions, as necessary. CC ID 14871 Establish/Maintain Documentation Detective
    Include an in scope system description in the audit assertion. CC ID 14872 Establish/Maintain Documentation Preventive
    Include any assumptions that are improbable in the audit assertion. CC ID 13950 Establish/Maintain Documentation Preventive
    Include how the audit scope matches in scope controls in the audit assertion. CC ID 06969 Establish/Maintain Documentation Preventive
    Include why specific criteria are ignored by in scope controls in the audit assertion. CC ID 07027 Establish/Maintain Documentation Preventive
    Include how the in scope system is designed and implemented in the audit assertion. CC ID 06970 Establish/Maintain Documentation Preventive
    Include the responsible party's opinion of the quality of the evidence in the audit assertion. CC ID 13949 Establish/Maintain Documentation Preventive
    Include the end users and affected parties of the in scope system in the audit assertion. CC ID 07028 Establish/Maintain Documentation Preventive
    Include the in scope services offered or in scope transactions processed in the audit assertion. CC ID 06971 Establish/Maintain Documentation Preventive
    Include the in scope procedures in the audit assertion. CC ID 06972 Establish/Maintain Documentation Preventive
    Include the in scope records produced in the audit assertion. CC ID 06968 Establish/Maintain Documentation Preventive
    Include how in scope material events are monitored and logged in the audit assertion. CC ID 06973 Establish/Maintain Documentation Preventive
    Include any in scope material events that might affect the assertion in the audit assertion. CC ID 06991 Establish/Maintain Documentation Preventive
    Include the in scope controls and compliance documents in the audit assertion. CC ID 06974 Establish/Maintain Documentation Preventive
    Include the in scope risk assessment processes in the audit assertion. CC ID 06975 Establish/Maintain Documentation Preventive
    Include in scope change controls in the audit assertion. CC ID 06976 Establish/Maintain Documentation Preventive
    Include any in scope uncorrected errors or non-compliance issues in the audit assertion. CC ID 06989 Establish/Maintain Documentation Preventive
    Disseminate and communicate a written audit assertion of the audit scope and audit terms to interested personnel and affected parties. CC ID 06967 Establish/Maintain Documentation Preventive
    Include the scope for the desired level of assurance in the audit program. CC ID 12793 Communicate Preventive
    Include conditions that might require modification of the audit program in the audit terms. CC ID 07149 Establish/Maintain Documentation Preventive
    Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms. CC ID 06988 Establish/Maintain Documentation Preventive
    Include the criteria for determining the desired level of assurance in the audit program. CC ID 12795 Audits and Risk Management Preventive
    Establish, implement, and maintain procedures for determining the desired level of assurance in the audit program. CC ID 12794 Establish/Maintain Documentation Preventive
    Include the expectations for the audit report in the audit terms. CC ID 07148 Establish/Maintain Documentation Preventive
    Establish and maintain a practitioner’s report on management’s assertions, as necessary. CC ID 13888 Establish/Maintain Documentation Preventive
    Refrain from changing the date of the practitioner's report on agreed-upon procedures when reissuing it. CC ID 13896 Establish/Maintain Documentation Corrective
    Hold a closing meeting following an audit to present audit findings and conclusions. CC ID 15248 Communicate Preventive
    Include materiality levels in the audit terms. CC ID 01238 Establish/Maintain Documentation Preventive
    Include material changes in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01239
    [{new service} Interview management and review responses to pre-examination information requests to identify changes to the entity's technology related to new products and services that could affect the areas of review within AIO. Consider the following to identify changes: App A Objective 1:3]
    Establish/Maintain Documentation Preventive
    Include material weaknesses, material failures, and material errors in information processes, Information Systems, and assets that could affect audits in the audit terms. CC ID 01240 Establish/Maintain Documentation Preventive
    Schedule attestation engagement meetings with interested personnel and affected parties, as necessary. CC ID 15263 Business Processes Preventive
    Refrain from performing an attestation engagement under defined conditions. CC ID 13952 Audits and Risk Management Detective
    Refrain from accepting an attestation engagement when the engaging party refuses to sign the engagement letter. CC ID 14912 Business Processes Preventive
    Refrain from accepting an attestation engagement unless the prospective financial information includes a summary of significant assumptions. CC ID 13954 Behavior Preventive
    Refrain from accepting an attestation engagement when all parties disagree on the procedures. CC ID 13951 Audits and Risk Management Preventive
    Accept the attestation engagement when all preconditions are met. CC ID 13933 Business Processes Preventive
    Audit in scope audit items and compliance documents. CC ID 06730
    [Determine whether the entity's risk management processes include the following governance mechanisms: Internal audit, independent reviews, and certifications. App A Objective 2:1f
    With respect to design objectives, determine whether management does the following: Includes the following aspects in its architecture design: Auditability. App A Objective 12:4c Bullet 10
    The board and senior management should engage internal audit or other independent personnel or third parties to review AIO functions and activities and validate effectiveness of controls. Effective AIO auditing assists the board and senior management with oversight, helps verify compliance with applicable laws and regulations, and helps ensure adherence to contractual agreements and entity policies, standards, and procedures to mitigate risks. II.D Action Summary ¶ 1]
    Audits and Risk Management Preventive
    Collect all work papers for the audit and audit report into an engagement file. CC ID 07001 Actionable Reports or Measurements Preventive
    Document any after the fact changes to the engagement file. CC ID 07002 Establish/Maintain Documentation Preventive
    Protect access to the engagement file and all associated audit documentation in compliance with Authority Documents the organization must follow. CC ID 07179 Establish/Maintain Documentation Preventive
    Disclose work papers in the engagement file in compliance with legal requirements. CC ID 07180 Establish/Maintain Documentation Preventive
    Archive the engagement file and all work papers for the period prescribed by law or contract. CC ID 10038 Records Management Preventive
    Conduct onsite inspections, as necessary. CC ID 16199 Testing Preventive
    Identify hypothetical assumptions in forecasts and projections during an audit. CC ID 13946 Audits and Risk Management Detective
    Refrain from examining forecasts and projections which refrain from disclosing assumptions during an audit. CC ID 13932 Audits and Risk Management Detective
    Audit policies, standards, and procedures. CC ID 12927
    [Determine whether the board and senior management engage qualified audit or use other independent review functions to assess the AIO design, implementation, and operational effectiveness, including the adequacy of policies and procedures and the effectiveness of controls. Evaluate the appropriateness of the following: App A Objective 2:11]
    Audits and Risk Management Preventive
    Audit cybersecurity risk management within the policies, standards, and procedures of the organization. CC ID 13011 Investigate Detective
    Audit information systems, as necessary. CC ID 13010
    [With respect to specific software types, determine whether management does the following: For mainframe security software: Verifies mainframe security auditing (e.g., regular review and validation of security controls, privileges, roles, and access profiles). App A Objective 13:6h Bullet 7]
    Investigate Detective
    Audit the potential costs of compromise to information systems. CC ID 13012 Investigate Detective
    Determine the accurateness of the audit assertion's in scope system description. CC ID 06979 Testing Detective
    Determine if the in scope system has been implemented as described in the audit assertion. CC ID 06983 Testing Detective
    Investigate the nature and causes of misstatements in the audit assertion's in scope system description. CC ID 16557 Audits and Risk Management Detective
    Determine the effect of fraud and non-compliance on the description of the system in the audit assertion, as necessary. CC ID 13977 Process or Activity Detective
    Edit the audit assertion for accuracy. CC ID 07030 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope procedures are accurately documented. CC ID 06982 Establish/Maintain Documentation Preventive
    Determine if the audit assertion's in scope controls are reasonable. CC ID 06980
    [Determine whether the board and senior management engage qualified audit or use other independent review functions to assess the AIO design, implementation, and operational effectiveness, including the adequacy of policies and procedures and the effectiveness of controls. Evaluate the appropriateness of the following: App A Objective 2:11]
    Testing Detective
    Determine the effect of fraud and non-compliance on the achievement of in scope controls in the audit assertion, as necessary. CC ID 13978 Process or Activity Detective
    Document test plans for auditing in scope controls. CC ID 06985 Testing Detective
    Determine the implementation status of the audit assertion's in scope controls. CC ID 06981
    [Determine whether the board and senior management engage qualified audit or use other independent review functions to assess the AIO design, implementation, and operational effectiveness, including the adequacy of policies and procedures and the effectiveness of controls. Evaluate the appropriateness of the following: App A Objective 2:11]
    Testing Detective
    Determine the effectiveness of in scope controls. CC ID 06984
    [Determine whether the board and senior management engage qualified audit or use other independent review functions to assess the AIO design, implementation, and operational effectiveness, including the adequacy of policies and procedures and the effectiveness of controls. Evaluate the appropriateness of the following: App A Objective 2:11
    The board and senior management should engage internal audit or other independent personnel or third parties to review AIO functions and activities and validate effectiveness of controls. Effective AIO auditing assists the board and senior management with oversight, helps verify compliance with applicable laws and regulations, and helps ensure adherence to contractual agreements and entity policies, standards, and procedures to mitigate risks. II.D Action Summary ¶ 1
    Management should develop processes to oversee operations functions, evaluate the effectiveness of controls, and identify opportunities for improvement. VI.D Action Summary ¶ 1
    Management develops processes to oversee operations functions, evaluate the effectiveness of controls, and identify opportunities for improvement. (VI.D, "Ongoing Monitoring and Evaluation Processes") App A Objective 17]
    Testing Detective
    Review incident management audit logs to determine the effectiveness of in scope controls. CC ID 12157 Audits and Risk Management Detective
    Review audit reports to determine the effectiveness of in scope controls. CC ID 12156 Audits and Risk Management Detective
    Observe processes to determine the effectiveness of in scope controls. CC ID 12155 Audits and Risk Management Detective
    Interview stakeholders to determine the effectiveness of in scope controls. CC ID 12154 Audits and Risk Management Detective
    Review documentation to determine the effectiveness of in scope controls. CC ID 16522 Process or Activity Preventive
    Review policies and procedures to determine the effectiveness of in scope controls. CC ID 12144 Audits and Risk Management Detective
    Evaluate personnel status changes to determine the effectiveness of in scope controls. CC ID 16556 Audits and Risk Management Detective
    Determine whether individuals performing a control have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 16555 Audits and Risk Management Detective
    Determine any errors or material omissions in the audit assertion that affect in scope control implementations. CC ID 06990 Testing Detective
    Include the process of using evidential matter to test in scope controls in the test plan. CC ID 06996 Establish/Maintain Documentation Preventive
    Audit the in scope system according to the test plan using relevant evidence. CC ID 07112 Testing Preventive
    Implement procedures that collect sufficient audit evidence. CC ID 07153 Audits and Risk Management Preventive
    Collect evidence about the in scope audit items of the audit assertion. CC ID 07154 Audits and Risk Management Preventive
    Collect audit evidence sufficient to avoid misstatements. CC ID 07155 Audits and Risk Management Preventive
    Collect audit evidence at the level of the organization's competence in the subject matter. CC ID 07156 Audits and Risk Management Preventive
    Collect audit evidence sufficient to overcome inadequacies in the organization's attestation. CC ID 07157 Audits and Risk Management Preventive
    Provide transactional walkthrough procedures for external auditors. CC ID 00672 Testing Preventive
    Establish, implement, and maintain interview procedures. CC ID 16282 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the interview procedures. CC ID 16297 Human Resources Management Preventive
    Coordinate the scheduling of interviews. CC ID 16293 Process or Activity Preventive
    Create a schedule for the interviews. CC ID 16292 Process or Activity Preventive
    Identify interviewees. CC ID 16290 Process or Activity Preventive
    Conduct interviews, as necessary. CC ID 07188 Testing Detective
    Verify statements made by interviewees are correct. CC ID 16299 Behavior Detective
    Discuss unsolved questions with the interviewee. CC ID 16298 Process or Activity Detective
    Allow interviewee to respond to explanations. CC ID 16296 Process or Activity Detective
    Explain the requirements being discussed to the interviewee. CC ID 16294 Process or Activity Detective
    Explain the goals of the interview to the interviewee. CC ID 07189 Behavior Detective
    Explain the testing results to the interviewee. CC ID 16291 Process or Activity Preventive
    Withdraw from the audit, when defined conditions exist. CC ID 13885 Process or Activity Corrective
    Establish and maintain work papers, as necessary. CC ID 13891 Establish/Maintain Documentation Preventive
    Include the auditor's conclusions on work performed by individuals assigned to the audit in the work papers. CC ID 16775 Establish/Maintain Documentation Preventive
    Include audit irregularities in the work papers. CC ID 16774 Establish/Maintain Documentation Preventive
    Include corrective actions in the work papers. CC ID 16771 Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the work papers. CC ID 16770 Establish/Maintain Documentation Preventive
    Include discussions with interested personnel and affected parties in the work papers. CC ID 16768 Establish/Maintain Documentation Preventive
    Include justification for departing from mandatory requirements in the work papers. CC ID 13935 Establish/Maintain Documentation Preventive
    Include audit evidence obtained from previous engagements in the work papers. CC ID 16518 Audits and Risk Management Preventive
    Include the reviewer, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06998 Establish/Maintain Documentation Preventive
    Include the tests, examinations, interviews and observations performed during the audit in the work papers. CC ID 07190 Establish/Maintain Documentation Preventive
    Include if any subject matter experts or additional research had to be undertaken to test in scope controls in the work papers. CC ID 07026 Establish/Maintain Documentation Preventive
    Include the tester, and dates, for using evidential matter to test in scope controls in the work papers. CC ID 06997 Establish/Maintain Documentation Preventive
    Include if the audit evidence has identified in scope control deficiencies in the work papers. CC ID 07152 Audits and Risk Management Detective
    Include any subsequent events related to the audit assertion or audit subject matter in the work papers. CC ID 07177 Audits and Risk Management Preventive
    Include if in scope control deviations allow in scope controls to be performed acceptably in the work papers. CC ID 06987 Testing Detective
    Include the causes of identified in scope control deficiencies in the work papers. CC ID 07000 Establish/Maintain Documentation Preventive
    Include discussions regarding the causes of identified in scope control deficiencies in the work papers. CC ID 06999 Establish/Maintain Documentation Preventive
    Investigate the nature and causes of identified in scope control deviations. CC ID 06986
    [Additionally, evaluate whether management does the following: Sets KPI benchmarks to achieve and analyzes deviations from those benchmarks. App A Objective 17:2b]
    Testing Detective
    Supervise interested personnel and affected parties participating in the audit. CC ID 07150 Monitor and Evaluate Occurrences Preventive
    Notify interested personnel and affected parties participating in the audit of their roles and responsibilities during the audit. CC ID 07151 Establish Roles Preventive
    Respond to questions or clarification requests regarding the audit. CC ID 08902 Business Processes Preventive
    Track and measure the implementation of the organizational compliance framework. CC ID 06445
    [Evaluate whether management does the following: Maintains a process to measure the results of continuous improvement efforts and includes the following: App A Objective 17:4c]
    Monitor and Evaluate Occurrences Preventive
    Review the need for organizational efficiency as balanced against the needs of compliance and security. CC ID 07111 Business Processes Preventive
    Engage subject matter experts when the auditor requires additional expertise during an attestation engagement, as necessary. CC ID 13971 Process or Activity Preventive
    Review the subject matter expert's findings. CC ID 16559 Audits and Risk Management Detective
    Establish, implement, and maintain a practitioner’s report on agreed-upon procedures. CC ID 13894 Establish/Maintain Documentation Preventive
    Provide auditors access to all in scope records, in scope assets, personnel and in scope procedures. CC ID 06966 Audits and Risk Management Preventive
    Permit assessment teams to conduct audits, as necessary. CC ID 16430 Investigate Detective
    Provide auditors access to affected parties during the audit, as necessary. CC ID 07187 Business Processes Preventive
    Solve any access problems auditors encounter during the audit. CC ID 08959 Audits and Risk Management Corrective
    Notify interested personnel and affected parties when an auditee refuses to provide access or participate in the audit. CC ID 08960 Audits and Risk Management Preventive
    Establish and maintain a practitioner's examination report on pro forma financial information. CC ID 13968 Establish/Maintain Documentation Preventive
    Include references to where financial information was derived in the practitioner's review report on pro forma financial information. CC ID 13982 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements used were audited by other practitioners in the practitioner's examination report on pro forma financial information, as necessary. CC ID 13981 Establish/Maintain Documentation Preventive
    Establish and maintain organizational audit reports. CC ID 06731
    [{independent assurance report}{be independent}Review past reports for outstanding issues or previous problems. Consider the following: Independent assurance and security reports (e.g., penetration tests and vulnerability assessments) and internal reports that self-identify concerns related to AIO issues. App A Objective 1:1d]
    Establish/Maintain Documentation Preventive
    Determine what disclosures are required in the audit report. CC ID 14888 Establish/Maintain Documentation Detective
    Include audit subject matter in the audit report. CC ID 14882 Establish/Maintain Documentation Preventive
    Include an other-matter paragraph in the audit report. CC ID 14901 Establish/Maintain Documentation Preventive
    Identify the audit team members in the audit report. CC ID 15259 Human Resources Management Detective
    Write the audit report using clear and conspicuous language. CC ID 13948 Establish/Maintain Documentation Preventive
    Include a statement that the sufficiency of the agreed upon procedures is the responsibility of the specified parties in the audit report. CC ID 13936 Establish/Maintain Documentation Preventive
    Include a statement that the financial statements were audited in the audit report. CC ID 13963 Establish/Maintain Documentation Preventive
    Include the criteria that financial information was measured against in the audit report. CC ID 13966 Establish/Maintain Documentation Preventive
    Include a description of the financial information being reported on in the audit report. CC ID 13965 Establish/Maintain Documentation Preventive
    Include references to any adjustments of financial information in the audit report. CC ID 13964 Establish/Maintain Documentation Preventive
    Include in the audit report that audit opinions are not dependent on references to subject matter experts, as necessary. CC ID 13953 Establish/Maintain Documentation Preventive
    Include references to historical financial information used in the audit report. CC ID 13961 Establish/Maintain Documentation Preventive
    Include a statement about the inherent limitations of the audit in the audit report. CC ID 14900 Establish/Maintain Documentation Preventive
    Include a description of the limitations on the usefulness of hypothetical assumptions in the audit report. CC ID 13958 Establish/Maintain Documentation Preventive
    Include the word independent in the title of audit reports. CC ID 07003 Actionable Reports or Measurements Preventive
    Include the date of the audit in the audit report. CC ID 07024 Actionable Reports or Measurements Preventive
    Structure the audit report to be in the form of procedures and findings. CC ID 13940
    [Organize work papers to show clear support for significant findings by examination objective. App A Objective 18:4]
    Establish/Maintain Documentation Preventive
    Include information about the organization being audited and the auditor performing the audit in the audit report. CC ID 07004 Actionable Reports or Measurements Preventive
    Include any discussions of significant findings in the audit report. CC ID 13955 Establish/Maintain Documentation Preventive
    Include the date and with whom discussions about significant findings took place in the audit report. CC ID 13962 Establish/Maintain Documentation Preventive
    Include the audit criteria in the audit report. CC ID 13945 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that the agreed upon procedures were potentially insufficient in identifying material risks, as necessary. CC ID 13957 Establish/Maintain Documentation Preventive
    Include all hypothetical assumptions in the audit report. CC ID 13947 Establish/Maintain Documentation Preventive
    Include a statement that access to the report is restricted based on least privilege in the audit report. CC ID 07023 Actionable Reports or Measurements Preventive
    Include a statement that identifies the distribution list for the report in the audit report. CC ID 07172 Establish/Maintain Documentation Preventive
    Include a statement that identifies the use restrictions for the report in the audit report. CC ID 07173 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures involves collecting evidence in the audit report. CC ID 13956 Establish/Maintain Documentation Preventive
    Include all of the facts and demonstrated plausibility in the audit report. CC ID 08929 Establish/Maintain Documentation Preventive
    Include a statement that the agreed upon procedures were performed by all parties in the audit report. CC ID 13931 Establish/Maintain Documentation Preventive
    Include references to subject matter experts in the audit report when citing qualified opinions. CC ID 13929 Establish/Maintain Documentation Preventive
    Include a description of the assistance provided by Subject Matter Experts in the audit report. CC ID 13939 Establish/Maintain Documentation Preventive
    Include a review of the subject matter expert's findings in the audit report. CC ID 13972 Establish/Maintain Documentation Preventive
    Include a statement of the character of the engagement in the audit report. CC ID 07166 Establish/Maintain Documentation Preventive
    Include the nature and scope of the audit performed in the statement of the character of the engagement in the audit report. CC ID 07167 Establish/Maintain Documentation Preventive
    Include the professional standards governing the audit in the statement of the character of the engagement in the audit report. CC ID 07168 Establish/Maintain Documentation Preventive
    Include all restrictions on the audit in the audit report. CC ID 13930 Establish/Maintain Documentation Preventive
    Include a statement that the auditor has no responsibility to update the audit report after its submission. CC ID 13943 Establish/Maintain Documentation Preventive
    Include a statement on the auditor's ethical requirements in the audit report. CC ID 16767 Establish/Maintain Documentation Preventive
    Include a statement that the responsible party refused to provide a written assertion in the audit report. CC ID 13887 Establish/Maintain Documentation Preventive
    Include a statement that the examination involves procedures for collecting evidence in the audit report. CC ID 13941 Establish/Maintain Documentation Preventive
    Express an adverse opinion in the audit report when significant assumptions are not suitably supported. CC ID 13944 Establish/Maintain Documentation Preventive
    Include a statement that modifications to historical evidence accurately reflect current evidence in the audit report. CC ID 13938 Establish/Maintain Documentation Preventive
    Refrain from referencing previous engagements in the audit report. CC ID 16516 Audits and Risk Management Preventive
    Refrain from referencing other auditor's work in the audit report. CC ID 13881 Establish/Maintain Documentation Preventive
    Include that the audit findings are not a predictive analysis of future compliance in the audit report. CC ID 07018 Establish/Maintain Documentation Preventive
    Identify the participants from the organization being audited in the audit report. CC ID 15258 Audits and Risk Management Detective
    Include how in scope controls meet external requirements in the audit report. CC ID 16450 Establish/Maintain Documentation Preventive
    Include the in scope records used to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14915 Establish/Maintain Documentation Preventive
    Include recommended corrective actions in the audit report. CC ID 16197 Establish/Maintain Documentation Preventive
    Include risks and opportunities in the audit report. CC ID 16196 Establish/Maintain Documentation Preventive
    Include the description of tests of controls and results in the audit report. CC ID 14898 Establish/Maintain Documentation Preventive
    Include the nature of the tests performed in the description of tests of controls and results in the audit report. CC ID 14908 Establish/Maintain Documentation Preventive
    Include the test scope in the description of tests of controls and results in the audit report. CC ID 14906 Establish/Maintain Documentation Preventive
    Identify the stakeholders interviewed to obtain audit evidence in the description of tests of controls and results in the audit report. CC ID 14905 Establish/Maintain Documentation Preventive
    Include the timing of controls in the description of tests of controls and results in the audit report. CC ID 16553 Audits and Risk Management Preventive
    Include the controls that were tested in the description of tests of controls and results in the audit report. CC ID 14902 Establish/Maintain Documentation Preventive
    Include subsequent events related to the audit assertion or audit subject matter in the audit report. CC ID 16773 Establish/Maintain Documentation Preventive
    Include the organization's audit assertion of the in scope system in the audit report. CC ID 07005 Actionable Reports or Measurements Preventive
    Include that the organization is the responsible party for the content of its audit assertion and in scope system description in the audit report. CC ID 07010 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for providing in scope services in the audit report. CC ID 14903 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for specifying in scope controls not defined by law or contractual obligation in the audit report. CC ID 07011 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for designing and implementing the in scope controls it identified in the audit scope in the audit report. CC ID 07014 Establish/Maintain Documentation Preventive
    Include the audit opinion regarding the accurateness of the in scope system description in the audit report. CC ID 07019 Establish/Maintain Documentation Preventive
    Include the attestation standards the auditor follows in the audit report. CC ID 07015 Establish/Maintain Documentation Preventive
    Include the audit opinion about the audit assertion in relation to the audit criteria used for evaluation in the audit report. CC ID 07169
    [Document conclusions in a memorandum to the examiner-in-charge that provides report-ready comments for all relevant sections of the report of examination and clarifying guidance to future examiners. App A Objective 18:3]
    Establish/Maintain Documentation Preventive
    Include the auditor's significant reservations about the engagement, the audit assertion, or the audit subject matter in the audit report. CC ID 07170 Establish/Maintain Documentation Preventive
    Include an emphasis-of-matter paragraph in the audit report. CC ID 14890 Establish/Maintain Documentation Preventive
    Include the organization's in scope system description in the audit report. CC ID 11626 Audits and Risk Management Preventive
    Include any out of scope components of in scope systems in the audit report. CC ID 07006 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for identifying material risks in the audit report. CC ID 07012 Establish/Maintain Documentation Preventive
    Include that the organization is the responsible party for selecting the audit criteria in the audit report. CC ID 07013 Establish/Maintain Documentation Preventive
    Include the scope and work performed in the audit report. CC ID 11621
    [Document conclusions in a memorandum to the examiner-in-charge that provides report-ready comments for all relevant sections of the report of examination and clarifying guidance to future examiners. App A Objective 18:3]
    Audits and Risk Management Preventive
    Review the adequacy of the internal auditor's work papers. CC ID 01146 Audits and Risk Management Detective
    Compare the evaluations completed by the internal auditors and the external auditors in past audit reports. CC ID 01158 Establish/Maintain Documentation Detective
    Review the adequacy of the internal auditor's audit reports. CC ID 11620 Audits and Risk Management Detective
    Review past audit reports. CC ID 01155
    [Review past reports for outstanding issues or previous problems. Consider the following: App A Objective 1:1]
    Establish/Maintain Documentation Detective
    Review past audit reports for specific process steps and calculations that were stated to support the audit report's conclusions. CC ID 01160 Establish/Maintain Documentation Detective
    Review the reporting of material weaknesses and risks in past audit reports. CC ID 01161
    [Review past reports for outstanding issues or previous problems. Consider the following: Regulatory reports of examination. App A Objective 1:1a
    {previous audit} Review past reports for outstanding issues or previous problems. Consider the following: Reports by independent risk management. App A Objective 1:1c]
    Establish/Maintain Documentation Detective
    Resolve disputes before creating the audit summary. CC ID 08964 Behavior Preventive
    Refrain from including the description of the audit in the audit report when the auditor is disclaiming an audit opinion. CC ID 13975 Establish/Maintain Documentation Preventive
    Refrain from including scope limitations from changed attestation engagements in the audit report. CC ID 13983 Establish/Maintain Documentation Preventive
    Refrain from including in the audit report any procedures that were performed that the auditor is disclaiming in an audit opinion. CC ID 13974 Establish/Maintain Documentation Preventive
    Include deficiencies and non-compliance in the audit report. CC ID 14879 Establish/Maintain Documentation Corrective
    Determine the effect of deficiencies on the audit report, as necessary. CC ID 14886 Investigate Detective
    Determine the effect of fraud and non-compliance on the audit report, as necessary. CC ID 13979 Process or Activity Detective
    Include an audit opinion in the audit report. CC ID 07017 Establish/Maintain Documentation Preventive
    Include qualified opinions in the audit report. CC ID 13928 Establish/Maintain Documentation Preventive
    Include that the auditor is the responsible party to express an opinion on the audit subject matter based on examination of evidence in the audit report. CC ID 07174 Establish/Maintain Documentation Preventive
    Include a description of the reasons for modifying the audit opinion in the audit report. CC ID 13898 Establish/Maintain Documentation Corrective
    Include that the auditor did not express an opinion in the audit report, as necessary. CC ID 13886 Establish/Maintain Documentation Preventive
    Disclaim the audit opinion in the audit report, as necessary. CC ID 13901 Business Processes Corrective
    Include items that were excluded from the audit report in the audit report. CC ID 07007 Establish/Maintain Documentation Preventive
    Include the organization's privacy practices in the audit report. CC ID 07029 Establish/Maintain Documentation Preventive
    Include items that pertain to third parties in the audit report. CC ID 07008 Establish/Maintain Documentation Preventive
    Refrain from including reference to procedures performed in previous attestation engagements in the audit report. CC ID 13970 Establish/Maintain Documentation Preventive
    Include a statement in the audit report that no procedures were performed subsequent to the date of the practitioner's review report on pro forma financial information, as necessary. CC ID 13969 Establish/Maintain Documentation Preventive
    Include any of the organization's use of compensating controls that were not audited in the audit report. CC ID 07009 Establish/Maintain Documentation Preventive
    Include whether the use of compensating controls are necessary in the audit report. CC ID 07020 Establish/Maintain Documentation Preventive
    Include the pass or fail test status of all in scope controls in the audit report. CC ID 07016 Establish/Maintain Documentation Preventive
    Include the process of using evidential matter to test in scope controls in the audit report. CC ID 07021 Establish/Maintain Documentation Preventive
    Include the nature and causes of identified in scope control deviations in the audit report. CC ID 07022 Establish/Maintain Documentation Preventive
    Modify the audit opinion in the audit report under defined conditions. CC ID 13937 Establish/Maintain Documentation Corrective
    Disclose any audit irregularities in the audit report. CC ID 06995 Actionable Reports or Measurements Preventive
    Include the written signature of the auditor's organization in the audit report. CC ID 13897 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list. CC ID 07117
    [Examiners should review for the following: Applicable reporting of the AIO-related audit results to the board. II.D Action Summary ¶ 2 Bullet 3
    Evaluate the appropriateness of the following: Reports to the board and senior management containing the results of audits or other independent reviews and an assessment of management's ability to oversee the entity's AIO functions and activities. Validate whether the review scope and frequency are appropriate for the complexity of the entity's AIO functions. App A Objective 2:11d]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the reviews of audit reports to organizational management. CC ID 00653 Log Management Detective
    Disseminate and communicate the reasons the audit report was delayed to interested personnel and affected parties. CC ID 15257 Communicate Preventive
    Notify auditees if disclosure of audit documentation is required by law. CC ID 15249 Communicate Preventive
    Disseminate and communicate to the organization that access and use of audit reports are based on least privilege. CC ID 07171 Behavior Preventive
    Disseminate and communicate documents that contain information in support of the audit report. CC ID 07175 Establish/Maintain Documentation Preventive
    Correct any material misstatements in documents that contain information in support of the audit report. CC ID 07176 Establish/Maintain Documentation Preventive
    Review the issues of non-compliance from past audit reports. CC ID 01148
    [{internal audit report} Review past reports for outstanding issues or previous problems. Consider the following: Internal and external audit reports. App A Objective 1:1b
    {previous audit} Review management's response to issues identified during or subsequent to the last examination. Consider the following: Status of uncorrected issues. App A Objective 1:2c]
    Establish/Maintain Documentation Detective
    Notify interested personnel and affected parties after bribes are offered during the audit. CC ID 08872 Business Processes Preventive
    Submit an audit report that is complete. CC ID 01145 Testing Detective
    Accept the audit report. CC ID 07025 Establish/Maintain Documentation Preventive
    Implement a corrective action plan in response to the audit report. CC ID 06777 Establish/Maintain Documentation Corrective
    Assign responsibility for remediation actions. CC ID 13622
    [Additionally, evaluate whether management does the following: Implements corrective action plans to address deviations or negative trends, assigns individuals responsible, and monitors progress to completion. App A Objective 17:2f]
    Human Resources Management Preventive
    Monitor and report on the status of mitigation actions in the corrective action plan. CC ID 15250 Actionable Reports or Measurements Corrective
    Review management's response to issues raised in past audit reports. CC ID 01149
    [{previous audit} Review management's response to issues identified during or subsequent to the last examination. Consider the following: App A Objective 1:2
    {previous audit} Review management's response to issues identified during or subsequent to the last examination. Consider the following: Adequacy and timing of corrective action. App A Objective 1:2a
    {previous audit} Review management's response to issues identified during or subsequent to the last examination. Consider the following: Resolution of root causes rather than symptoms. App A Objective 1:2b]
    Audits and Risk Management Detective
    Define penalties for uncorrected audit findings or remaining non-compliant with the audit report. CC ID 08963 Establish/Maintain Documentation Preventive
    Assess the quality of the audit program in regards to the staff and their qualifications. CC ID 01150
    [Evaluate the appropriateness of the following: Qualifications, training, and experience of auditor (or independent reviewer) in reviewing the functions and activities of AIO. App A Objective 2:11b
    Examiners should review for the following: Qualifications of auditors reviewing AIO functions and activities. II.D Action Summary ¶ 2 Bullet 5]
    Testing Detective
    Evaluate the competency of auditors. CC ID 15253 Human Resources Management Detective
    Review the audit program scope as it relates to the organization's profile. CC ID 01159 Audits and Risk Management Detective
    Assess the quality of the audit program in regards to its documentation. CC ID 11622 Audits and Risk Management Preventive
    Establish, implement, and maintain the audit plan. CC ID 01156 Testing Detective
    Include the audit criteria in the audit plan. CC ID 15262 Establish/Maintain Documentation Preventive
    Include a list of reference documents in the audit plan. CC ID 15260 Establish/Maintain Documentation Preventive
    Include the languages to be used for the audit in the audit plan. CC ID 15252 Establish/Maintain Documentation Preventive
    Include the allocation of resources in the audit plan. CC ID 15251 Establish/Maintain Documentation Preventive
    Include communication protocols in the audit plan. CC ID 15247 Establish/Maintain Documentation Preventive
    Include the level of audit sampling necessary to collect sufficient audit evidence in the audit plan. CC ID 15246 Establish/Maintain Documentation Preventive
    Include meeting schedules in the audit plan. CC ID 15245 Establish/Maintain Documentation Preventive
    Include the time frames for the audit in the audit plan. CC ID 15244 Establish/Maintain Documentation Preventive
    Include the time frames for conducting the audit in the audit plan. CC ID 15243 Establish/Maintain Documentation Preventive
    Include the locations to be audited in the audit plan. CC ID 15242 Establish/Maintain Documentation Preventive
    Include the processes to be audited in the audit plan. CC ID 15241 Establish/Maintain Documentation Preventive
    Include audit objectives in the audit plan. CC ID 15240 Establish/Maintain Documentation Preventive
    Include the risks associated with audit activities in the audit plan. CC ID 15239 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit plan to interested personnel and affected parties. CC ID 15238 Communicate Preventive
    Establish, implement, and maintain an audit schedule for the audit program. CC ID 13158
    [Evaluate the appropriateness of the following: Reports to the board and senior management containing the results of audits or other independent reviews and an assessment of management's ability to oversee the entity's AIO functions and activities. Validate whether the review scope and frequency are appropriate for the complexity of the entity's AIO functions. App A Objective 2:11d]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a risk management program. CC ID 12051
    [An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Roles, responsibilities, procedures, and reporting mechanisms for risk management in AIO activities. App A Objective 2:8b Bullet 6
    Determine whether oversight includes the following: Management identification and evaluation of AIO-related risks, definition of short- and long-term objectives, and creation of policies and procedures to mitigate those risks. App A Objective 2:2b
    Determine whether the entity's risk management processes include the following governance mechanisms: Policies, standards, and procedures. App A Objective 2:1e
    Determine whether the entity's risk management processes include the following governance mechanisms: ERM. App A Objective 2:1c
    Evaluate the appropriateness of the following: Review of the entity's AIO functions and activities and management's ability to oversee and control AIO-related risks. App A Objective 2:11a]
    Establish/Maintain Documentation Preventive
    Include the scope of risk management activities in the risk management program. CC ID 13658 Establish/Maintain Documentation Preventive
    Document and justify any exclusions from the scope of the risk management activities in the risk management program. CC ID 15336 Business Processes Detective
    Integrate the risk management program with the organization's business activities. CC ID 13661
    [Evaluate whether, as part of ERM, there is the following: An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: App A Objective 2:8b
    Determine whether board oversight includes the following: Aligning AIO principles and practices with the board's strategic plans and risk appetite. App A Objective 2:3a
    This examination procedure may be coordinated with related examination procedures in the "Management" booklet. Determine whether the entity's ERM structure incorporates the functions of AIO. Evaluate whether, as part of ERM, there is the following: App A Objective 2:8]
    Business Processes Preventive
    Integrate the risk management program into daily business decision-making. CC ID 13659 Business Processes Preventive
    Include managing mobile risks in the risk management program. CC ID 13535 Establish/Maintain Documentation Preventive
    Take into account if the system will be accessed by or have an impact on children in the risk management program. CC ID 14992 Audits and Risk Management Preventive
    Include regular updating in the risk management system. CC ID 14990 Business Processes Preventive
    Establish, implement, and maintain risk management strategies. CC ID 13209
    [Determine whether the entity's risk management processes include the following governance mechanisms: Strategic planning. App A Objective 2:1b]
    Establish/Maintain Documentation Preventive
    Include off-site storage of supplies in the risk management strategies. CC ID 13221 Establish/Maintain Documentation Preventive
    Include data quality in the risk management strategies. CC ID 15308 Data and Information Management Preventive
    Include the use of alternate service providers in the risk management strategies. CC ID 13217 Establish/Maintain Documentation Preventive
    Include minimizing service interruptions in the risk management strategies. CC ID 13215 Establish/Maintain Documentation Preventive
    Include off-site storage in the risk mitigation strategies. CC ID 13213 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the risk assessment framework. CC ID 00685 Establish/Maintain Documentation Preventive
    Analyze the risk management strategy for addressing requirements. CC ID 12926 Audits and Risk Management Detective
    Analyze the risk management strategy for addressing threats. CC ID 12925
    [Evaluate whether management integrates the entity's AIO functions into the entity's BCM program to mitigate threats, respond to and recover from disruptions, and incorporate lessons learned to strengthen the entity's resilience. App A Objective 8:1]
    Audits and Risk Management Detective
    Analyze the risk management strategy for addressing opportunities. CC ID 12924 Audits and Risk Management Detective
    Define and assign the roles and responsibilities for the risk assessment framework, as necessary. CC ID 06456 Establish Roles Preventive
    Establish, implement, and maintain a risk assessment program. CC ID 00687
    [Determine whether oversight includes the following: Management identification and evaluation of AIO-related risks, definition of short- and long-term objectives, and creation of policies and procedures to mitigate those risks. App A Objective 2:2b
    {risk profile} Review past reports for outstanding issues or previous problems. Consider the following: The entity's overall risk assessment and profile. App A Objective 1:1f]
    Establish/Maintain Documentation Preventive
    Address past incidents in the risk assessment program. CC ID 12743 Audits and Risk Management Preventive
    Employ third parties when implementing a risk assessment, as necessary. CC ID 16306 Human Resources Management Detective
    Include the need for risk assessments in the risk assessment program. CC ID 06447 Establish/Maintain Documentation Preventive
    Include the information flow of restricted data in the risk assessment program. CC ID 12339 Establish/Maintain Documentation Preventive
    Establish and maintain the factors and context for risk to the organization. CC ID 12230 Audits and Risk Management Preventive
    Establish, implement, and maintain a financial plan to support the risk management strategy. CC ID 12786 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain insurance requirements. CC ID 16562 Establish/Maintain Documentation Preventive
    Disseminate and communicate insurance options to interested personnel and affected parties. CC ID 16572 Communicate Preventive
    Disseminate and communicate insurance requirements to interested personnel and affected parties. CC ID 16567 Communicate Preventive
    Purchase insurance on behalf of interested personnel and affected parties. CC ID 16571 Acquisition/Sale of Assets or Services Corrective
    Design a portfolio of insurance options in accordance with risk decision-making criteria. CC ID 12878 Business Processes Preventive
    Design a portfolio of loans in accordance with risk decision-making criteria. CC ID 12877 Business Processes Preventive
    Design a portfolio of risk limiting and mitigating approaches in organizational contracts in accordance with risk decision-making criteria. CC ID 12903 Business Processes Preventive
    Address cybersecurity risks in the risk assessment program. CC ID 13193 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Data Protection Impact Assessments. CC ID 14830 Process or Activity Preventive
    Include a Data Protection Impact Assessment in the risk assessment program. CC ID 12630 Establish/Maintain Documentation Preventive
    Include an assessment of the necessity and proportionality of the processing operations in relation to the purposes in the Data Protection Impact Assessment. CC ID 12681 Establish/Maintain Documentation Preventive
    Include an assessment of the relationship between the data subject and the parties processing the data in the Data Protection Impact Assessment. CC ID 16371 Establish/Maintain Documentation Preventive
    Include a risk assessment of data subject's rights in the Data Protection Impact Assessment. CC ID 12674 Establish/Maintain Documentation Preventive
    Include the description and purpose of processing restricted data in the Data Protection Impact Assessment. CC ID 12673 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Data Protection Impact Assessment to interested personnel and affected parties. CC ID 15313 Communicate Preventive
    Include consideration of the data subject's expectations in the Data Protection Impact Assessment. CC ID 16370 Establish/Maintain Documentation Preventive
    Include monitoring unsecured areas in the Data Protection Impact Assessment. CC ID 12671 Establish/Maintain Documentation Preventive
    Include security measures for protecting restricted data in the Data Protection Impact Assessment. CC ID 12635 Establish/Maintain Documentation Preventive
    Use the risk taxonomy when managing risk. CC ID 12280 Behavior Preventive
    Establish, implement, and maintain a risk assessment policy. CC ID 14026 Establish/Maintain Documentation Preventive
    Include compliance requirements in the risk assessment policy. CC ID 14121 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the risk assessment policy. CC ID 14120 Establish/Maintain Documentation Preventive
    Include management commitment in the risk assessment policy. CC ID 14119 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the risk assessment policy. CC ID 14118 Establish/Maintain Documentation Preventive
    Include the scope in the risk assessment policy. CC ID 14117 Establish/Maintain Documentation Preventive
    Include the purpose in the risk assessment policy. CC ID 14116 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk assessment policy to interested personnel and affected parties. CC ID 14115 Communicate Preventive
    Establish, implement, and maintain risk assessment procedures. CC ID 06446 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling. CC ID 06472 Establish/Maintain Documentation Preventive
    Analyze the organization's information security environment. CC ID 13122 Technical Security Preventive
    Document cybersecurity risks. CC ID 12281 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that follow standards and best practices, as necessary. CC ID 06473 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account both electronic records and printed records. CC ID 06476 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account information classification. CC ID 06477 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that align with strategic objectives. CC ID 06474 Establish/Maintain Documentation Preventive
    Engage appropriate parties to assist with risk assessments, as necessary. CC ID 12153 Human Resources Management Preventive
    Employ risk assessment procedures that take into account prior risk assessment findings of the same scope. CC ID 06478 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account the target environment. CC ID 06479
    [An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Initial assessment of the AIO-related risk. App A Objective 2:8b Bullet 1]
    Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account incidents associated with the target environment. CC ID 06480 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that take into account risk factors. CC ID 16560 Audits and Risk Management Preventive
    Include compliance with disposition requirements in the risk assessment procedures. CC ID 12342 Establish/Maintain Documentation Preventive
    Include compliance with retention requirements in the risk assessment procedures. CC ID 12341 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a threat and risk classification scheme. CC ID 07183 Establish/Maintain Documentation Preventive
    Employ risk assessment procedures that include appropriate risk treatment options for each identified risk. CC ID 06484 Establish/Maintain Documentation Preventive
    Document organizational risk criteria. CC ID 12277 Establish/Maintain Documentation Preventive
    Include security threats and vulnerabilities in the threat and risk classification scheme. CC ID 00699 Technical Security Preventive
    Include an analysis of system interdependencies in the threat and risk classification scheme. CC ID 13056 Investigate Detective
    Categorize the systems, information, and data by risk profile in the threat and risk classification scheme. CC ID 01443
    [{risk profile} Review past reports for outstanding issues or previous problems. Consider the following: The entity's overall risk assessment and profile. App A Objective 1:1f]
    Audits and Risk Management Preventive
    Review the risk profiles, as necessary. CC ID 16561 Audits and Risk Management Detective
    Include risks to critical personnel and assets in the threat and risk classification scheme. CC ID 00698 Audits and Risk Management Preventive
    Include the traceability of malicious code in the threat and risk classification scheme. CC ID 06600 Establish/Maintain Documentation Preventive
    Assign a probability of occurrence to all types of threats in the threat and risk classification scheme. CC ID 01173 Audits and Risk Management Preventive
    Approve the threat and risk classification scheme. CC ID 15693 Business Processes Preventive
    Establish, implement, and maintain risk profiling procedures for internal risk assessments. CC ID 01157
    [An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Ongoing monitoring that identifies and evaluates changes in risk and periodic updates to the risk profile assessment. App A Objective 2:8b Bullet 5]
    Audits and Risk Management Preventive
    Include language that is easy to understand in the risk assessment report. CC ID 06461 Establish/Maintain Documentation Preventive
    Include the environments that call for risk assessments in the risk assessment program. CC ID 06448 Establish/Maintain Documentation Preventive
    Include the process for defining the scope of each risk assessment in the risk assessment program. CC ID 06462 Establish/Maintain Documentation Preventive
    Include the circumstances that call for risk assessments in the risk assessment program. CC ID 06449 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities involved in risk assessments in the risk assessment program. CC ID 06450 Establish/Maintain Documentation Preventive
    Include the methods of managing and responding to the risk assessment report in the risk assessment program. CC ID 06451 Establish/Maintain Documentation Preventive
    Automate as much of the risk assessment program, as necessary. CC ID 06459 Audits and Risk Management Preventive
    Disseminate and communicate the risk assessment procedures to interested personnel and affected parties. CC ID 14136 Communicate Preventive
    Approve the risk assessment program and associated risk assessment procedures at the senior management level. CC ID 06458 Establish/Maintain Documentation Preventive
    Perform risk assessments for all target environments, as necessary. CC ID 06452
    [Determine the effectiveness of EOL management through the following: Conducts risk assessments to determine assets' EOLs. App A Objective 4:4c
    Additionally, determine whether management does the following: Addresses voice communications risks through development and acquisition processes, and in written policies, standards, and procedures. If the entity uses VoIP for voice communications, determine whether management performs a comprehensive risk assessment to ensure confidentiality, integrity, and availability in voice communications. App A Objective 13:3n]
    Testing Preventive
    Include the probability and potential impact of pandemics in the scope of the risk assessment. CC ID 13241 Establish/Maintain Documentation Preventive
    Include physical assets in the scope of the risk assessment. CC ID 13075 Establish/Maintain Documentation Preventive
    Include the results of the risk assessment in the risk assessment report. CC ID 06481 Establish/Maintain Documentation Preventive
    Approve the results of the risk assessment as documented in the risk assessment report. CC ID 07109 Audits and Risk Management Preventive
    Update the risk assessment upon discovery of a new threat. CC ID 00708 Establish/Maintain Documentation Detective
    Review risks to the organization's audit function when changes in the supply chain occur. CC ID 01154 Audits and Risk Management Preventive
    Update the risk assessment upon changes to the risk profile. CC ID 11627 Establish/Maintain Documentation Detective
    Review the risk to the audit function when the audit personnel status changes. CC ID 01153 Audits and Risk Management Preventive
    Document any reasons for modifying or refraining from modifying the organization's risk assessment when the risk assessment has been reviewed. CC ID 13312 Establish/Maintain Documentation Preventive
    Create a risk assessment report based on the risk assessment results. CC ID 15695 Establish/Maintain Documentation Preventive
    Disseminate and communicate the approved risk assessment report to interested personnel and affected parties. CC ID 10633 Communicate Preventive
    Conduct external audits of risk assessments, as necessary. CC ID 13308
    [Determine whether the entity's risk management processes include the following governance mechanisms: Internal audit, independent reviews, and certifications. App A Objective 2:1f]
    Audits and Risk Management Detective
    Notify the organization upon completion of the external audits of the organization's risk assessment. CC ID 13313 Communicate Preventive
    Establish, implement, and maintain a risk assessment awareness and training program. CC ID 06453 Business Processes Preventive
    Disseminate and communicate information about risks to all interested personnel and affected parties. CC ID 06718
    [An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Roles, responsibilities, procedures, and reporting mechanisms for risk management in AIO activities. App A Objective 2:8b Bullet 6
    Determine whether board oversight includes the following: Ensuring board members have appropriate knowledge of risks to provide a credible challenge to management. App A Objective 2:3c
    {unapproved software}{unapproved service} Determine whether management understands and communicates the risks of shadow IT to entity personnel. Additionally, determine whether internal audit evaluates management's processes to monitor, identify, and remove unapproved devices, software, or services. Assess whether management performs the following: App A Objective 4:5]
    Behavior Preventive
    Evaluate the effectiveness of threat and vulnerability management procedures. CC ID 13491 Investigate Detective
    Correlate the business impact of identified risks in the risk assessment report. CC ID 00686
    [Review preliminary conclusions with the examiner-in-charge regarding the following: Potential impact of the examiner's conclusions on the entity's risk assessment(s). App A Objective 18:1d
    {URSIT composite rating} Review preliminary conclusions with the examiner-in-charge regarding the following: Proposed Uniform Rating System for IT (URSIT) support and delivery component rating and the potential impact of the examiner's conclusions on composite or other URSIT component ratings. App A Objective 18:1c]
    Audits and Risk Management Preventive
    Conduct a Business Impact Analysis, as necessary. CC ID 01147 Audits and Risk Management Detective
    Include recovery of the critical path in the Business Impact Analysis. CC ID 13224 Establish/Maintain Documentation Preventive
    Include acceptable levels of data loss in the Business Impact Analysis. CC ID 13264 Establish/Maintain Documentation Preventive
    Include Recovery Point Objectives in the Business Impact Analysis. CC ID 13223 Establish/Maintain Documentation Preventive
    Include the Recovery Time Objectives in the Business Impact Analysis. CC ID 13222 Establish/Maintain Documentation Preventive
    Include pandemic risks in the Business Impact Analysis. CC ID 13219 Establish/Maintain Documentation Preventive
    Include tolerance to downtime in the Business Impact Analysis report. CC ID 01172 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Business Impact Analysis to interested personnel and affected parties. CC ID 15300 Communicate Preventive
    Establish, implement, and maintain a risk register. CC ID 14828 Establish/Maintain Documentation Preventive
    Document organizational risk tolerance in a risk register. CC ID 09961
    [{risk metric} An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Risk tolerances and risk and performance metrics for AIO activities. App A Objective 2:8b Bullet 7]
    Establish/Maintain Documentation Preventive
    Align organizational risk tolerance to that of industry peers in the risk register. CC ID 09962 Business Processes Preventive
    Review the Business Impact Analysis, as necessary. CC ID 12774 Business Processes Preventive
    Analyze and quantify the risks to in scope systems and information. CC ID 00701
    [Considers appropriate methods to address shadow IT, including: Identifying security risks associated with shadow IT in use and determining whether there is malicious intent. App A Objective 4:5e Bullet 1
    Evaluate whether management has a process to determine appropriate deployment environments (e.g., in-house or serviced, virtualization and cloud, or hybrid) as part of the design process. Determine whether the process includes the following considerations: Type of virtualization solution and design risks associated with the following elements: Containers, including the design for storing data outside of the container and implementation of vulnerability management processes, segmentation, and the ability to monitor containers. App A Objective 12:5c Bullet 3
    Evaluate whether management has a process to determine appropriate deployment environments (e.g., in-house or serviced, virtualization and cloud, or hybrid) as part of the design process. Determine whether the process includes the following considerations: Type of virtualization solution and design risks associated with the following elements: Microservices, including a design process that allows for the use of microservices as an integrated component to overall IT operations and the ability to address the risks of security, reliability, and latency in the entity's development process. App A Objective 12:5c Bullet 4
    Evaluate whether, as part of ERM, there is the following: Consistent and current review of the entity's products, processes, applications, infrastructure, interconnectivity, and other related risks to business operations. App A Objective 2:8a
    This examination procedure may be performed in coordination with related examination procedures in the "Development and Acquisition," "Information Security," and "Outsourcing Technology Services" booklets. Determine whether management is aware of and implements risk mitigations for general risks (e.g., software vulnerabilities and unauthorized access) associated with software in the entity's infrastructure environment. With respect to specific software types, determine whether management does the following: App A Objective 13:6
    Evaluate whether management has a process to determine appropriate deployment environments (e.g., in-house or serviced, virtualization and cloud, or hybrid) as part of the design process. Determine whether the process includes the following considerations: Type of virtualization solution and design risks associated with the following elements: VMs and the design of secure virtual infrastructures to provide the ability to oversee the interconnectivity and segmentation of VMs. App A Objective 12:5c Bullet 1
    Determine whether management considers risks related to exchange files and implements effective mitigation, such as the following: App A Objective 11:1
    With respect to specific software types, determine whether management does the following: For open source software: Identifies security issues with its use. App A Objective 13:6g Bullet 1
    With respect to specific software types, determine whether management does the following: For open source software: Evaluates implications of open source components in third-party software and addresses their use in contract provisions. App A Objective 13:6g Bullet 3
    Review the effectiveness of management's mitigation of the risks associated with the following: Smoke and fire mitigation strategies, including: Knowledge of potential risks of fire suppression systems. App A Objective 13:9b Bullet 7
    This examination procedure may be performed in coordination with related examination procedures in the "Business Continuity Management" booklet. Determine whether management developed, documented, and implemented environmental control policies, standards, and procedures to safeguard facilities, technology, data, and people. Specifically, determine whether management has effective environmental controls to identify and mitigate risks from infrastructure and operational issues. Evaluate whether remotely available environmental controls (including IoT devices used for environmental monitoring), whether by a third-party service provider or not, have appropriate access controls, monitoring of remote access activity, and regular review of privileges. Additionally, determine whether third-party service provider access for maintenance and administrative purposes is appropriately controlled. App A Objective 13:8
    Evaluate whether management has a process to determine appropriate deployment environments (e.g., in-house or serviced, virtualization and cloud, or hybrid) as part of the design process. Determine whether the process includes the following considerations: Identification of risks and benefits of each type of deployment environment. App A Objective 12:5a
    Evaluate whether management has a process to determine appropriate deployment environments (e.g., in-house or serviced, virtualization and cloud, or hybrid) as part of the design process. Determine whether the process includes the following considerations: Type of virtualization solution and design risks associated with the following elements: Hypervisors and the design of where the hypervisors sit and the connectivity between hypervisors and VMs. App A Objective 12:5c Bullet 2
    {power grid} Review the effectiveness of management's mitigation of the risks associated with the following: Power issues mitigation, including: Evaluation and mitigation of the risk from one grid or one provider in other ways (e.g., using generator(s) or batteries). App A Objective 13:9d Bullet 5
    {continuous improvement} Determine whether management uses control self-assessments, risk control self-assessments, or other methods to monitor the effectiveness of IT operations controls and gauge performance, assess the criticality of systems, and identify existing risks. Determine whether management evaluates results and uses them to continuously improve the entity's operations. App A Objective 17:3]
    Audits and Risk Management Preventive
    Establish and maintain a Risk Scoping and Measurement Definitions Document. CC ID 00703 Audits and Risk Management Preventive
    Identify the material risks in the risk assessment report. CC ID 06482 Audits and Risk Management Preventive
    Assess the potential level of business impact risk associated with each business process. CC ID 06463
    [Determine whether management appropriately considers the uses and risks of data analytics and performs the following: App A Objective 3:9
    Evaluate whether, as part of ERM, there is the following: Consistent and current review of the entity's products, processes, applications, infrastructure, interconnectivity, and other related risks to business operations. App A Objective 2:8a
    Management understands the common risks and mitigating controls related to data governance and data management. (III.A, "Data Governance and Data Management") App A Objective 3]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with the business environment. CC ID 06464
    [Assess whether management does the following: Determines its reliance on people, processes, and technology, including third-party service providers, to assist in its assessment of risk. App A Objective 8:2a
    Evaluate whether, as part of ERM, there is the following: Consistent and current review of the entity's products, processes, applications, infrastructure, interconnectivity, and other related risks to business operations. App A Objective 2:8a]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with business information of in scope systems. CC ID 06465 Audits and Risk Management Detective
    Identify changes to in scope systems that could threaten communication between business units. CC ID 13173
    [Consider the following to identify changes: Changes to internal business processes. App A Objective 1:3g]
    Investigate Detective
    Assess the potential business impact risk of in scope systems caused by deliberate threats to their confidentiality, integrity, and availability. CC ID 06466 Audits and Risk Management Detective
    Assess the potential level of business impact risk caused by accidental threats to the confidentiality, integrity and availability of critical systems. CC ID 06467 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with reputational damage. CC ID 15335 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with insider threats. CC ID 06468 Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with external entities. CC ID 06469
    [Assess whether management does the following: Determines its reliance on people, processes, and technology, including third-party service providers, to assist in its assessment of risk. App A Objective 8:2a]
    Audits and Risk Management Detective
    Assess the potential level of business impact risk associated with natural disasters. CC ID 06470 Actionable Reports or Measurements Detective
    Assess the potential level of business impact risk associated with control weaknesses. CC ID 06471 Audits and Risk Management Detective
    Establish a risk acceptance level that is appropriate to the organization's risk appetite. CC ID 00706 Establish/Maintain Documentation Preventive
    Investigate alternative risk control strategies appropriate to the organization's risk appetite. CC ID 12887 Investigate Preventive
    Select the appropriate risk treatment option for each identified risk in the risk register. CC ID 06483 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties. CC ID 06849 Behavior Preventive
    Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary. CC ID 00704
    [Considers appropriate methods to address shadow IT, including: Reviewing policies, processes, and tools to understand any gaps that may allow shadow IT to occur. App A Objective 4:5e Bullet 6
    Regardless of entity size, determine whether management incorporated the following: Analysis of the functionality, including security and resilience, of legacy systems and identification of gaps. App A Objective 12:6b]
    Establish/Maintain Documentation Detective
    Document the results of the gap analysis. CC ID 16271 Establish/Maintain Documentation Preventive
    Prioritize and select controls based on the risk assessment findings. CC ID 00707 Audits and Risk Management Preventive
    Analyze the effect of threats on organizational strategies and objectives. CC ID 12850 Process or Activity Detective
    Analyze the effect of opportunities on organizational strategies and objectives. CC ID 12849 Process or Activity Detective
    Prioritize and categorize the effects of opportunities, threats and requirements on control activities. CC ID 12822 Audits and Risk Management Preventive
    Determine the effectiveness of risk control measures. CC ID 06601 Testing Detective
    Develop key indicators to inform management on the effectiveness of risk control measures. CC ID 12946 Audits and Risk Management Preventive
    Establish, implement, and maintain a risk treatment plan. CC ID 11983
    [Determine whether management oversight includes the following: Addressing risks self-identified by management, from AIO-related audits, and from other independent assessments. App A Objective 2:4b
    Verify whether management identifies and addresses all risks according to contracts and other agreements (e.g., SLAs). App A Objective 7:2
    Determine whether management considers risks related to exchange files and implements effective mitigation, such as the following: App A Objective 11:1
    With respect to specific software types, determine whether management does the following: For open source software: Implements security controls and procedures to mitigate risks, including the following: App A Objective 13:6g Bullet 2
    This examination procedure may be performed in coordination with related examination procedures in the "Business Continuity Management" booklet. Determine whether management developed, documented, and implemented environmental control policies, standards, and procedures to safeguard facilities, technology, data, and people. Specifically, determine whether management has effective environmental controls to identify and mitigate risks from infrastructure and operational issues. Evaluate whether remotely available environmental controls (including IoT devices used for environmental monitoring), whether by a third-party service provider or not, have appropriate access controls, monitoring of remote access activity, and regular review of privileges. Additionally, determine whether third-party service provider access for maintenance and administrative purposes is appropriately controlled. App A Objective 13:8
    {power grid} Review the effectiveness of management's mitigation of the risks associated with the following: Power issues mitigation, including: Evaluation and mitigation of the risk from one grid or one provider in other ways (e.g., using generator(s) or batteries). App A Objective 13:9d Bullet 5
    Additionally, determine whether management does the following: Addresses voice communications risks through development and acquisition processes, and in written policies, standards, and procedures. If the entity uses VoIP for voice communications, determine whether management performs a comprehensive risk assessment to ensure confidentiality, integrity, and availability in voice communications. App A Objective 13:3n]
    Establish/Maintain Documentation Preventive
    Include the date of the risk assessment in the risk treatment plan. CC ID 16321 Establish/Maintain Documentation Preventive
    Include the release status of the risk assessment in the risk treatment plan. CC ID 16320 Audits and Risk Management Preventive
    Identify the planned actions and controls that address high risk in the risk treatment plan. CC ID 12835 Audits and Risk Management Preventive
    Identify the current actions and controls that address high risk in the risk treatment plan. CC ID 12834 Audits and Risk Management Preventive
    Include the risk treatment strategy in the risk treatment plan. CC ID 12159 Establish/Maintain Documentation Preventive
    Revise the risk treatment strategies in the risk treatment plan, as necessary. CC ID 12552 Establish/Maintain Documentation Corrective
    Include an overview of the migration project plan in the risk treatment plan. CC ID 11982 Establish/Maintain Documentation Preventive
    Include change control processes in the risk treatment plan. CC ID 11981 Establish/Maintain Documentation Preventive
    Include a description of the processes to check for new vulnerabilities in the risk treatment plan. CC ID 11980 Establish/Maintain Documentation Preventive
    Include the implemented risk management controls in the risk treatment plan. CC ID 11979 Establish/Maintain Documentation Preventive
    Include requirements for monitoring and reporting in the risk treatment plan, as necessary. CC ID 13620 Establish/Maintain Documentation Preventive
    Include risk assessment results in the risk treatment plan. CC ID 11978 Establish/Maintain Documentation Preventive
    Include a description of usage in the risk treatment plan. CC ID 11977 Establish/Maintain Documentation Preventive
    Document all constraints applied to the risk treatment plan, as necessary. CC ID 13619 Establish/Maintain Documentation Preventive
    Disseminate and communicate the risk treatment plan to interested personnel and affected parties. CC ID 15694 Communicate Preventive
    Approve the risk treatment plan. CC ID 13495 Audits and Risk Management Preventive
    Integrate the corrective action plan based on the risk assessment findings with other risk management activities. CC ID 06457 Establish/Maintain Documentation Preventive
    Document and communicate a corrective action plan based on the risk assessment findings. CC ID 00705
    [Discuss findings with management and obtain proposed corrective action for significant deficiencies. App A Objective 18:2
    Discuss corrective action and communicate findings. App A Objective 18]
    Establish/Maintain Documentation Corrective
    Review and approve the risk assessment findings. CC ID 06485
    [Discuss findings with management and obtain proposed corrective action for significant deficiencies. App A Objective 18:2]
    Establish/Maintain Documentation Preventive
    Include risk responses in the risk management program. CC ID 13195 Establish/Maintain Documentation Preventive
    Document residual risk in a residual risk report. CC ID 13664 Establish/Maintain Documentation Corrective
    Review and approve material risks documented in the residual risk report, as necessary. CC ID 13672 Business Processes Preventive
    Establish, implement, and maintain an artificial intelligence risk management program. CC ID 16220 Establish/Maintain Documentation Preventive
    Include diversity and equal opportunity in the artificial intelligence risk management program. CC ID 16255 Establish/Maintain Documentation Preventive
    Analyze the impact of artificial intelligence systems on business operations. CC ID 16356 Business Processes Preventive
    Analyze the impact of artificial intelligence systems on society. CC ID 16317 Audits and Risk Management Detective
    Analyze the impact of artificial intelligence systems on individuals. CC ID 16316 Audits and Risk Management Detective
    Establish, implement, and maintain a cybersecurity risk management strategy. CC ID 11991 Establish/Maintain Documentation Preventive
    Include a risk prioritization approach in the Cybersecurity Risk Management Strategy. CC ID 12276 Establish/Maintain Documentation Preventive
    Include defense in depth strategies in the cybersecurity risk management strategy. CC ID 15582 Establish/Maintain Documentation Preventive
    Evaluate the cyber insurance market. CC ID 12695 Business Processes Preventive
    Evaluate the usefulness of cyber insurance to the organization. CC ID 12694 Business Processes Preventive
    Acquire cyber insurance, as necessary. CC ID 12693 Business Processes Preventive
    Establish, implement, and maintain a supply chain risk management policy. CC ID 14663 Establish/Maintain Documentation Preventive
    Include compliance requirements in the supply chain risk management policy. CC ID 14711 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the supply chain risk management policy. CC ID 14710 Establish/Maintain Documentation Preventive
    Include management commitment in the supply chain risk management policy. CC ID 14709 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management policy. CC ID 14708 Establish/Maintain Documentation Preventive
    Include the scope in the supply chain risk management policy. CC ID 14707 Establish/Maintain Documentation Preventive
    Include the purpose in the supply chain risk management policy. CC ID 14706 Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management policy to all interested personnel and affected parties. CC ID 14662 Communicate Preventive
    Establish, implement, and maintain a supply chain risk management plan. CC ID 14713 Establish/Maintain Documentation Preventive
    Include processes for monitoring and reporting in the supply chain risk management plan. CC ID 15619 Establish/Maintain Documentation Preventive
    Include dates in the supply chain risk management plan. CC ID 15617 Establish/Maintain Documentation Preventive
    Include implementation milestones in the supply chain risk management plan. CC ID 15615 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the supply chain risk management plan. CC ID 15613 Establish/Maintain Documentation Preventive
    Include supply chain risk management procedures in the risk management program. CC ID 13190
    [Evaluate whether, as part of ERM, there is the following: An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: App A Objective 2:8b]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the supply chain risk management procedures to all interested personnel and affected parties. CC ID 14712 Communicate Preventive
    Assign key stakeholders to review and approve supply chain risk management procedures. CC ID 13199 Human Resources Management Preventive
    Analyze supply chain risk management procedures, as necessary. CC ID 13198 Process or Activity Detective
    Disseminate and communicate the risk management policy to interested personnel and affected parties. CC ID 13792 Communicate Preventive
  • Harmonization Methods and Manual of Style
    Harmonization Methods and Manual of Style CC ID 06095 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain terminological resources. CC ID 13317
    [Evaluate the effectiveness of the assignment of the following responsibilities: Architecture-related responsibilities: Development of IT architecture policy and terminology. App A Objective 2:9a Bullet 8
    With respect to design objectives, determine whether management does the following: Uses defined terminology. App A Objective 12:4a]
    Establish/Maintain Documentation Preventive
    Use the latest version of the Phonetic Alphabet for phonetic transcription. CC ID 16253 Process or Activity Preventive
    Analyze Authority Documents for their content. CC ID 13322 Investigate Detective
    Analyze concepts within the framework of their subject field. CC ID 13373 Investigate Detective
    Compile a list of all of the terms in the subject field. CC ID 13385 Establish/Maintain Documentation Preventive
    Analyze concept fields for their partitive relationships. CC ID 13330 Investigate Preventive
    Analyze concept fields for hierarchical structure. CC ID 13369 Investigate Detective
    Analyze concept fields for associative relationships. CC ID 13371 Investigate Detective
    Analyze concept fields for their generic relationships. CC ID 13342 Investigate Detective
    Select and define the concept field. CC ID 13382 Establish/Maintain Documentation Preventive
    Use the concept field to develop the concept system. CC ID 13361 Investigate Detective
    Establish and maintain concept systems, as necessary. CC ID 13320 Establish/Maintain Documentation Preventive
    Subdivide hypernyms according to criterion of subdivisions in the concept system. CC ID 13374 Establish/Maintain Documentation Preventive
    Define objects as anything perceived or conceived. CC ID 13321 Establish/Maintain Documentation Preventive
    Identify the properties of each object. CC ID 13325 Establish/Maintain Documentation Preventive
    Identify the properties attributed to objects in the subject field. CC ID 13338 Establish/Maintain Documentation Preventive
    Assign properties to objects. CC ID 13341 Establish/Maintain Documentation Preventive
    Determine which properties of an object should be abstracted into characteristics. CC ID 13363 Investigate Detective
    Group objects that share the same properties into categories. CC ID 13326 Establish/Maintain Documentation Preventive
    Establish and maintain concepts. CC ID 13339 Establish/Maintain Documentation Preventive
    Enumerate subordinate concepts, as necessary. CC ID 16242 Establish/Maintain Documentation Preventive
    Extract objects as concepts. CC ID 13358 Investigate Detective
    Extract the properties of the object to define the characteristics of the concept. CC ID 13359 Investigate Detective
    Categorize objects into classes of concepts. CC ID 13323 Establish/Maintain Documentation Preventive
    Combine the characteristics of objects to form a concept. CC ID 13365 Investigate Detective
    Analyze the characteristics of concepts. CC ID 13334 Establish/Maintain Documentation Preventive
    Categorize characteristics according to their importance. CC ID 16229 Process or Activity Preventive
    Consider the expectations and objectives of the target audience when organizing concepts. CC ID 13329 Establish/Maintain Documentation Preventive
    Identify the context or subject field of the concept. CC ID 13337 Establish/Maintain Documentation Preventive
    Identify concepts by their characteristics. CC ID 13324 Establish/Maintain Documentation Preventive
    Compare the characteristics of related concepts by the intension of the concept. CC ID 13336 Establish/Maintain Documentation Preventive
    Analyze the characteristics of concepts in relation to the concept system found within the subject field. CC ID 13372 Investigate Detective
    Identify the characteristics that constitute the intension of the concept. CC ID 13345 Establish/Maintain Documentation Preventive
    List characteristics that delimit specific concepts from the generic concept. CC ID 13344 Establish/Maintain Documentation Preventive
    Analyze the similarities and differences of concepts. CC ID 13370 Investigate Detective
    Identify partitive concepts. CC ID 13335 Establish/Maintain Documentation Preventive
    Determine the position of the hypernym in the hierarchical relationship by means of the inheritance principle. CC ID 13362 Investigate Detective
    Determine the hypernym's relationship to partitive concepts, as necessary. CC ID 13404 Investigate Detective
    Document characteristics associated with concepts. CC ID 13343 Establish/Maintain Documentation Preventive
    Combine the characteristics of objects when creating or updating concepts. CC ID 13327 Establish/Maintain Documentation Preventive
    Establish and maintain definitions for concepts. CC ID 13360 Establish/Maintain Documentation Preventive
    Organize concepts into hierarchical relationships. CC ID 13379 Establish/Maintain Documentation Preventive
    Define the criterion of subdivisions in the concept system. CC ID 16230 Process or Activity Preventive
    Define the hypernym concepts prior to defining the hyponym concepts in a concept system. CC ID 13413 Establish/Maintain Documentation Preventive
    Use the relationships between concepts to determine the structure of the concept system. CC ID 13368 Investigate Detective
    Apply the characteristics of concepts when modelling concept systems. CC ID 13355 Investigate Detective
    Illustrate the structure of the concept system, as necessary. CC ID 13364 Establish/Maintain Documentation Preventive
    Establish and maintain terminological entries and their definitions. CC ID 13318 Establish/Maintain Documentation Preventive
    Research existing term definitions or citations containing the term, as necessary. CC ID 13418 Investigate Detective
    Standardize and harmonize terms in terminological entries. CC ID 13389 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain linguistic symbols. CC ID 16239 Establish/Maintain Documentation Preventive
    Include terminological entries that are drawn from existing dictionaries, as necessary. CC ID 13387 Establish/Maintain Documentation Preventive
    Refrain from changing the extensions of concepts when adapting existing definitions. CC ID 13417 Establish/Maintain Documentation Preventive
    Cite external dictionary references, if they are used. CC ID 13388 Establish/Maintain Documentation Preventive
    Avoid errors when citing authoritative sources. CC ID 16238 Establish/Maintain Documentation Preventive
    Establish and maintain designations for terminological entries, as necessary. CC ID 13340 Establish/Maintain Documentation Preventive
    Treat full forms as designations. CC ID 16236 Process or Activity Preventive
    Use the characteristics of the concept to select the designation. CC ID 13357 Investigate Detective
    Standardize and harmonize term designations. CC ID 13390 Establish/Maintain Documentation Preventive
    Document the history of designations. CC ID 16249 Establish/Maintain Documentation Preventive
    Consider the needs of the target audience when creating designations. CC ID 16275 Establish/Maintain Documentation Preventive
    Craft the designation to reflect the concept system. CC ID 16237 Establish/Maintain Documentation Preventive
    Refrain from changing designations unless absolutely necessary. CC ID 16247 Establish/Maintain Documentation Preventive
    Separate designations from definitions. CC ID 13328 Establish/Maintain Documentation Preventive
    Define the concept of a term as the noun with the subject being the term's designation. CC ID 13402 Establish/Maintain Documentation Preventive
    Treat abbreviations as designations. CC ID 13332 Establish/Maintain Documentation Preventive
    Indicate that a terminological entry is a preferred term, non-standard term, or deprecated term, as necessary. CC ID 13412 Establish/Maintain Documentation Preventive
    Establish and maintain definitions for terminological entries. CC ID 13319 Establish/Maintain Documentation Preventive
    Consider the needs of the target audience when creating definitions. CC ID 16232 Establish/Maintain Documentation Preventive
    Limit term definitions to a single concept. CC ID 13395 Establish/Maintain Documentation Preventive
    Use definition types that fit the purpose of the term definition. CC ID 13422 Establish/Maintain Documentation Preventive
    Create extensional definitions, as necessary. CC ID 16234 Process or Activity Preventive
    Create intensional definitions, as necessary. CC ID 13381 Establish/Maintain Documentation Preventive
    Begin adjectival designations of intensional definitions with the state or the function of the object. CC ID 13399 Establish/Maintain Documentation Preventive
    Begin verbal designations of intensional definitions with a verb. CC ID 13398 Establish/Maintain Documentation Preventive
    Begin nominal designations of intensional definitions with a noun. CC ID 13397 Establish/Maintain Documentation Preventive
    Include representations in intensional definitions, as necessary. CC ID 13383 Establish/Maintain Documentation Preventive
    Include hypernyms, followed by the term's delimiting characteristics in intensional definitions, as necessary. CC ID 13386 Establish/Maintain Documentation Preventive
    Include the concept, followed by the term's delimiting characteristics, in an intensional definition, as necessary. CC ID 13380 Establish/Maintain Documentation Preventive
    Create partitive definitions, as necessary. CC ID 13392 Establish/Maintain Documentation Preventive
    Limit partitive definitions to either the concept's hypernym or hyponym, but not both. CC ID 13416 Establish/Maintain Documentation Preventive
    Define term definitions as partitive concepts if the concept constitutes a portion of a comprehensive concept. CC ID 13406 Establish/Maintain Documentation Preventive
    Begin partitive definitions with formulations that indicate the partitive relationship. CC ID 13405 Establish/Maintain Documentation Preventive
    Standardize term definitions. CC ID 13391 Establish/Maintain Documentation Preventive
    Use formulas as definitions, as necessary. CC ID 13333 Establish/Maintain Documentation Preventive
    Use proper names as unique identifiers, as necessary. CC ID 16254 Establish/Maintain Documentation Preventive
    Include synonyms and antonyms of the term in the term definition. CC ID 13420 Establish/Maintain Documentation Preventive
    Include the subject field in a term definition if it is not indicated in the term's designation, as necessary. CC ID 13394 Establish/Maintain Documentation Preventive
    Include examples that contrast the characteristics of a term definition, as necessary. CC ID 13423 Establish/Maintain Documentation Preventive
    Include adjectives that form a part of the term in the term's definition, as necessary. CC ID 13426 Establish/Maintain Documentation Preventive
    Refrain from including hidden definitions not specific to the concept in the term definition. CC ID 13396 Establish/Maintain Documentation Preventive
    Use plain language when writing term definitions. CC ID 13419 Establish/Maintain Documentation Preventive
    Begin term definitions with the concept associated with the hypernym, as necessary. CC ID 13408 Establish/Maintain Documentation Preventive
    Refrain from including characteristics to hypernyms that belong to the term's hyponym. CC ID 13415 Establish/Maintain Documentation Preventive
    Refrain from describing the designation in the term definition. CC ID 13411 Establish/Maintain Documentation Preventive
    Define the concept as the noun and the rest of the definition will complete the predicate of the term definition. CC ID 13403 Establish/Maintain Documentation Preventive
    Include additional information not suited to a term's definition in the terminological entry's note. CC ID 13414 Establish/Maintain Documentation Preventive
    Include the history of the term in the term definition, as necessary. CC ID 13425 Establish/Maintain Documentation Preventive
    Limit the term's definition to a concept based within the appropriate concept system. CC ID 13407 Establish/Maintain Documentation Preventive
    Include the characteristics that constitute the intension of the concept in the term definition. CC ID 13409 Establish/Maintain Documentation Preventive
    Refrain from using synonyms of the term in its definition. CC ID 13331 Establish/Maintain Documentation Preventive
    Refrain from including meronyms in the term definition. CC ID 16245 Establish/Maintain Documentation Preventive
    Refrain from repeating a designation to introduce a definition. CC ID 16243 Establish/Maintain Documentation Preventive
    Determine the properties of terms that can be abstracted as characteristics. CC ID 13367 Investigate Detective
    Combine terms with definitions to form a complete sentence in a term definition, as necessary. CC ID 13401 Establish/Maintain Documentation Preventive
    Craft the definition to reflect the concept system in which the term is found. CC ID 13384 Establish/Maintain Documentation Preventive
    Analyze the characteristics of concepts included in the term's definition. CC ID 13366 Investigate Detective
    Use the characteristics of the concept when formulating a definition. CC ID 13356 Investigate Detective
    Include any hypernyms' characteristics that indicate its hierarchical relationship to the concept system in the term definition. CC ID 13410 Establish/Maintain Documentation Preventive
    Review term definitions before finalizing them. CC ID 13421 Establish/Maintain Documentation Preventive
    Test the validity of a term definition using the substitution principle. CC ID 13400 Establish/Maintain Documentation Preventive
    Test whether differentia should be included in a term's definition. CC ID 13424 Establish/Maintain Documentation Preventive
    Deprecate flawed terminological entries, as necessary. CC ID 13393 Establish/Maintain Documentation Corrective
  • Human Resources management
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Human Resources management CC ID 00763 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain high level operational roles and responsibilities. CC ID 00806 Establish Roles Preventive
    Establish, implement, and maintain a security operations center. CC ID 14762
    [{security management} With respect to operating centers, describe the entity's operating center type and key responsibilities and determine whether functions such as security and network management are addressed. Evaluate the appropriateness of the entity's processes and controls, such as the following: App A Objective 14:1
    {physical control} Examiners should review for the following: Effective controls over the entity's operating centers, including physical and logical controls. VI.A Action Summary ¶ 2 Bullet 1]
    Human Resources Management Preventive
    Define the scope for the security operations center. CC ID 15713 Establish/Maintain Documentation Preventive
    Define and assign the Information Technology staff's roles and responsibilities. CC ID 00809
    [Evaluate the effectiveness of the assignment of the following responsibilities: Architecture-related responsibilities: App A Objective 2:9a
    Regardless of entity size, determine whether management incorporated the following: Identification of necessary roles to support the EA function. App A Objective 12:6c
    Evaluate the appropriateness of the entity's processes and controls, such as the following: Operating center responsibilities, including: App A Objective 14:1f
    {security management} With respect to operating centers, describe the entity's operating center type and key responsibilities and determine whether functions such as security and network management are addressed. Evaluate the appropriateness of the entity's processes and controls, such as the following: App A Objective 14:1
    Evaluate the effectiveness of the assignment of the following responsibilities: Operations-related responsibilities: App A Objective 2:9c
    The board is responsible for overseeing, and senior management is responsible for implementing and maintaining, a safe and sound operating environment that supports the entity's goals and objectives and complies with applicable laws and regulations. Management should establish responsibility and accountability for the administration of the day-to-day functions of the IT environment. II.A Action Summary ¶ 1]
    Establish Roles Preventive
    Define and assign the Archives and Records Management oversight's roles and responsibilities. CC ID 00697
    [Determine whether management has data governance and data management processes that include defining responsibility and processes for governing data, including the identification, management, and oversight of any metadata, and promoting a culture that takes a data-centric approach. App A Objective 3:4
    Evaluate the effectiveness of the assignment of the following responsibilities: Data-related responsibilities: App A Objective 2:9b]
    Establish Roles Preventive
    Establish and maintain an Information Technology steering committee. CC ID 12706
    [Evaluate the effectiveness of the assignment of the following responsibilities: Operations-related responsibilities: Oversight of the IT environment. App A Objective 2:9c Bullet 1]
    Human Resources Management Preventive
    Assign the Information Technology steering committee to report to senior management. CC ID 12731 Human Resources Management Preventive
    Convene the Information Technology steering committee, as necessary. CC ID 12730 Human Resources Management Preventive
    Assign reviewing investments to the Information Technology steering committee, as necessary. CC ID 13625 Human Resources Management Preventive
    Define and assign workforce roles and responsibilities. CC ID 13267
    [Determine whether management assigned responsibilities for the AIO functions based on the complexity of the architecture needs and assess the effectiveness of the entity's separation of duties across the functions, particularly in situations where architecture responsibilities are combined with other functions. Evaluate the effectiveness of the assignment of the following responsibilities: App A Objective 2:9
    Determine whether the board and senior management evaluate whether the IT strategic plan aligns with the enterprise-wide business and strategic plan, as well as established priorities and whether the planning addresses the following: Responsibilities within the AIO functions through defining those responsibilities and determining the effectiveness of the IT strategic planning process. App A Objective 2:5b
    Determine whether management documents, implements, and maintains policies, standards, and procedures related to AIO that address the following: Responsibilities. App A Objective 2:10b
    Determine whether management identifies internal and external roles and responsibilities for AIO activities and implements processes to oversee those activities performed by third-party service providers. Assess whether management appropriately assigned and defined the responsibility and oversight of those activities. App A Objective 7:1
    Review the following and evaluate their effectiveness: Definition of duties, responsibilities, expectations, and accountability. App A Objective 14:4b]
    Human Resources Management Preventive
    Establish, implement, and maintain cybersecurity roles and responsibilities. CC ID 13201 Human Resources Management Preventive
    Assign roles and responsibilities for physical security, as necessary. CC ID 13113
    [{security control} Evaluate the appropriateness of the entity's processes and controls, such as the following: Responsibilities for implementing security and environmental controls. App A Objective 14:1e
    {entity-owned operating center} Evaluate the appropriateness of the entity's processes and controls, such as the following: Responsibility for the physical location as well as the on-premise equipment and systems in entity-owned versus outsourced operating centers. App A Objective 14:1a]
    Establish Roles Preventive
    Document the use of external experts. CC ID 16263 Human Resources Management Preventive
    Define and assign roles and responsibilities for those involved in risk management. CC ID 13660
    [An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Roles, responsibilities, procedures, and reporting mechanisms for risk management in AIO activities. App A Objective 2:8b Bullet 6
    Determine whether the entity's risk management processes include the following governance mechanisms: Delineation of other roles and responsibilities. App A Objective 2:1d]
    Human Resources Management Preventive
    Include the management structure in the duties and responsibilities for risk management. CC ID 13665
    [Determine whether the entity's risk management processes include the following governance mechanisms: Delineation of board and senior management responsibilities. App A Objective 2:1a]
    Human Resources Management Preventive
    Assign the roles and responsibilities for the change control program. CC ID 13118
    [Determine whether the entity's policies, standards, and procedures address change management, including each step of the change process. Assess whether the process includes the following: Identification of responsible staff, applicable stakeholder working groups, or entity committees. App A Objective 6:3c]
    Human Resources Management Preventive
    Identify and define all critical roles. CC ID 00777 Establish Roles Preventive
    Assign cybersecurity reporting responsibilities to qualified personnel. CC ID 12739 Establish Roles Preventive
    Assign responsibility for cyber threat intelligence. CC ID 12746 Human Resources Management Preventive
    Assign the role of security management to applicable controls. CC ID 06444 Establish Roles Preventive
    Assign the role of security leader to keep up to date on the latest threats. CC ID 12112 Human Resources Management Preventive
    Define and assign the data processor's roles and responsibilities. CC ID 12607 Human Resources Management Preventive
    Assign the data processor to assist the data controller in implementing security controls. CC ID 12677 Human Resources Management Preventive
    Assign the data processor to notify the data controller when personal data processing could infringe on regulations. CC ID 12617 Communicate Preventive
    Define and assign the data controller's roles and responsibilities. CC ID 00471 Establish Roles Preventive
    Assign the role of data controller to be the Point of Contact for the supervisory authority. CC ID 12616 Human Resources Management Preventive
    Assign the role of the Data Controller to cooperate with the supervisory authority. CC ID 12615 Human Resources Management Preventive
    Assign the data controller to facilitate the exercise of the data subject's rights. CC ID 12666 Human Resources Management Preventive
    Assign the role of data controller to applicable controls. CC ID 00354 Establish Roles Preventive
    Assign the role of data controller to provide advice, when requested. CC ID 12611 Human Resources Management Preventive
    Assign the role of data controller to additional personnel, as necessary. CC ID 00473 Establish Roles Preventive
    Assign the role of Information Technology operations to applicable controls. CC ID 00682 Establish Roles Preventive
    Assign the role of logical access control to applicable controls. CC ID 00772 Establish Roles Preventive
    Assign the role of asset physical security to applicable controls. CC ID 00770 Establish Roles Preventive
    Assign the role of data custodian to applicable controls. CC ID 04789 Establish Roles Preventive
    Assign the role of the Quality Management committee to applicable controls. CC ID 00769 Establish Roles Preventive
    Assign interested personnel to the Quality Management committee. CC ID 07193 Establish Roles Preventive
    Assign the roles and responsibilities for the asset management system. CC ID 14368 Establish/Maintain Documentation Preventive
    Assign personnel to a crime prevention unit and announce the members of the unit. CC ID 06348 Establish Roles Preventive
    Assign the role of fire protection management to applicable controls. CC ID 04891 Establish Roles Preventive
    Assign the role of Information Technology Service Continuity Management to applicable controls. CC ID 04894 Establish Roles Preventive
    Assign the role of the Computer Emergency Response Team to applicable controls. CC ID 04895 Establish Roles Preventive
    Assign the role of CRYPTO custodian to applicable controls. CC ID 06723 Establish Roles Preventive
    Define and assign the roles and responsibilities of security guards. CC ID 12543 Human Resources Management Preventive
    Define and assign roles and responsibilities for dispute resolution. CC ID 13626 Human Resources Management Preventive
    Define and assign the roles for Legal Support Workers. CC ID 13711 Human Resources Management Preventive
    Establish, implement, and maintain a personnel management program. CC ID 14018
    [{be effective} Examiners should review for the following: Personnel controls (e.g., hiring and retention practices, maintaining appropriate skillsets and knowledge, and activity monitoring processes) to maintain an effective workforce. VI.A Action Summary ¶ 2 Bullet 4]
    Establish/Maintain Documentation Preventive
    Categorize the gender of all employees. CC ID 15609 Human Resources Management Preventive
    Categorize all employees by racial groups and ethnic groups. CC ID 15627 Human Resources Management Preventive
    Establish, implement, and maintain a succession plan for organizational leaders and support personnel. CC ID 11822 Human Resources Management Preventive
    Establish and maintain Personnel Files for all employees. CC ID 12438 Human Resources Management Preventive
    Include credit check results in each employee's personnel file. CC ID 12447 Human Resources Management Preventive
    Include any criminal records in each employee's personnel file. CC ID 12446 Human Resources Management Preventive
    Include all employee information in each employee's personnel file. CC ID 12445 Human Resources Management Preventive
    Include a signed acknowledgment of the Acceptable Use policies in each employee's personnel file. CC ID 12444 Human Resources Management Preventive
    Include a Social Security or Personal Identifier Number in each employee's personnel file. CC ID 12441 Human Resources Management Preventive
    Include referral follow-up results in each employee's personnel file. CC ID 12440 Human Resources Management Preventive
    Include background check results in each employee's personnel file. CC ID 12439 Human Resources Management Preventive
    Establish, implement, and maintain onboarding procedures for new hires. CC ID 11760 Establish/Maintain Documentation Preventive
    Require all new hires to sign all documents in the new hire packet required by the Terms and Conditions of employment. CC ID 11761 Human Resources Management Preventive
    Require all new hires to sign the Code of Conduct. CC ID 06665 Establish/Maintain Documentation Preventive
    Require all new hires to sign Acceptable Use Policies. CC ID 06662 Establish/Maintain Documentation Preventive
    Require new hires to sign nondisclosure agreements. CC ID 06668 Establish/Maintain Documentation Preventive
    Train all new hires, as necessary. CC ID 06673 Behavior Preventive
    Establish, implement, and maintain a personnel security program. CC ID 10628 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a personnel security policy. CC ID 14025 Establish/Maintain Documentation Preventive
    Include compliance requirements in the personnel security policy. CC ID 14154 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the personnel security policy. CC ID 14114 Establish/Maintain Documentation Preventive
    Include management commitment in the personnel security policy. CC ID 14113 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the personnel security policy. CC ID 14112 Establish/Maintain Documentation Preventive
    Include the scope in the personnel security policy. CC ID 14111 Establish/Maintain Documentation Preventive
    Include the purpose in the personnel security policy. CC ID 14110 Establish/Maintain Documentation Preventive
    Disseminate and communicate the personnel security policy to interested personnel and affected parties. CC ID 14109 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain personnel security procedures. CC ID 14058 Establish/Maintain Documentation Preventive
    Disseminate and communicate the personnel security procedures to interested personnel and affected parties. CC ID 14141 Communicate Preventive
    Establish, implement, and maintain security clearance level criteria. CC ID 00780 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain staff position risk designations. CC ID 14280 Human Resources Management Preventive
    Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies. CC ID 00782
    [{be sufficient} Examiners should review for the following: Sufficient resources with infrastructure knowledge, skills, and expertise. V Action Summary ¶ 2 Bullet 3
    {train}{be knowledgeable} Determine whether the entity has an IT support function. If there is, evaluate it for the following: Well-trained and knowledgeable IT support personnel. App A Objective 16:3c]
    Testing Detective
    Perform security skills assessments for all critical employees. CC ID 12102 Human Resources Management Detective
    Assign security clearance procedures to qualified personnel. CC ID 06812 Establish Roles Preventive
    Assign personnel screening procedures to qualified personnel. CC ID 11699 Establish Roles Preventive
    Establish, implement, and maintain personnel screening procedures. CC ID 11700
    [Determine whether management has processes for employee recruitment, hiring, and placement and provides for thorough applicant screening and background checks at the time of employment. Review the following and evaluate their effectiveness: App A Objective 14:4]
    Establish/Maintain Documentation Preventive
    Perform a background check during personnel screening. CC ID 11758
    [Determine whether management has processes for employee recruitment, hiring, and placement and provides for thorough applicant screening and background checks at the time of employment. Review the following and evaluate their effectiveness: App A Objective 14:4]
    Human Resources Management Detective
    Perform a personal identification check during personnel screening. CC ID 06721 Human Resources Management Preventive
    Perform a criminal records check during personnel screening. CC ID 06643 Establish/Maintain Documentation Preventive
    Include all residences in the criminal records check. CC ID 13306 Process or Activity Preventive
    Document any reasons a full criminal records check could not be performed. CC ID 13305 Establish/Maintain Documentation Preventive
    Perform a personal references check during personnel screening. CC ID 06645 Human Resources Management Preventive
    Perform a credit check during personnel screening. CC ID 06646 Human Resources Management Preventive
    Perform an academic records check during personnel screening. CC ID 06647 Establish/Maintain Documentation Preventive
    Perform a drug test during personnel screening. CC ID 06648 Testing Preventive
    Perform a resume check during personnel screening. CC ID 06659 Human Resources Management Preventive
    Perform a curriculum vitae check during personnel screening. CC ID 06660 Human Resources Management Preventive
    Allow personnel being screened to appeal findings and appeal decisions. CC ID 06720 Human Resources Management Preventive
    Disseminate and communicate screening results to interested personnel and affected parties. CC ID 16445 Communicate Preventive
    Perform personnel screening procedures, as necessary. CC ID 11763 Human Resources Management Preventive
    Document the personnel risk assessment results. CC ID 11764 Establish/Maintain Documentation Detective
    Establish, implement, and maintain security clearance procedures. CC ID 00783 Establish/Maintain Documentation Preventive
    Perform periodic background checks on designated roles, as necessary. CC ID 11759
    [Review the following and evaluate their effectiveness: Performance of background checks at an appropriate frequency. App A Objective 14:4a]
    Human Resources Management Detective
    Perform security clearance procedures, as necessary. CC ID 06644 Human Resources Management Preventive
    Establish and maintain security clearances. CC ID 01634 Human Resources Management Preventive
    Document the security clearance procedure results. CC ID 01635 Establish/Maintain Documentation Detective
    Identify and watch individuals that pose a risk to the organization. CC ID 10674 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain personnel status change and termination procedures. CC ID 06549 Establish/Maintain Documentation Preventive
    Terminate user accounts when notified that an individual is terminated. CC ID 11614 Technical Security Corrective
    Terminate access rights when notified of a personnel status change or an individual is terminated. CC ID 11826 Technical Security Corrective
    Assign an owner of the personnel status change and termination procedures. CC ID 11805 Human Resources Management Preventive
    Deny access to restricted data or restricted information when a personnel status change occurs or an individual is terminated. CC ID 01309 Data and Information Management Corrective
    Notify the security manager, in writing, prior to an employee's job change. CC ID 12283 Human Resources Management Preventive
    Notify all interested personnel and affected parties when personnel status changes or an individual is terminated. CC ID 06677
    [Consider the following to identify changes: Loss of, addition to, or change in duties of key personnel, as well as any key management changes. App A Objective 1:3e]
    Behavior Preventive
    Notify terminated individuals of applicable, legally binding post-employment requirements. CC ID 10630 Communicate Preventive
    Enforce the information security responsibilities and duties that remain valid after termination or change of employment. CC ID 11992 Human Resources Management Preventive
    Update contact information of any individual undergoing a personnel status change, as necessary. CC ID 12692 Human Resources Management Corrective
    Disseminate and communicate the personnel status change and termination procedures to all interested personnel and affected parties. CC ID 06676 Behavior Preventive
    Conduct exit interviews upon termination of employment. CC ID 14290 Human Resources Management Preventive
    Require terminated individuals to sign an acknowledgment of post-employment requirements. CC ID 10631 Establish/Maintain Documentation Preventive
    Verify completion of each activity in the employee termination checklist when an individual is terminated. CC ID 12449 Human Resources Management Detective
    Establish and maintain the staff structure in line with the strategic plan. CC ID 00764 Establish Roles Preventive
    Assign and staff all roles appropriately. CC ID 00784
    [{be appropriate} Determine whether management has effective database management, including the following: Has appropriate staff (e.g., DBAs) that App A Objective 3:6h
    Determine whether management defines the entity's authorization boundary(ies) and implements appropriate security controls according to the contents of the authorization boundary, including controls over the following: People and processes supporting the entity's missions and business functions. App A Objective 14:2e]
    Testing Detective
    Delegate authority for specific processes, as necessary. CC ID 06780
    [Determine whether management documents, implements, and maintains policies, standards, and procedures related to AIO that address the following: Authority. App A Objective 2:10d]
    Behavior Preventive
    Implement a staff rotation plan. CC ID 12772
    [Review the following and evaluate their effectiveness: Implementation of rotation of duties. App A Objective 14:4e]
    Human Resources Management Preventive
    Rotate duties amongst the critical roles and positions. CC ID 06554 Establish Roles Preventive
    Place Information Technology operations in a position to support the business model. CC ID 00766
    [Evaluate the effectiveness of the assignment of the following responsibilities: Architecture-related responsibilities: Review of the centralization processes for the IT functions and understanding of interrelationships between the entity's IT and business functions. App A Objective 2:9a Bullet 1]
    Business Processes Preventive
    Implement personnel supervisory practices. CC ID 00773
    [Review the following and evaluate their effectiveness: Reviewing and monitoring of activities performed during rotation of duties. App A Objective 14:4f
    {be independent} Review the following and evaluate their effectiveness: Independently monitoring activities. App A Objective 14:4d]
    Behavior Preventive
    Implement segregation of duties in roles and responsibilities. CC ID 00774
    [Determine whether management assigned responsibilities for the AIO functions based on the complexity of the architecture needs and assess the effectiveness of the entity's separation of duties across the functions, particularly in situations where architecture responsibilities are combined with other functions. Evaluate the effectiveness of the assignment of the following responsibilities: App A Objective 2:9
    Determine whether the entity's policies, standards, and procedures address change management, including each step of the change process. Assess whether the process includes the following: Incorporation of appropriate segregation of duties and monitoring throughout the change management process. App A Objective 6:3g
    Review the following and evaluate their effectiveness: Implementation of dual control and segregation of duties. App A Objective 14:4c]
    Testing Detective
    Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical. CC ID 06960 Technical Security Preventive
    Establish job categorization criteria, job recruitment criteria, and promotion criteria. CC ID 00781
    [Determine whether management has processes for employee recruitment, hiring, and placement and provides for thorough applicant screening and background checks at the time of employment. Review the following and evaluate their effectiveness: App A Objective 14:4]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compensation, reward, and recognition program. CC ID 12806 Human Resources Management Preventive
    Establish and maintain an annual report on compensation. CC ID 14801 Establish/Maintain Documentation Preventive
    Include the design characteristics of the remuneration system in the annual report on compensation. CC ID 14804 Establish/Maintain Documentation Preventive
    Disseminate and communicate the compensation, reward, and recognition program to interested personnel and affected parties. CC ID 14800 Communicate Preventive
    Establish, implement, and maintain roles and responsibilities in the compensation, reward, and recognition program. CC ID 14798 Establish/Maintain Documentation Preventive
    Align the compensation, reward, and recognition program with the risk management program. CC ID 14797 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain remuneration standards, as necessary. CC ID 14794 Establish/Maintain Documentation Preventive
    Refrain from using employees' privacy choices to restrict employment. CC ID 12425 Human Resources Management Preventive
    Refrain from using employees' privacy choices to take punitive actions. CC ID 16815 Human Resources Management Preventive
    Use rewards and career development to motivate personnel. CC ID 06906 Behavior Preventive
    Disseminate and communicate the organization’s ethical culture in job recruitment criteria and promotion criteria. CC ID 12825 Human Resources Management Preventive
    Recognize personnel who reinforce desirable conduct with incentives. CC ID 12815 Human Resources Management Preventive
    Establish, implement, and maintain job applications. CC ID 16180 Establish/Maintain Documentation Preventive
    Include a space for the applicant's name on the job application. CC ID 16190 Human Resources Management Preventive
    Include a space for the applicant's current address on the job application. CC ID 16189 Human Resources Management Preventive
    Include a space for the applicant's social security number on the job application. CC ID 16188 Human Resources Management Preventive
    Include a space for the applicant's date of birth on the job application. CC ID 16186 Human Resources Management Preventive
    Include a space for previous employers and business relationships on the job application. CC ID 16185 Human Resources Management Preventive
    Include a space to explain formal disciplinary actions and sanctions on the job application. CC ID 16184 Human Resources Management Preventive
    Include a space for the start date on the job application. CC ID 16187 Human Resources Management Preventive
    Include a space to explain legal penalties on the job application. CC ID 16183 Human Resources Management Preventive
    Approve the wording of job applications. CC ID 16182 Human Resources Management Preventive
    Include a space for past aliases and other used names on job applications. CC ID 12301 Human Resources Management Preventive
    Include a space for previous addresses and previous residences on the job application. CC ID 12302 Human Resources Management Preventive
    Include a space to explain employment gaps on the job application. CC ID 12303 Human Resources Management Preventive
    Train all personnel and third parties, as necessary. CC ID 00785
    [Determine whether management considers risks related to exchange files and implements effective mitigation, such as the following: Implementation of appropriate operational controls, such as: Provision of training to employees on approved solutions. App A Objective 11:1e Bullet 6
    {unauthorized device}As part of these processes, determine whether management does the following: Updates the related policy or procedures or provides additional training. App A Objective 13:2c
    Evaluate the appropriateness of the entity's processes and controls, such as the following: Operating center responsibilities, including: Training staff to operate and maintain the entity's equipment and systems. App A Objective 14:1f Bullet 1
    With respect to specific software types, determine whether management does the following: For mainframe security software: Maintains appropriate mainframe security expertise. App A Objective 13:6h Bullet 9]
    Behavior Preventive
    Establish, implement, and maintain an education methodology. CC ID 06671 Business Processes Preventive
    Support certification programs as viable training programs. CC ID 13268 Human Resources Management Preventive
    Include evidence of experience in applications for professional certification. CC ID 16193 Establish/Maintain Documentation Preventive
    Include supporting documentation in applications for professional certification. CC ID 16195 Establish/Maintain Documentation Preventive
    Submit applications for professional certification. CC ID 16192 Training Preventive
    Retrain all personnel, as necessary. CC ID 01362 Behavior Preventive
    Tailor training to meet published guidance on the subject being taught. CC ID 02217 Behavior Preventive
    Tailor training to be taught at each person's level of responsibility. CC ID 06674
    [Determine whether management appropriately considers the uses and risks of data analytics and performs the following: Obtains sufficient knowledge for management and personnel to interpret dashboards and reports. App A Objective 3:9e
    Determine whether the entity has an IT support function. If there is, evaluate it for the following: Appropriate training for IT support personnel to perform their duties, if IT support software is used. App A Objective 16:3d]
    Behavior Preventive
    Conduct cross-training or staff backup training to minimize dependency on critical individuals. CC ID 00786 Behavior Preventive
    Document all training in a training record. CC ID 01423 Establish/Maintain Documentation Detective
    Use automated mechanisms in the training environment, where appropriate. CC ID 06752 Behavior Preventive
    Conduct tests and evaluate training. CC ID 06672
    [Evaluate the effectiveness of the assignment of the following responsibilities: Architecture-related responsibilities: Maintenance and use of IT architecture knowledge. App A Objective 2:9a Bullet 7
    Regardless of the type of externally developed software selected, determine whether management performed the following: Allocated resources to support the software (e.g., financial and personnel) and determined that personnel have the expertise to maintain and patch the software. App A Objective 13:5c Bullet 2]
    Testing Detective
    Hire third parties to conduct training, as necessary. CC ID 13167 Human Resources Management Preventive
    Review the current published guidance and awareness and training programs. CC ID 01245 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain training plans. CC ID 00828
    [For internally hosted software, determine whether management: Allocates resources for necessary training to maintain knowledge. App A Objective 13:7a Bullet 2]
    Establish/Maintain Documentation Preventive
    Train personnel to recognize conditions of diseases or sicknesses, as necessary. CC ID 14383 Training Detective
    Include prevention techniques in training regarding diseases or sicknesses. CC ID 14387 Training Preventive
    Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses. CC ID 14386 Training Preventive
    Train personnel to identify and communicate symptoms of exposure to disease or sickness. CC ID 14385 Training Detective
    Develop or acquire content to update the training plans. CC ID 12867 Training Preventive
    Designate training facilities in the training plan. CC ID 16200 Training Preventive
    Include portions of the visitor control program in the training plan. CC ID 13287 Establish/Maintain Documentation Preventive
    Include ethical culture in the training plan, as necessary. CC ID 12801 Human Resources Management Preventive
    Include in scope external requirements in the training plan, as necessary. CC ID 13041 Training Preventive
    Include duties and responsibilities in the training plan, as necessary. CC ID 12800 Human Resources Management Preventive
    Conduct bespoke roles and responsibilities training, as necessary. CC ID 13192 Training Preventive
    Include risk management in the training plan, as necessary. CC ID 13040 Training Preventive
    Conduct Archives and Records Management training. CC ID 00975 Behavior Preventive
    Conduct personal data processing training. CC ID 13757 Training Preventive
    Include in personal data processing training how to provide the contact information for the categories of personal data the organization may disclose. CC ID 13758 Training Preventive
    Include the cloud service usage standard in the training plan. CC ID 13039 Training Preventive
    Establish, implement, and maintain a security awareness program. CC ID 11746
    [Assess whether management performs the following: Includes shadow IT in security awareness training. App A Objective 4:5b]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness and training policy. CC ID 14022 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security awareness and training policy. CC ID 14092 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security awareness and training policy. CC ID 14091 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security awareness and training procedures. CC ID 14054 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security awareness and training procedures to interested personnel and affected parties. CC ID 14138 Communicate Preventive
    Include management commitment in the security awareness and training policy. CC ID 14049 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security awareness and training policy. CC ID 14048
    [Determine whether management has effective database management, including the following: Has appropriate staff (e.g., DBAs) that is responsible for database configuration, access controls, and maintenance, as well as training. App A Objective 3:6h Bullet 1]
    Establish/Maintain Documentation Preventive
    Include the scope in the security awareness and training policy. CC ID 14047 Establish/Maintain Documentation Preventive
    Include the purpose in the security awareness and training policy. CC ID 14045 Establish/Maintain Documentation Preventive
    Include configuration management procedures in the security awareness program. CC ID 13967 Establish/Maintain Documentation Preventive
    Include media protection in the security awareness program. CC ID 16368 Training Preventive
    Document security awareness requirements. CC ID 12146 Establish/Maintain Documentation Preventive
    Include safeguards for information systems in the security awareness program. CC ID 13046 Establish/Maintain Documentation Preventive
    Include security policies and security standards in the security awareness program. CC ID 13045 Establish/Maintain Documentation Preventive
    Include physical security in the security awareness program. CC ID 16369 Training Preventive
    Include mobile device security guidelines in the security awareness program. CC ID 11803 Establish/Maintain Documentation Preventive
    Include updates on emerging issues in the security awareness program. CC ID 13184 Training Preventive
    Include cybersecurity in the security awareness program. CC ID 13183 Training Preventive
    Include implications of non-compliance in the security awareness program. CC ID 16425 Training Preventive
    Include the acceptable use policy in the security awareness program. CC ID 15487 Training Preventive
    Include training based on the participants' level of responsibility and access level in the security awareness program. CC ID 11802 Establish/Maintain Documentation Preventive
    Include a requirement to train all new hires and interested personnel in the security awareness program. CC ID 11800 Establish/Maintain Documentation Preventive
    Include remote access in the security awareness program. CC ID 13892 Establish/Maintain Documentation Preventive
    Document the goals of the security awareness program. CC ID 12145 Establish/Maintain Documentation Preventive
    Compare current security awareness assessment reports to the security awareness baseline. CC ID 12150 Establish/Maintain Documentation Preventive
    Establish and maintain management's commitment to supporting the security awareness program. CC ID 12151 Human Resources Management Preventive
    Establish and maintain a steering committee to guide the security awareness program. CC ID 12149 Human Resources Management Preventive
    Document the scope of the security awareness program. CC ID 12148 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security awareness baseline. CC ID 12147 Establish/Maintain Documentation Preventive
    Encourage interested personnel to obtain security certification. CC ID 11804 Human Resources Management Preventive
    Disseminate and communicate the security awareness program to all interested personnel and affected parties. CC ID 00823 Behavior Preventive
    Train all personnel and third parties on how to recognize and report security incidents. CC ID 01211 Behavior Preventive
    Train all personnel and third parties on how to recognize and report system failures. CC ID 13475 Training Preventive
    Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies. CC ID 01363 Establish/Maintain Documentation Preventive
    Monitor and measure the effectiveness of security awareness. CC ID 06262 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain an environmental management system awareness program. CC ID 15200 Establish/Maintain Documentation Preventive
    Conduct secure coding and development training for developers. CC ID 06822 Behavior Corrective
    Conduct tampering prevention training. CC ID 11875 Training Preventive
    Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training. CC ID 11877 Training Preventive
    Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training. CC ID 11876 Training Preventive
    Include how to report tampering and unauthorized substitution in the tampering prevention training. CC ID 11879 Training Preventive
    Include how to prevent physical tampering in the tampering prevention training. CC ID 11878 Training Preventive
    Include procedures on how to inspect devices in the tampering prevention training. CC ID 11990 Training Preventive
    Train interested personnel and affected parties to collect digital forensic evidence. CC ID 08658 Training Preventive
    Conduct crime prevention training. CC ID 06350 Behavior Preventive
    Analyze and evaluate training records to improve the training program. CC ID 06380 Monitor and Evaluate Occurrences Detective
  • Leadership and high level objectives
    Leadership and high level objectives CC ID 00597 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a reporting methodology program. CC ID 02072
    [{be useful}Evaluate the following: Senior management and other stakeholders have input into the types of reports and metrics produced, and reports are understandable and useful to them. App A Objective 17:1a]
    Business Processes Preventive
    Establish, implement, and maintain communication protocols. CC ID 12245
    [Examiners should review for the following: Communication processes with business line management. VI.C Action Summary ¶ 2 Bullet 2
    Determine whether the entity's risk management processes include the following governance mechanisms: Communications. App A Objective 2:1g]
    Establish/Maintain Documentation Preventive
    Use secure communication protocols for telecommunications. CC ID 16458 Business Processes Preventive
    Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol. CC ID 12419 Establish/Maintain Documentation Preventive
    Assess the effectiveness of the communication methods used in the communication protocol. CC ID 12691 Process or Activity Detective
    Include external requirements in the organization's communication protocol. CC ID 12418 Establish/Maintain Documentation Preventive
    Include disseminating and communicating events surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12824 Communicate Preventive
    Include input from interested personnel and affected parties as a part of the organization’s communication protocol. CC ID 12417
    [Determine whether the IT environment and its products and services, whether internally or externally provided, are adaptable to change, and stakeholders from across the entity have input into the change process. App A Objective 6:1
    Evaluate whether management performs the following: Coordinates meetings between process owners from both business and technology functions to discuss known issues, changes in progress, and future changes. App A Objective 16:1d
    Examiners should review for the following: Stakeholder input into the types of reports and metrics produced. VI.D Action Summary ¶ 2 Bullet 2
    {be useful}Evaluate the following: Senior management and other stakeholders have input into the types of reports and metrics produced, and reports are understandable and useful to them. App A Objective 17:1a
    Evaluate the following: Operations management meets periodically with senior management and other stakeholders on monitoring and reporting. App A Objective 17:1c
    Additionally, evaluate whether management does the following: Meets with stakeholders to review IT and operations KPIs to determine whether they are appropriate indicators of the ability to meet the entity's strategic objectives. App A Objective 17:2g]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a corrective action plan to address barriers to stakeholder engagement. CC ID 15677 Process or Activity Preventive
    Identify barriers to stakeholder engagement. CC ID 15676 Process or Activity Preventive
    Identify alternative measures for collecting stakeholder input, as necessary. CC ID 15672 Communicate Preventive
    Include disseminating and communicating conditions surrounding instances of desirable conduct and undesirable conduct in the communication protocols. CC ID 12804 Communicate Preventive
    Include methods to obtain information from interested personnel and affected parties about performance variances in the communication protocol. CC ID 12856 Process or Activity Preventive
    Include disseminating and communicating desirable conduct in the communication protocols. CC ID 12803 Communicate Preventive
    Include disseminating and communicating undesirable conduct in communication protocols. CC ID 12802 Communicate Preventive
    Route notifications, as necessary. CC ID 12832 Process or Activity Preventive
    Substantiate notifications, as necessary. CC ID 12831 Process or Activity Preventive
    Analyze the flow of information to ensure it is being received by the correct processes. CC ID 12860 Business Processes Preventive
    Prioritize notifications, as necessary. CC ID 12830 Process or Activity Preventive
    Report to management and stakeholders on the findings and information gathered from all types of inquiries. CC ID 12797
    [Evaluate the effectiveness of the assignment of the following responsibilities: Data-related responsibilities: Ownership of the entity's strategic use of data and communication of information and data analytics. App A Objective 2:9b Bullet 7
    Determine whether management has effective database management, including the following: Has appropriate staff (e.g., DBAs) that is familiar with procedures to protect sensitive information, restores normal operations, and notifies the information security officer when necessary. App A Objective 3:6h Bullet 5]
    Actionable Reports or Measurements Preventive
    Disseminate and communicate internal controls with supply chain members. CC ID 12416
    [Evaluate whether management performs the following: Coordinates its processes with third-party service providers, when used, to ensure seamless functionality to the entity's lines of business. App A Objective 16:1c]
    Communicate Preventive
    Establish and maintain the organization's survey method. CC ID 12869 Process or Activity Preventive
    Document the findings from surveys. CC ID 16309 Establish/Maintain Documentation Preventive
    Provide a consolidated view of information in the organization's survey method. CC ID 12894 Process or Activity Preventive
    Establish, implement, and maintain warning procedures that follow the organization's communication protocol. CC ID 12407 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain alert procedures that follow the organization's communication protocol. CC ID 12406 Establish/Maintain Documentation Preventive
    Include the capturing and alerting of compliance violations in the notification system. CC ID 12962 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of unethical conduct in the notification system. CC ID 12932 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of performance variances in the notification system. CC ID 12929 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of weaknesses in the notification system. CC ID 12928 Monitor and Evaluate Occurrences Preventive
    Include the capturing and alerting of account activity in the notification system. CC ID 15314 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an internal reporting program. CC ID 12409
    [Considers the following when implementing and using data analytics: Documentation of the data types maintained, data owners and users, and purposes of reports. App A Objective 3:9f Bullet 1
    Evaluate the adequacy of the entity's documented and approved architecture plan. Consider whether management considers the following in relationship to the plan: Inclusion of processes for obtaining approvals, making changes to the plan, and reporting, as appropriate. App A Objective 12:3c
    Evaluate whether management has a process to determine appropriate deployment environments (e.g., in-house or serviced, virtualization and cloud, or hybrid) as part of the design process. Determine whether the process includes the following considerations: Placement and selection of storage, design of network topology, availability of bandwidth, and need for management reporting systems, as well as implementation of monitoring tools. App A Objective 12:5d
    {information asset} Management should have appropriate ITAM processes to track, manage, and report on the entity's information and technology assets. III.B Action Summary ¶ 1
    {information asset} Management implements appropriate ITAM processes to track, manage, report on the entity's information and technology assets. (III.B, "IT Asset Management") App A Objective 4
    Determine the effectiveness and comprehensiveness of board and senior management reporting related to AIO. Evaluate whether the following activities are performed: App A Objective 2:13]
    Business Processes Preventive
    Include transactions and events as a part of internal reporting. CC ID 12413 Business Processes Preventive
    Disseminate and communicate management's choices for managing the organization as a part of internal reporting. CC ID 12412 Communicate Preventive
    Enforce a precision level for non-financial reporting based on user need and appropriate supply chain criteria. CC ID 12399 Establish/Maintain Documentation Preventive
    Define the thresholds for escalation in the internal reporting program. CC ID 14332 Establish/Maintain Documentation Preventive
    Define the thresholds for reporting in the internal reporting program. CC ID 14331 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an external reporting program. CC ID 12876 Communicate Preventive
    Provide identifying information about the organization to the responsible party. CC ID 16715 Communicate Preventive
    Identify the material topics required to be reported on. CC ID 15654 Business Processes Preventive
    Check the list of material topics for completeness. CC ID 15692 Investigate Preventive
    Prioritize material topics used in reporting. CC ID 15678 Communicate Preventive
    Review and approve the material topics, as necessary. CC ID 15670 Process or Activity Preventive
    Define the thresholds for reporting in the external reporting program. CC ID 15679 Establish/Maintain Documentation Preventive
    Include time requirements in the external reporting program. CC ID 16566 Communicate Preventive
    Include information about the organizational culture in the external reporting program. CC ID 15610 Establish/Maintain Documentation Preventive
    Include reporting to governing bodies in the external reporting plan. CC ID 12923 Communicate Preventive
    Submit confidential treatment applications to interested personnel and affected parties. CC ID 16592 Communicate Preventive
    Include the reasons for objections to public disclosure in confidential treatment applications. CC ID 16594 Establish/Maintain Documentation Preventive
    Include contact information for the interested personnel and affected parties the report was filed with in the confidential treatment application. CC ID 16595 Establish/Maintain Documentation Preventive
    Include the information that was omitted in the confidential treatment application. CC ID 16593 Establish/Maintain Documentation Preventive
    Analyze organizational objectives, functions, and activities. CC ID 00598 Monitor and Evaluate Occurrences Preventive
    Analyze the business environment in which the organization operates. CC ID 12798 Business Processes Preventive
    Identify the internal factors that may affect organizational objectives. CC ID 12957
    [{internal factor}Determine whether management implements adequate capacity management processes. Additionally, evaluate whether the processes provide for the following: Addressing internal and external factors. App A Objective 15:6b]
    Process or Activity Preventive
    Monitor for changes which affect organizational strategies in the internal business environment. CC ID 12863
    [Consider the following to identify changes: Any significant changes in business strategy or activities that could affect the AIO environment (e.g., new lines of business or a decision to move from in-house to a cloud service provider). App A Objective 1:3a
    Evaluate whether the following activities are performed: The board regularly monitors strategy, security, and resilience activities. App A Objective 2:13b]
    Monitor and Evaluate Occurrences Preventive
    Analyze the external environment in which the organization operates. CC ID 12799 Business Processes Preventive
    Identify the external forces that may affect organizational objectives. CC ID 12960
    [{industry trend}Determine whether the architecture design involves the following: Identification of the entity's IT assets, external constraints, industry IT architecture trends, and the entity's needs for the desired future state. App A Objective 12:1d
    {internal factor}Determine whether management implements adequate capacity management processes. Additionally, evaluate whether the processes provide for the following: Addressing internal and external factors. App A Objective 15:6b]
    Process or Activity Preventive
    Include industry forces in the analysis of the external environment. CC ID 12904
    [Consider the following to identify changes: Changes based on industry changes or threat intelligence. App A Objective 1:3h]
    Business Processes Preventive
    Include threats in the analysis of the external environment. CC ID 12898
    [Consider the following to identify changes: Changes based on industry changes or threat intelligence. App A Objective 1:3h]
    Business Processes Preventive
    Include legal requirements in the analysis of the external environment. CC ID 12896
    [Considers the following as part of its service management planning: Applicable legal and regulatory requirements. App A Objective 16:1a Bullet 4]
    Business Processes Preventive
    Establish, implement, and maintain organizational objectives. CC ID 09959
    [Examiners should review for the following: Defined objectives for IT, operations, and key performance indicators (KPI). VI.D Action Summary ¶ 2 Bullet 3
    Determine whether oversight includes the following: Board and senior management consideration of the entity's business objectives, including functions performed by affiliates and third-party service providers. App A Objective 2:2a
    Determine whether oversight includes the following: Management identification and evaluation of AIO-related risks, definition of short- and long-term objectives, and creation of policies and procedures to mitigate those risks. App A Objective 2:2b
    Determine whether management defines objectives for IT and operations and KPIs to help management measure those objectives. Additionally, evaluate whether management does the following: App A Objective 17:2]
    Establish/Maintain Documentation Preventive
    Evaluate organizational objectives to determine impact on other organizational objectives. CC ID 12814 Process or Activity Preventive
    Identify events that may affect organizational objectives. CC ID 12961 Process or Activity Preventive
    Identify conditions that may affect organizational objectives. CC ID 12958 Process or Activity Preventive
    Identify requirements that could affect achieving organizational objectives. CC ID 12828
    [{industry trend}Determine whether the architecture design involves the following: Identification of the entity's IT assets, external constraints, industry IT architecture trends, and the entity's needs for the desired future state. App A Objective 12:1d]
    Business Processes Preventive
    Identify opportunities that could affect achieving organizational objectives. CC ID 12826 Business Processes Preventive
    Prioritize organizational objectives. CC ID 09960
    [{business objective}Evaluate the adequacy of the entity's documented and approved architecture plan. Consider whether management considers the following in relationship to the plan: Alignment with the entity's strategic plan and support for the business and strategic objectives of the entity. App A Objective 12:3a]
    Business Processes Preventive
    Select financial reporting objectives consistent with accounting principles available to the organization. CC ID 12400 Business Processes Preventive
    Establish, implement, and maintain a value generation model. CC ID 15591 Establish/Maintain Documentation Preventive
    Disseminate and communicate the value generation model to all interested personnel and affected parties. CC ID 15607 Communicate Preventive
    Include value distribution in the value generation model. CC ID 15603 Establish/Maintain Documentation Preventive
    Include value retention in the value generation model. CC ID 15600 Establish/Maintain Documentation Preventive
    Include value generation procedures in the value generation model. CC ID 15599 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain value generation objectives. CC ID 15583 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain social responsibility objectives. CC ID 15611 Establish/Maintain Documentation Preventive
    Establish and maintain a Mission, Vision, and Values Statement. CC ID 12783 Establish/Maintain Documentation Preventive
    Include the vision statement in the Mission, Vision, and Values Statement. CC ID 12839 Establish/Maintain Documentation Preventive
    Include the mission statement in the Mission, Vision, and Values Statement. CC ID 12838 Establish/Maintain Documentation Preventive
    Include management commitment in the Mission, Vision, and Values Statement. CC ID 12808 Establish/Maintain Documentation Preventive
    Include the value statement in the Mission, Vision, and Values Statement. CC ID 12807 Establish/Maintain Documentation Preventive
    Include environmental factors in the Mission, Vision, and Values Statement. CC ID 15590 Establish/Maintain Documentation Preventive
    Include societal factors in the Mission, Vision, and Values Statement. CC ID 15605 Establish/Maintain Documentation Preventive
    Include stakeholder requirements in the Mission, Vision, and Values Statement. CC ID 15586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the Mission, Vision, and Values Statement to all interested personnel and affected parties. CC ID 15585 Communicate Preventive
    Disseminate and communicate organizational objectives to all interested personnel and affected parties. CC ID 13191 Communicate Preventive
    Document and communicate the linkage between organizational objectives, functions, activities, and general controls. CC ID 12398
    [Determine whether management oversight includes the following: Promoting alignment and integration between functions of AIO. App A Objective 2:4d]
    Establish/Maintain Documentation Preventive
    Identify threats that could affect achieving organizational objectives. CC ID 12827 Business Processes Preventive
    Identify how opportunities, threats, and external requirements are trending. CC ID 12829 Process or Activity Preventive
    Identify relationships between opportunities, threats, and external requirements. CC ID 12805 Process or Activity Preventive
    Review the organization's approach to managing information security, as necessary. CC ID 12005 Business Processes Preventive
    Identify all interested personnel and affected parties. CC ID 12845
    [For internally hosted software, determine whether management: Identifies personnel (e.g., internal or third-party) with relevant skills and expertise. App A Objective 13:7a Bullet 1]
    Process or Activity Detective
    Analyze and prioritize the requirements of interested personnel and affected parties. CC ID 12796
    [Considers the following when implementing and using data analytics: Determination of stakeholders' usage needs. App A Objective 3:9f Bullet 2
    {be external}{be internal}Determine whether management considers risks related to exchange files and implements effective mitigation, such as the following: Identification of user needs for exchanging files, both internally and externally. App A Objective 11:1a]
    Business Processes Preventive
    Establish, implement, and maintain data governance and management practices. CC ID 14998
    [{be appropriate}Determine whether management has effective database management, including the following: Focuses on identifying, managing, and securing the data; identifying business uses; and providing appropriate access regardless of how the data are stored. App A Objective 3:6g
    Determine whether management has data governance and data management processes that include defining responsibility and processes for governing data, including the identification, management, and oversight of any metadata, and promoting a culture that takes a data-centric approach. App A Objective 3:4
    Evaluate the effectiveness of the assignment of the following responsibilities: Data-related responsibilities: Governance and use of information or data, protection of that data, and derivation of maximum value from it. App A Objective 2:9b Bullet 1
    Evaluate the effectiveness of the assignment of the following responsibilities: Data-related responsibilities: Ownership of the entity's strategic use of data and communication of information and data analytics. App A Objective 2:9b Bullet 7
    Determine whether management governs and manages data based on the entity-assigned data classification. App A Objective 3:1
    Management understands the common risks and mitigating controls related to data governance and data management. (III.A, "Data Governance and Data Management") App A Objective 3
    Management should promote a culture that takes a data-centric approach for AIO functions and define responsibility and controls as part of data governance and data management processes. III.A Action Summary ¶ 1
    {physical form}Examiners should review for the following: Data management controls for safeguarding data in physical and digital form. III.A Action Summary ¶ 2 Bullet 2]
    Establish/Maintain Documentation Preventive
    Address shortcomings of the data sets in the data governance and management practices. CC ID 15087 Establish/Maintain Documentation Preventive
    Include any shortcomings of the data sets in the data governance and management practices. CC ID 15086 Establish/Maintain Documentation Preventive
    Include bias for data sets in the data governance and management practices. CC ID 15085 Establish/Maintain Documentation Preventive
    Include a data strategy in the data governance and management practices. CC ID 15304 Establish/Maintain Documentation Preventive
    Include data monitoring in the data governance and management practices. CC ID 15303 Establish/Maintain Documentation Preventive
    Include an assessment of the data sets in the data governance and management practices. CC ID 15084 Establish/Maintain Documentation Preventive
    Include assumptions for the formulation of data sets in the data governance and management practices. CC ID 15083 Establish/Maintain Documentation Preventive
    Include data collection for data sets in the data governance and management practices. CC ID 15082 Establish/Maintain Documentation Preventive
    Include data preparations for data sets in the data governance and management practices. CC ID 15081 Establish/Maintain Documentation Preventive
    Include design choices for data sets in the data governance and management practices. CC ID 15080 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an information classification standard. CC ID 00601
    [Determine whether management has a comprehensive inventory of its electronic (or digital) and physical information assets, in accordance with the Information Security Standards. Evaluate whether management specifically identifies its information assets, determines the appropriate classification of those assets, and protects them according to the entity's data classification process. App A Objective 4:1]
    Establish/Maintain Documentation Preventive
    Take into account the accessibility to and location of the data or information when establishing information impact levels. CC ID 04787 Data and Information Management Preventive
    Take into account the organization's obligation to protect data or information when establishing information impact levels. CC ID 04786 Data and Information Management Preventive
    Take into account the context of use for data or information when establishing information impact levels. CC ID 04785
    [Identifies and understands the nature of the entity's data, including: Frequency, recurrence, and use of the data. App A Objective 3:5a Bullet 2
    {be appropriate}Determine whether management has effective database management, including the following: Focuses on identifying, managing, and securing the data; identifying business uses; and providing appropriate access regardless of how the data are stored. App A Objective 3:6g]
    Data and Information Management Preventive
    Take into account the potential aggregation of restricted data fields when establishing information impact levels. CC ID 04784 Data and Information Management Preventive
    Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard. CC ID 11997
    [Identifies and understands the nature of the entity's data, including: Sensitivity, criticality, and importance of the data. App A Objective 3:5a Bullet 1]
    Data and Information Management Preventive
    Take into account the distinguishability factor when establishing information impact levels. CC ID 04783 Data and Information Management Preventive
    Classify the criticality to unauthorized disclosure or modification of information in the information classification standard. CC ID 11996
    [Identifies and understands the nature of the entity's data, including: Sensitivity, criticality, and importance of the data. App A Objective 3:5a Bullet 1]
    Data and Information Management Preventive
    Classify the value of information in the information classification standard. CC ID 11995
    [Identifies and understands the nature of the entity's data, including: Sensitivity, criticality, and importance of the data. App A Objective 3:5a Bullet 1]
    Data and Information Management Preventive
    Classify the legal requirements of information in the information classification standard. CC ID 11994
    [Considers the following when implementing and using data analytics: Identification of data subject to applicable laws and regulations or other relevant industry standards. App A Objective 3:9f Bullet 7]
    Data and Information Management Preventive
    Establish, implement, and maintain a data classification scheme. CC ID 11628
    [Determine whether management identifies and classifies the entity's data effectively. Determine whether management does the following: App A Objective 3:5
    Considers the following when implementing and using data analytics: Documentation of the data types maintained, data owners and users, and purposes of reports. App A Objective 3:9f Bullet 1
    Evaluate whether business line management is consulted to assist in data classification, recovery standards development, and appropriate control validation. App A Objective 3:3
    Verify that management implemented effective database security controls, such as the following: Classifies data maintained within the database. App A Objective 3:7i
    {Data classification}Examiners should review for the following: Data identification and classification processes. III.A Action Summary ¶ 2 Bullet 1]
    Establish/Maintain Documentation Preventive
    Take into account the characteristics of the geographical, behavioral and functional setting for all datasets. CC ID 15046 Data and Information Management Preventive
    Approve the data classification scheme. CC ID 13858 Establish/Maintain Documentation Detective
    Disseminate and communicate the data classification scheme to interested personnel and affected parties. CC ID 16804 Communicate Preventive
    Establish and maintain an organizational data dictionary, including data syntax rules. CC ID 00600 Establish/Maintain Documentation Preventive
    Include the data source in the data dictionary. CC ID 13519
    [Determine whether management appropriately considers the uses and risks of data analytics and performs the following: Inventories the data sources, assesses the information type according to the entity's data classification policy, and appropriately secures those sources. App A Objective 3:9c]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an Information and Infrastructure Architecture model. CC ID 00599
    [Examiners should review for the following: Design of IT architecture (e.g., in-house, virtualization and cloud, or hybrid). IV Action Summary ¶ 2 Bullet 5
    Examiners should review for the following: Documentation of EA elements. IV Action Summary ¶ 2 Bullet 6
    Validating through audits and other independent assessments that the following are comprehensive, meet enterprise-wide business and strategic plan objectives, and can assist in the identification of AIO-related risk. Architectural designs and integration across the entity. App A Objective 2:4a Bullet 1
    Evaluate the effectiveness of the assignment of the following responsibilities: Architecture-related responsibilities: Development of IT architecture policy and terminology. App A Objective 2:9a Bullet 8
    Evaluate the effectiveness of the assignment of the following responsibilities: Architecture-related responsibilities: Development and maintenance of the enterprise model, including a common understanding, vocabulary, and blueprint for all stakeholders. App A Objective 2:9a Bullet 2
    Evaluate the effectiveness of the assignment of the following responsibilities: Architecture-related responsibilities: Responsibility for designing the IT architecture and accommodating IT changes. App A Objective 2:9a Bullet 3
    An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Architecture designed to meet the entity's goals or objectives. App A Objective 2:8b Bullet 2
    In larger or more complex entities, determine whether management considered using EA to align its architecture with the entity's strategic plans and business functions. Describe management's implementation of EA and use of architecture frameworks, if appropriate. Regardless of entity size, determine whether management incorporated the following: App A Objective 12:6
    Determine whether management established enterprise-wide architecture principles that balance the mitigation of risks to various stakeholders and align with the entity's strategic goals and business objectives; meet the entity's needs for confidentiality, integrity, and availability; and adhere to the entity's policies, standards, and procedures. Determine whether the architecture design involves the following: App A Objective 12:1
    Evaluate the adequacy of the entity's documented and approved architecture plan. Consider whether management considers the following in relationship to the plan: App A Objective 12:3
    Determine whether the architecture design involves the following: Consideration of the entity's architecture requirements for its existing technology and any planned changes. App A Objective 12:1a
    Determine whether management has policies, standards, and procedures to govern the entity's architecture design process and whether the design process addresses the following: App A Objective 12:2
    Determine whether management has policies, standards, and procedures to govern the entity's architecture design process and whether the design process addresses the following: Implementation and maintenance of the architecture. App A Objective 12:2g
    {strategic objective} Management designs, applies, and aligns its IT architecture to meet the strategic and business objectives of the enterprise. (IV, "Architecture") App A Objective 12
    {strategic objective}{Information Technology architecture plan} Management should design, apply, and align its IT architecture to meet the strategic and business objectives of the enterprise. The architecture plan should meet the entity's needs for confidentiality, integrity, and availability to minimize operational and reputational risks resulting from poorly designed systems. IV Action Summary ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain sustainable infrastructure planning. CC ID 00603
    [Management implements an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity's business objectives. (V, "Infrastructure") App A Objective 13
    {Information Technology infrastructure control program} Management should implement an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity's business objectives. Management should develop, document, and implement infrastructure control policies, standards, and procedures to safeguard facilities, technology, data, and personnel. IT infrastructure implementation practices should include redundancy and resilience for physical infrastructure elements and related products, services, and telecommunications. V Action Summary ¶ 1]
    Establish/Maintain Documentation Preventive
    Take into account the need for protecting information confidentiality during infrastructure planning. CC ID 06486 Behavior Preventive
    Monitor regulatory trends to maintain compliance. CC ID 00604
    [{industry trend}Determine whether the architecture design involves the following: Identification of the entity's IT assets, external constraints, industry IT architecture trends, and the entity's needs for the desired future state. App A Objective 12:1d]
    Monitor and Evaluate Occurrences Detective
    Monitor for new Information Security solutions. CC ID 07078
    [The patch management program includes the following: Records of the system and software versions in place and regular monitoring of online and industry resources for information on product enhancements, security or other issues, patches, or upgrades. App A Objective 15:3b Bullet 3]
    Monitor and Evaluate Occurrences Detective
    Subscribe to a threat intelligence service to receive notification of emerging threats. CC ID 12135
    [The vulnerability management program includes the following: Processes to monitor industry third parties (e.g., US-CERT, NIST, and FS-ISAC) that report vulnerability exposures and address any relevant exposures within the entity's systems and software. App A Objective 15:3a Bullet 2]
    Technical Security Detective
    Disseminate and communicate emerging threats to all interested personnel and affected parties. CC ID 12185 Communicate Preventive
    Disseminate and communicate updated guidance documentation to interested personnel and affected parties upon discovery of a new threat. CC ID 12191 Communicate Corrective
    Establish, implement, and maintain a Quality Management framework. CC ID 07196 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Quality Management program. CC ID 07201 Establish/Maintain Documentation Preventive
    Correct errors and deficiencies in a timely manner. CC ID 13501
    [Review the effectiveness of management's mitigation of the risks associated with the following: Smoke and fire mitigation strategies, including: Inspections of facilities for potential fire hazards and resolution of identified deficiencies. App A Objective 13:9b Bullet 4]
    Business Processes Corrective
    Include data management procedures in the quality management system. CC ID 15052
    [{data tool}Evaluate the effectiveness of the assignment of the following responsibilities: Data-related responsibilities: Use of data and reporting tools, maintenance of data quality, and promotion of data integrity. App A Objective 2:9b Bullet 6]
    Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the organizational compliance framework and Information Assurance controls. CC ID 01241
    [Determine whether management documents, implements, and maintains policies, standards, and procedures related to AIO that address the following: Scope. App A Objective 2:10a]
    Establish/Maintain Documentation Preventive
    Define the scope of the security policy. CC ID 07145 Data and Information Management Preventive
    Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents. CC ID 00688
    [{information asset}Examiners should review for the following: Identification of the entity's information and technology assets. IV Action Summary ¶ 2 Bullet 1
    Determine whether management has a comprehensive inventory of its electronic (or digital) and physical information assets, in accordance with the Information Security Standards. Evaluate whether management specifically identifies its information assets, determines the appropriate classification of those assets, and protects them according to the entity's data classification process. App A Objective 4:1
    Determine whether management implemented policies, standards, and procedures to govern all aspects of ITAM, including information and technology assets. Assess whether those processes include the following: Identifying the technology assets the entity possesses and manages. App A Objective 4:2a
    Examiners should review for the following: Processes to identify, track, and monitor infrastructure components. V Action Summary ¶ 2 Bullet 1
    {be critical}An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Identification of infrastructure assets (e.g., hardware and software) and associated interconnectivity critical to business and IT operations. App A Objective 2:8b Bullet 4
    {information asset}{hardware inventory}{refrain from including} Determine whether management uses appropriate inventory mechanisms to effectively document, track, and oversee the entity's information and technology assets, including its hardware and software. As part of the technology asset inventory, determine whether management considers IT assets that do not fall into traditional hardware or software inventories. Evaluate whether management has a process to periodically review and update the inventories. Assess the adequacy of management's technology asset inventory process for the following: App A Objective 4:3
    Determine whether management considers risks related to exchange files and implements effective mitigation, such as the following: Identification of the infrastructure, including the appropriate systems and software, necessary to support file exchange activities. App A Objective 11:1c
    {industry trend}Determine whether the architecture design involves the following: Identification of the entity's IT assets, external constraints, industry IT architecture trends, and the entity's needs for the desired future state. App A Objective 12:1d]
    Business Processes Preventive
    Establish and maintain an Information Systems Assurance Categories Definitions document. CC ID 01608 Establish/Maintain Documentation Preventive
    Correlate Information Systems with applicable controls. CC ID 01621
    [Evaluate the effectiveness of the assignment of the following responsibilities: Operations-related responsibilities: Database administration, systems analysis, client support, systems administration, and network administration. App A Objective 2:9c Bullet 8]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a policy and procedure management program. CC ID 06285
    [{unauthorized device}As part of these processes, determine whether management does the following: Updates the related policy or procedures or provides additional training. App A Objective 13:2c
    Examiners should review for the following: Documentation of the architecture plan, including policies, standards, and procedures. IV Action Summary ¶ 2 Bullet 3]
    Establish/Maintain Documentation Preventive
    Include the effective date on all organizational policies. CC ID 06820 Establish/Maintain Documentation Preventive
    Include requirements in the organization’s policies, standards, and procedures. CC ID 12956 Establish/Maintain Documentation Preventive
    Include threats in the organization’s policies, standards, and procedures. CC ID 12953 Establish/Maintain Documentation Preventive
    Analyze organizational policies, as necessary. CC ID 14037 Establish/Maintain Documentation Detective
    Assess the impact of changes to organizational policies, standards, and procedures, as necessary. CC ID 14824 Business Processes Preventive
    Include opportunities in the organization’s policies, standards, and procedures. CC ID 12945 Establish/Maintain Documentation Preventive
    Establish and maintain an Authority Document list. CC ID 07113 Establish/Maintain Documentation Preventive
    Map in-scope assets and in-scope records to external requirements. CC ID 12189 Establish/Maintain Documentation Detective
    Document organizational procedures that harmonize external requirements, including all legal requirements. CC ID 00623
    [Considers the following when implementing and using data analytics: Identification of data analytics processes used to enable compliance with applicable laws and regulations. App A Objective 3:9f Bullet 8]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework. CC ID 01636 Establish/Maintain Documentation Preventive
    Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties. CC ID 12901 Communicate Preventive
    Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties. CC ID 01312 Establish/Maintain Documentation Preventive
    Classify controls according to their preventive, detective, or corrective status. CC ID 06436 Establish/Maintain Documentation Preventive
    Publish, disseminate, and communicate a Statement on Internal Control, as necessary. CC ID 06727 Establish/Maintain Documentation Preventive
    Include signatures of C-level executives in the Statement on Internal Control. CC ID 14778 Establish/Maintain Documentation Preventive
    Include management's assertions on the effectiveness of internal control in the Statement on Internal Control. CC ID 14771 Establish/Maintain Documentation Corrective
    Include confirmation of any significant weaknesses in the Statement on Internal Control. CC ID 06861 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the Statement on Internal Control. CC ID 14774 Establish/Maintain Documentation Preventive
    Include an assurance statement regarding the counterterror protective security plan in the Statement on Internal Control. CC ID 06866 Establish/Maintain Documentation Preventive
    Include limitations of internal control systems in the Statement on Internal Control. CC ID 14773 Establish/Maintain Documentation Preventive
    Include a description of the methodology used to evaluate internal controls in the Statement on Internal Control. CC ID 14772 Establish/Maintain Documentation Preventive
    Include the counterterror protective security plan test results in the Statement on Internal Control. CC ID 06867 Establish/Maintain Documentation Detective
    Assign legislative body jurisdiction to the organization's assets, as necessary. CC ID 06956 Establish Roles Preventive
    Approve all compliance documents. CC ID 06286 Establish/Maintain Documentation Preventive
    Align the Authority Document list with external requirements. CC ID 06288 Establish/Maintain Documentation Preventive
    Assign the appropriate roles to all applicable compliance documents. CC ID 06284 Establish Roles Preventive
    Identify and document the Designated Approval Authority for compliance documents. CC ID 07114 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a compliance exception standard. CC ID 01628 Establish/Maintain Documentation Preventive
    Include the authority for granting exemptions in the compliance exception standard. CC ID 14329 Establish/Maintain Documentation Preventive
    Include all compliance exceptions in the compliance exception standard. CC ID 01630 Establish/Maintain Documentation Detective
    Include explanations, compensating controls, or risk acceptance in the compliance exceptions document. CC ID 01631
    [{cannot be resolved}Establishment and maintenance of appropriate processes and controls, including: Documenting any interim actions, compensating controls, and risk acceptance for issues that cannot be immediately resolved. App A Objective 16:4b Bullet 9]
    Establish/Maintain Documentation Preventive
    Review the compliance exceptions in the exceptions document, as necessary. CC ID 01632 Business Processes Preventive
    Include when exemptions expire in the compliance exception standard. CC ID 14330 Establish/Maintain Documentation Preventive
    Assign the approval of compliance exceptions to the appropriate roles inside the organization. CC ID 06443 Establish Roles Preventive
    Include management of the exemption register in the compliance exception standard. CC ID 14328 Establish/Maintain Documentation Preventive
    Disseminate and communicate compliance documents to all interested personnel and affected parties. CC ID 06282 Behavior Preventive
    Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties. CC ID 06283 Behavior Preventive
    Estimate the costs of implementing the compliance framework. CC ID 07191 Business Processes Preventive
    Define the Information Assurance strategic roles and responsibilities. CC ID 00608
    [Management should promote a culture that takes a data-centric approach for AIO functions and define responsibility and controls as part of data governance and data management processes. III.A Action Summary ¶ 1]
    Establish Roles Preventive
    Establish and maintain a compliance oversight committee. CC ID 00765
    [Determine whether management identifies internal and external roles and responsibilities for AIO activities and implements processes to oversee those activities performed by third-party service providers. Assess whether management appropriately assigned and defined the responsibility and oversight of those activities. App A Objective 7:1
    Evaluate the appropriateness of the following: Reports to the board and senior management containing the results of audits or other independent reviews and an assessment of management's ability to oversee the entity's AIO functions and activities. Validate whether the review scope and frequency are appropriate for the complexity of the entity's AIO functions. App A Objective 2:11d
    The board is responsible for overseeing, and senior management is responsible for implementing and maintaining, a safe and sound operating environment that supports the entity's goals and objectives and complies with applicable laws and regulations. Management should establish responsibility and accountability for the administration of the day-to-day functions of the IT environment. II.A Action Summary ¶ 1]
    Establish Roles Detective
    Review and document the meetings and actions of the Board of Directors or audit committee in the Board Report. CC ID 01151
    [Evaluate whether the following activities are performed: Board minutes reflect significant AIO-related discussions, credible challenge, and approvals. App A Objective 2:13c
    Examiners should review for the following: Discussions regarding AIO with the board are captured in meeting minutes. II.A Action Summary ¶ 2 Bullet 2]
    Establish/Maintain Documentation Detective
    Include recommendations for changes or updates to the information security program in the Board Report. CC ID 13180 Establish/Maintain Documentation Preventive
    Provide critical project reports to the compliance oversight committee in a timely manner. CC ID 01183 Establish/Maintain Documentation Detective
    Assign the review of project plans for critical projects to the compliance oversight committee. CC ID 01182 Establish Roles Preventive
    Assign the corporate governance of Information Technology to the compliance oversight committee. CC ID 01178 Establish Roles Preventive
    Assign the review of Information Technology policies and procedures to the compliance oversight committee. CC ID 01179 Establish Roles Preventive
    Involve the Board of Directors or senior management in Information Governance. CC ID 00609 Establish Roles Preventive
    Assign responsibility for enforcing the requirements of the Information Governance Plan to senior management. CC ID 12058 Human Resources Management Preventive
    Address Information Security during the business planning processes. CC ID 06495 Data and Information Management Preventive
    Document the requirements of stakeholders during the business planning process regarding Information Security. CC ID 06498 Establish/Maintain Documentation Preventive
    Assign reviewing and approving Quality Management standards to the appropriate oversight committee. CC ID 07192 Establish Roles Preventive
    Define and assign the Chief Executive's Information Assurance roles and responsibilities. CC ID 06089 Establish Roles Preventive
    Define and assign the Chief Financial Officer's Information Assurance roles and responsibilities. CC ID 06090 Establish Roles Preventive
    Define and assign the Chief of Risk's Information Assurance roles and responsibilities. CC ID 06092 Establish Roles Preventive
    Establish, implement, and maintain a strategic plan. CC ID 12784
    [Determine whether board oversight includes the following: Aligning AIO principles and practices with the board's strategic plans and risk appetite. App A Objective 2:3a]
    Establish/Maintain Documentation Preventive
    Determine progress toward the objectives of the strategic plan. CC ID 12944 Process or Activity Preventive
    Include acting with integrity in the strategic plan. CC ID 12870 Establish/Maintain Documentation Preventive
    Disseminate and communicate the strategic plan to all interested personnel and affected parties. CC ID 15592 Communicate Preventive
    Include the outsource partners in the strategic plan, as necessary. CC ID 13960 Establish/Maintain Documentation Preventive
    Align the cybersecurity program strategy with the organization's strategic plan. CC ID 14322 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a planning policy. CC ID 14673 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain planning procedures. CC ID 14698
    [Determine whether the board and senior management evaluate whether the IT strategic plan aligns with the enterprise-wide business and strategic plan, as well as established priorities and whether the planning addresses the following: Participation of senior management by supporting AIO activities, confirming that those activities are in the IT strategic plan, reviewing the strategic planning process, and incorporating changes. App A Objective 2:5a]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the planning procedures to interested personnel and affected parties. CC ID 14704 Communicate Preventive
    Disseminate and communicate the planning policy to interested personnel and affected parties. CC ID 14691 Communicate Preventive
    Include compliance requirements in the planning policy. CC ID 14688 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the planning policy. CC ID 14687 Establish/Maintain Documentation Preventive
    Include management commitment in the planning policy. CC ID 14686 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the planning policy. CC ID 14685 Establish/Maintain Documentation Preventive
    Include the scope in the planning policy. CC ID 14684 Establish/Maintain Documentation Preventive
    Include the purpose in the planning policy. CC ID 14683 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a security planning policy. CC ID 14027 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security planning policy. CC ID 14131 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security planning policy. CC ID 14130 Establish/Maintain Documentation Preventive
    Include management commitment in the security planning policy. CC ID 14129 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security planning policy. CC ID 14128 Establish/Maintain Documentation Preventive
    Include the scope in the security planning policy. CC ID 14127 Establish/Maintain Documentation Preventive
    Include the purpose in the security planning policy. CC ID 14126 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning policy to interested personnel and affected parties. CC ID 14125 Communicate Preventive
    Establish, implement, and maintain security planning procedures. CC ID 14060 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security planning procedures to interested personnel and affected parties. CC ID 14135 Communicate Preventive
    Establish, implement, and maintain a decision management strategy. CC ID 06913
    [Determine whether management has policies, standards, and procedures to govern the entity's architecture design process and whether the design process addresses the following: Definition of responsibilities and decision-making. App A Objective 12:2a
    Whether auditors or reviewers: Evaluate that management's AIO decisions align with the entity's business strategy, security, and resilience needs. App A Objective 2:11e Bullet 1
    Evaluate whether management does the following: Bases improvement decisions on the potential benefit and ease of implementation, with a focus on important IT processes and core competencies. App A Objective 17:4b]
    Establish/Maintain Documentation Preventive
    Align the reporting methodology with the decision management strategy. CC ID 15659 Business Processes Preventive
    Include an economic impact analysis in the decision management strategy. CC ID 14015 Establish/Maintain Documentation Preventive
    Include cost benefit analysis in the decision management strategy. CC ID 14014 Establish/Maintain Documentation Preventive
    Include criteria for compliance in the decision-making criteria. CC ID 12951 Establish/Maintain Documentation Preventive
    Include criteria for risk tolerance in the decision-making criteria. CC ID 12950 Establish/Maintain Documentation Preventive
    Include criteria for selecting objectives and strategies in the decision-making criteria. CC ID 12949 Establish/Maintain Documentation Preventive
    Include criteria for setting priorities in the decision-making criteria. CC ID 12938 Establish/Maintain Documentation Preventive
    Align organizational objectives with compliance objectives in the decision-making criteria. CC ID 12847 Process or Activity Preventive
    Align organizational objectives with performance targets in the decision-making criteria. CC ID 12843 Process or Activity Preventive
    Align organizational objectives with the acceptable residual risk in the decision-making criteria. CC ID 12841 Process or Activity Preventive
    Identify and document the events that initiate the decision management strategy. CC ID 06914 Establish/Maintain Documentation Detective
    Create additional decision-making criteria to achieve organizational objectives, as necessary. CC ID 12948 Process or Activity Preventive
    Involve knowledgeable and experienced individuals in the decision-making process. CC ID 06915 Behavior Preventive
    Take actions in accordance with the decision-making criteria. CC ID 12909 Process or Activity Preventive
    Document and evaluate the decision outcomes from the decision-making process. CC ID 06918 Establish/Maintain Documentation Preventive
    Disseminate and communicate the decision management strategy to all interested personnel and affected parties. CC ID 13991 Communicate Preventive
    Establish, implement, and maintain an information technology process framework. CC ID 13648 Establish/Maintain Documentation Preventive
    Include maturity models in the Information Technology process framework. CC ID 13652 Establish/Maintain Documentation Preventive
    Include relationships between Information Technology process structures in the Information Technology process framework. CC ID 13651 Establish/Maintain Documentation Preventive
    Include Information Technology process structures in the Information Technology process framework. CC ID 13650 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a tactical plan. CC ID 12785 Establish/Maintain Documentation Preventive
    Include acting with integrity in the tactical plan. CC ID 12871 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a Strategic Information Technology Plan. CC ID 00628
    [Examiners should review for the following: Assessment of future enterprise IT needs. IV Action Summary ¶ 2 Bullet 2
    Determine whether management oversight includes the following: Assessing and updating management's strategies and plans for AIO functions. App A Objective 2:4c
    Determine whether the board and senior management evaluate whether the IT strategic plan aligns with the enterprise-wide business and strategic plan, as well as established priorities and whether the planning addresses the following: Responsibilities within the AIO functions through defining those responsibilities and determining the effectiveness of the IT strategic planning process. App A Objective 2:5b
    Examiners should review for the following: Documentation of the architecture plan, including policies, standards, and procedures. IV Action Summary ¶ 2 Bullet 3]
    Establish/Maintain Documentation Preventive
    Include the Information Governance Plan in the Strategic Information Technology Plan. CC ID 10053
    [Evaluate the effectiveness of the assignment of the following responsibilities: Data-related responsibilities: Definition of a data strategy, evaluation of data and its usage (including the consideration of data planning and the analytics platform), and development of metrics for monitoring data activities. App A Objective 2:9b Bullet 8]
    Establish/Maintain Documentation Preventive
    Engage information governance subject matter experts in the development of the Information Governance Plan. CC ID 10055 Human Resources Management Preventive
    Include the transparency goals in the Information Governance Plan. CC ID 10056 Establish/Maintain Documentation Preventive
    Include the information integrity goals in the Information Governance Plan. CC ID 10057 Establish/Maintain Documentation Preventive
    Include business continuity objectives in the Strategic Information Technology Plan. CC ID 06496 Establish/Maintain Documentation Preventive
    Align business continuity objectives with the business continuity policy. CC ID 12408 Establish/Maintain Documentation Preventive
    Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs. CC ID 00631
    [{business plan} Determine whether the board and senior management evaluate whether the IT strategic plan aligns with the enterprise-wide business and strategic plan, as well as established priorities and whether the planning addresses the following: App A Objective 2:5
    Determine whether the board and senior management evaluate whether the IT strategic plan aligns with the enterprise-wide business and strategic plan, as well as established priorities and whether the planning addresses the following: Participation of senior management by supporting AIO activities, confirming that those activities are in the IT strategic plan, reviewing the strategic planning process, and incorporating changes. App A Objective 2:5a
    {business objective} Evaluate the adequacy of the entity's documented and approved architecture plan. Consider whether management considers the following in relationship to the plan: Alignment with the entity's strategic plan and support for the business and strategic objectives of the entity. App A Objective 12:3a
    {strategic objective}{Information Technology architecture plan} Management should design, apply, and align its IT architecture to meet the strategic and business objectives of the enterprise. The architecture plan should meet the entity's needs for confidentiality, integrity, and availability to minimize operational and reputational risks resulting from poorly designed systems. IV Action Summary ¶ 1]
    Business Processes Corrective
    Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan. CC ID 00630 Business Processes Preventive
    Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan. CC ID 06491 Establish/Maintain Documentation Preventive
    Include the references to the organization's Information Technology systems in the Strategic Information Technology Plan, as necessary. CC ID 13959
    [Determine whether the board and senior management evaluate whether the IT strategic plan aligns with the enterprise-wide business and strategic plan, as well as established priorities and whether the planning addresses the following: Impact of IT infrastructure by understanding the relationship between IT infrastructure and the entity's needs. App A Objective 2:5d
    With respect to design objectives, determine whether management does the following: Evaluates its needs and considers: Comparison of existing architecture with anticipated future changes. App A Objective 12:4b Bullet 3]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan. CC ID 00632 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan. CC ID 01609 Establish/Maintain Documentation Preventive
    Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan. CC ID 06497 Establish/Maintain Documentation Preventive
    Document the business case and return on investment in each Information Technology project plan. CC ID 06846 Establish/Maintain Documentation Preventive
    Escalate for management authorization any proposed projects where effective use of existing resources is overlooked. CC ID 06848 Business Processes Preventive
    Document all desired outcomes for a proposed project in the Information Technology project plan. CC ID 06916 Establish/Maintain Documentation Preventive
    Document the success criteria for the proposed project in the Information Technology project plan. CC ID 06917 Establish/Maintain Documentation Preventive
    Assign senior management to approve business cases. CC ID 13068 Human Resources Management Preventive
    Include milestones for each project phase in the Information Technology project plan. CC ID 12621 Establish/Maintain Documentation Preventive
    Document lessons learned at the conclusion of each Information Technology project. CC ID 13654 Establish/Maintain Documentation Corrective
    Establish, implement, and maintain a counterterror protective security plan. CC ID 06862 Establish/Maintain Documentation Preventive
    Include communications and awareness activities in the counterterror protective security plan. CC ID 06863 Establish/Maintain Documentation Preventive
    Include the protective security measures to implement after a change in the government response level in the counterterror protective security plan. CC ID 06864 Establish/Maintain Documentation Preventive
    Include a search plan in the counterterror protective security plan. CC ID 06865 Establish/Maintain Documentation Preventive
    Include an evacuation plan in the counterterror protective security plan. CC ID 06940 Establish/Maintain Documentation Preventive
    Include a continuity plan in the counterterror protective security plan. CC ID 07031 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan. CC ID 13673
    [{Information Technology plan} Determine whether management has policies, standards, and procedures to govern the entity's architecture design process and whether the design process addresses the following: Assessment of alignment with the entity's IT and strategic plans. App A Objective 12:2c
    Evaluate the adequacy of the entity's documented and approved architecture plan. Consider whether management considers the following in relationship to the plan: Alignment of the formality of the architecture plan and processes with number and complexity of the architecture initiatives. App A Objective 12:3d
    Determine whether the architecture design involves the following: Alignment with management's defined mission and any strategic initiatives for architecture. App A Objective 12:1c]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties. CC ID 00633 Establish/Maintain Documentation Preventive
    Monitor and evaluate the implementation and effectiveness of Information Technology Plans. CC ID 00634
    [Additionally, evaluate whether management does the following: Aligns KPIs with the entity's ERM processes and uses those KPIs to assess the performance of IT and operations across the entity. App A Objective 17:2a]
    Monitor and Evaluate Occurrences Detective
    Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans. CC ID 06839 Actionable Reports or Measurements Preventive
    Include key personnel status changes in the Information Technology Plan status reports. CC ID 06840 Actionable Reports or Measurements Preventive
    Include significant security risks in the Information Technology Plan status reports. CC ID 06939 Actionable Reports or Measurements Preventive
    Include significant risk mitigations in the Information Technology Plan status reports. CC ID 06841 Actionable Reports or Measurements Preventive
    Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors. CC ID 13094
    [Determine whether the board and senior management evaluate whether the IT strategic plan aligns with the enterprise-wide business and strategic plan, as well as established priorities and whether the planning addresses the following: Participation of senior management by supporting AIO activities, confirming that those activities are in the IT strategic plan, reviewing the strategic planning process, and incorporating changes. App A Objective 2:5a
    Evaluate the adequacy of the entity's documented and approved architecture plan. Consider whether management considers the following in relationship to the plan: Inclusion of processes for obtaining approvals, making changes to the plan, and reporting, as appropriate. App A Objective 12:3c]
    Human Resources Management Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program. CC ID 06492
    [Determine whether board oversight includes the following: Enabling appropriate management training on AIO to carry out its responsibilities and manage risk. App A Objective 2:3d]
    Business Processes Preventive
    Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security. CC ID 06493 Behavior Preventive
    Establish, implement, and maintain a financial management program. CC ID 13228
    [If an entity provides IT services internally or externally as a third-party service provider, determine whether management considers the following in the IT strategic planning process: Financial management for IT services to allocate the cost of providing services. App A Objective 2:7b]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain funds transfer procedures. CC ID 16754 Establish/Maintain Documentation Preventive
    Provide required information that is missing from a funds transfer to the responsible party. CC ID 16761 Communicate Preventive
    Return the funds from a funds transfer when required information is not received or discrepancies are not resolved. CC ID 16760 Business Processes Preventive
    Delay the funds transfer until all required information has been received or discrepancies are resolved. CC ID 16759 Business Processes Preventive
    Refrain from making funds from a funds transfer available to the interested personnel until all required information is received. CC ID 16758 Business Processes Preventive
    Investigate discrepancies between the information received and the information verified for each funds transfer. CC ID 16757 Investigate Detective
    Attach the required information to each funds transfer. CC ID 16756 Business Processes Preventive
    Verify all required information is attached to each funds transfer. CC ID 16755 Business Processes Detective
    Establish, implement, and maintain protective measures for customers from a bank's insolvency or default. CC ID 16738 Business Processes Preventive
    Test the protective measures for effectiveness to prevent financial impact to responsible parties. CC ID 16750 Testing Preventive
    Include communication protocols in the financial management program. CC ID 16763 Establish/Maintain Documentation Preventive
    Include ongoing monitoring in the financial management program. CC ID 16762 Process or Activity Preventive
    Employ tools to manage settlement and funding flows. CC ID 16743 Process or Activity Preventive
    Refrain from setting up anonymous financial accounts. CC ID 16721 Business Processes Preventive
    Identify and maintain positions in financial accounts. CC ID 16751 Business Processes Preventive
    Establish, implement, and maintain a financial products and services disclosure policy. CC ID 16717 Establish/Maintain Documentation Preventive
    Require acknowledgment of receipt from the customer in the financial products and services disclosure policy. CC ID 16725 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a subsidiary compliance program. CC ID 16694 Process or Activity Preventive
    Establish, implement, and maintain financial resource management procedures. CC ID 16642 Establish/Maintain Documentation Preventive
    Document the rationale for the amount of financial resources being held. CC ID 16688 Establish/Maintain Documentation Preventive
    Supplement financial resources, as necessary. CC ID 16685 Business Processes Preventive
    Establish, implement, and maintain collateral procedures. CC ID 16653 Establish/Maintain Documentation Preventive
    Include the use of appropriate models in the collateral procedures. CC ID 16687 Establish/Maintain Documentation Preventive
    Define the collateral requirements in the collateral procedures. CC ID 16686 Establish/Maintain Documentation Preventive
    Test the collateral requirements for appropriateness. CC ID 16681 Testing Preventive
    Limit the types of assets accepted as collateral. CC ID 16602 Business Processes Preventive
    Avoid the use of concentrated holdings of assets. CC ID 16651 Business Processes Preventive
    Establish, implement, and maintain stress test plans for financial resources. CC ID 16644 Testing Preventive
    Include stress scenarios in the stress test plan. CC ID 16659 Testing Preventive
    Analyze the effectiveness of the stress test plan. CC ID 16657 Process or Activity Detective
    Perform stress testing in accordance with the stress test plan. CC ID 16652 Testing Preventive
    Disseminate and communicate the results of stress testing to interested personnel and affected parties. CC ID 16630 Communicate Preventive
    Identify and document the financial resources available for use. CC ID 16643 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain credit loss procedures. CC ID 16683 Establish/Maintain Documentation Preventive
    Include the allocation of credit losses in the credit loss procedures. CC ID 16684 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a securities trading program. CC ID 16626 Business Processes Preventive
    Include fairness and equitability standards in the securities trading program. CC ID 16690 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the securities trading program. CC ID 16689 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a capital restoration plan. CC ID 16613 Establish/Maintain Documentation Preventive
    Include performance guarantees in the capital restoration plan. CC ID 16616 Establish/Maintain Documentation Preventive
    Include corrective actions taken in the capital restoration plan. CC ID 16612 Establish/Maintain Documentation Preventive
    Include required information in the capital restoration plan. CC ID 16609 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain valuation procedures. CC ID 16634 Establish/Maintain Documentation Preventive
    Include investment information in approval requests for investments. CC ID 16590 Business Processes Preventive
    Establish, implement, and maintain capital withdrawal requirements. CC ID 16576 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain lending policies. CC ID 16608 Establish/Maintain Documentation Preventive
    Align the lending policy with the organization's risk acceptance level. CC ID 16716 Process or Activity Preventive
    Include the requirements for risk assessments in the lending policy. CC ID 16730 Establish/Maintain Documentation Preventive
    Include the requirements for sensitivity analyses in the lending policy. CC ID 16728 Establish/Maintain Documentation Preventive
    Include the requirements for feasibility studies in the lending policy. CC ID 16726 Establish/Maintain Documentation Preventive
    Include pricing structures in the lending policy. CC ID 16724 Establish/Maintain Documentation Preventive
    Include monitoring requirements in the lending policy. CC ID 16710 Establish/Maintain Documentation Preventive
    Include loan origination procedures in the lending policy. CC ID 16709 Establish/Maintain Documentation Preventive
    Include review procedures and approval procedures for exception loans in the lending policy. CC ID 16708 Establish/Maintain Documentation Preventive
    Include loan requirements in the lending policy. CC ID 16706 Establish/Maintain Documentation Preventive
    Include appraisals and evaluations in the lending policy. CC ID 16705 Establish/Maintain Documentation Preventive
    Include terms and conditions in the lending policy. CC ID 16695 Establish/Maintain Documentation Preventive
    Include the scope and distribution of loans in the lending policy. CC ID 16693 Establish/Maintain Documentation Preventive
    Include geographic areas in the lending policy. CC ID 16691 Establish/Maintain Documentation Preventive
    Include underwriting guidelines in the lending policy. CC ID 16619 Establish/Maintain Documentation Preventive
    Include credit review in the underwriting guidelines. CC ID 16765 Establish/Maintain Documentation Preventive
    Include loan-to-value ratio limits in the lending policy. CC ID 16618 Establish/Maintain Documentation Preventive
    Include documentation requirements in the lending policy. CC ID 16617 Establish/Maintain Documentation Preventive
    Include the purpose of the loan in the loan documentation. CC ID 16747 Establish/Maintain Documentation Preventive
    Include the source of repayment in the loan documentation. CC ID 16746 Establish/Maintain Documentation Preventive
    Include approval requirements in the lending policy. CC ID 16615 Establish/Maintain Documentation Preventive
    Include reporting requirements in the lending policy. CC ID 16614 Establish/Maintain Documentation Preventive
    Include loan portfolio diversification standards in the lending policy. CC ID 16611 Establish/Maintain Documentation Preventive
    Include loan administration procedures in the lending policy. CC ID 16610 Establish/Maintain Documentation Preventive
    Include loan participation agreements in the loan administration procedures. CC ID 16745 Establish/Maintain Documentation Preventive
    Include termination procedures in the loan participation agreement. CC ID 16753 Establish/Maintain Documentation Preventive
    Justify the safety and efficiency of the participation requirements in the loan participation agreement. CC ID 16752 Establish/Maintain Documentation Preventive
    Include servicing agreements in the loan administration procedures. CC ID 16744 Establish/Maintain Documentation Preventive
    Include claims processing in the loan administration procedures. CC ID 16742 Establish/Maintain Documentation Preventive
    Include forbearance management in the loan administration procedures. CC ID 16741 Establish/Maintain Documentation Preventive
    Include foreclosure management in the loan administration procedures. CC ID 16740 Establish/Maintain Documentation Preventive
    Include delinquency management in the loan administration procedures. CC ID 16739 Establish/Maintain Documentation Preventive
    Include customer due diligence in the loan administration procedures. CC ID 16736 Process or Activity Preventive
    Include the requirements for financial statements in the loan administration procedures. CC ID 16735 Establish/Maintain Documentation Preventive
    Include loan closing in the loan administration procedures. CC ID 16734 Establish/Maintain Documentation Preventive
    Include payoff statements in the loan administration procedures. CC ID 16733 Establish/Maintain Documentation Preventive
    Include payment processing in the loan administration procedures. CC ID 16732 Establish/Maintain Documentation Preventive
    Include loan reviews in the loan administration procedures. CC ID 16703 Establish/Maintain Documentation Preventive
    Include collections in the loan administration procedures. CC ID 16701 Establish/Maintain Documentation Preventive
    Include collateral inspections in the loan administration procedures. CC ID 16699 Establish/Maintain Documentation Preventive
    Include disbursements in the loan administration procedures. CC ID 16697 Establish/Maintain Documentation Preventive
    Review and approve lending policies. CC ID 16607 Business Processes Preventive
    Establish, implement, and maintain a dividend policy. CC ID 16569 Establish/Maintain Documentation Preventive
    Include compliance requirements in the dividend policy. CC ID 16570 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain margin systems. CC ID 16601 Business Processes Preventive
    Include valuation models in the margin system. CC ID 16663 Data and Information Management Preventive
    Include procedures for collecting price data in the margin system. CC ID 16662 Data and Information Management Preventive
    Include reliable sources for price data in the margin system. CC ID 16661 Data and Information Management Preventive
    Validate the margin system on a regular basis. CC ID 16660 Testing Detective
    Assess the properties of the margin model used in the margin system. CC ID 16658 Process or Activity Detective
    Monitor the performance of the margin system. CC ID 16655 Monitor and Evaluate Occurrences Detective
    Analyze the performance of the margin system. CC ID 16654 Process or Activity Detective
    Establish, implement, and maintain capital adequacy measures. CC ID 16568 Business Processes Preventive
    Establish, implement, and maintain escrow procedures for financial transactions. CC ID 16564 Establish/Maintain Documentation Preventive
    Determine the amount of assets to be held in escrow. CC ID 16575 Investigate Detective
    Disseminate and communicate the escrow procedures to interested personnel and affected parties. CC ID 16565 Communicate Preventive
    Establish, implement, and maintain a Capital Planning and Investment Control policy. CC ID 06279
    [With respect to design objectives, determine whether management does the following: Evaluates its needs and considers: Prioritization of investments. App A Objective 12:4b Bullet 2
    As part of the evaluation of question 5, determine whether management does the following: Balances resource investments. App A Objective 2:6c]
    Establish/Maintain Documentation Preventive
    Include risk management in the Capital Planning and Investment Control policy. CC ID 16764 Establish/Maintain Documentation Preventive
    Include debt rating requirements in the Capital Planning and Investment Control policy. CC ID 16692 Establish/Maintain Documentation Preventive
    Include divestiture requirements in the Capital Planning and Investment Control policy. CC ID 16591 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recordkeeping system for securities transactions. CC ID 16631 Establish/Maintain Documentation Preventive
    Include order tickets in the recordkeeping system for securities transactions. CC ID 16640 Data and Information Management Preventive
    Include receipts and deliveries of securities in the recordkeeping system for securities transactions. CC ID 16650 Data and Information Management Preventive
    Include debits and credits in the recordkeeping system for securities transactions. CC ID 16639 Data and Information Management Preventive
    Include a description of the transaction in the recordkeeping system for securities transactions. CC ID 16645 Data and Information Management Preventive
    Include chronological records of transactions in the recordkeeping system for securities transactions. CC ID 16638 Data and Information Management Preventive
    Include the name of the dealer in the recordkeeping system for securities transactions. CC ID 16637 Data and Information Management Preventive
    Include the execution price in the recordkeeping system for securities transactions. CC ID 16636 Data and Information Management Preventive
    Include the date and time of the transaction in the recordkeeping system for securities transactions. CC ID 16635 Data and Information Management Preventive
    Include the type of transaction in the recordkeeping system for securities transactions. CC ID 16633 Data and Information Management Preventive
    Include account information in the recordkeeping system for securities transactions. CC ID 16632 Data and Information Management Preventive
    Establish, implement, and maintain securities transaction notifications. CC ID 16600 Establish/Maintain Documentation Preventive
    Include the call date in the securities transaction notification. CC ID 16680 Establish/Maintain Documentation Preventive
    Include service charges and commissions in the securities transaction notification. CC ID 16702 Establish/Maintain Documentation Preventive
    Include the funds and securities in the possession of the organization in the securities transaction notification. CC ID 16679 Establish/Maintain Documentation Preventive
    Include the call price in the securities transaction notification. CC ID 16678 Establish/Maintain Documentation Preventive
    Include debits and credits in the securities transaction notification. CC ID 16677 Establish/Maintain Documentation Preventive
    Include transactions in the securities transaction notification. CC ID 16676 Establish/Maintain Documentation Preventive
    Include the credit rating of securities in the securities transaction notification. CC ID 16674 Establish/Maintain Documentation Preventive
    Include yield information in the securities transaction notification. CC ID 16673 Establish/Maintain Documentation Preventive
    Include redemption information in the securities transaction notification. CC ID 16672 Establish/Maintain Documentation Preventive
    Include the price calculated from the yield in the securities transaction notification. CC ID 16669 Establish/Maintain Documentation Preventive
    Include the type of call in the securities transaction notification. CC ID 16668 Establish/Maintain Documentation Preventive
    Include an account statement in the securities transaction notification. CC ID 16666 Establish/Maintain Documentation Preventive
    Include the yield to maturity in the securities transaction notification. CC ID 16665 Establish/Maintain Documentation Preventive
    Include the execution price in the securities transaction notification. CC ID 16664 Establish/Maintain Documentation Preventive
    Include the organization's role in the securities transaction notification. CC ID 16646 Establish/Maintain Documentation Preventive
    Include the name of the broker in the securities transaction notification. CC ID 16647 Establish/Maintain Documentation Preventive
    Include the name of the customer in the securities transaction notification. CC ID 16625 Establish/Maintain Documentation Preventive
    Include the organization's name in the securities transaction notification. CC ID 16624 Establish/Maintain Documentation Preventive
    Include confirmations in the securities transaction notification. CC ID 16623 Establish/Maintain Documentation Preventive
    Include remunerations in the securities transaction notification. CC ID 16622 Establish/Maintain Documentation Preventive
    Include requested information in the securities transaction notification. CC ID 16641 Establish/Maintain Documentation Preventive
    Disseminate and communicate securities transaction notifications to interested personnel and affected parties. CC ID 16621 Communicate Preventive
    Include the execution date in the securities transaction notification. CC ID 16620 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain financial reports. CC ID 14770 Establish/Maintain Documentation Preventive
    Structure financial reports in accordance with external requirements, as necessary. CC ID 14776 Establish/Maintain Documentation Preventive
    Include the report of independent Certified Public Accountants in the financial report. CC ID 14779 Establish/Maintain Documentation Preventive
    Include the business need justification for lost value in the financial report. CC ID 15588 Establish/Maintain Documentation Preventive
    Disseminate and communicate the financial report to interested personnel and affected parties. CC ID 16342 Communicate Preventive
    Include financial statements in the financial report, as necessary. CC ID 14775 Establish/Maintain Documentation Preventive
    Include capital deductions and adjustments in the financial statement. CC ID 16667 Establish/Maintain Documentation Preventive
    Include earnings per share or loss per share in the financial statement. CC ID 16597 Establish/Maintain Documentation Preventive
    Include material contingencies in the financial statement. CC ID 16596 Establish/Maintain Documentation Preventive
    Include notes to financial statements in the financial report, as necessary. CC ID 14780 Establish/Maintain Documentation Preventive
    Include information on loans to small businesses and small farms in the call report. CC ID 16731 Establish/Maintain Documentation Preventive
    Include assets and liabilities in the call report. CC ID 16729 Establish/Maintain Documentation Preventive
    Disseminate and communicate the call report to interested personnel and affected parties. CC ID 16727 Communicate Preventive
  • Monitoring and measurement
    Monitoring and measurement CC ID 00636 IT Impact Zone IT Impact Zone
    Monitor the usage and capacity of critical assets. CC ID 14825
    [Considers the following when implementing and using data analytics: Implementation of access controls and activity monitoring over analytics tools and reports. App A Objective 3:9f Bullet 5]
    Monitor and Evaluate Occurrences Detective
    Monitor the usage and capacity of Information Technology assets. CC ID 00668
    [Examiners should review for the following: Processes to identify, track, and monitor infrastructure components. V Action Summary ¶ 2 Bullet 1
    {information asset}{hardware inventory}{refrain from including} Determine whether management uses appropriate inventory mechanisms to effectively document, track, and oversee the entity's information and technology assets, including its hardware and software. As part of the technology asset inventory, determine whether management considers IT assets that do not fall into traditional hardware or software inventories. Evaluate whether management has a process to periodically review and update the inventories. Assess the adequacy of management's technology asset inventory process for the following: App A Objective 4:3
    Considers the following when reviewing new technology assets: Registers and tracks assets in the inventories and includes EOL information. App A Objective 4:4g Bullet 3
    {end-of-life} Assess whether each IT asset is captured in the entity's ITAM inventory, tracked throughout its operational life, and prepared for physical removal at the end of its useful life. Determine whether management implemented policies, standards, and procedures to identify assets and their EOL time frames, to track assets' EOLs, and to replace or upgrade the asset. Determine the effectiveness of EOL management through the following: App A Objective 4:4
    With respect to specific software types, determine whether management does the following: For core processing software: Monitors its use. App A Objective 13:6b Bullet 2
    Review the effectiveness of management's mitigation of the risks associated with the following: Power issues mitigation, including: Methods to monitor, condition, or stabilize the electricity source voltage and minimize effects of power fluctuations. App A Objective 13:9d Bullet 6]
    Monitor and Evaluate Occurrences Detective
    Monitor all outbound traffic from all systems. CC ID 12970
    [Additionally, determine whether the following security and monitoring mitigation strategies are in place: Monitors telecommunications traffic and periodically reviews network devices. App A Objective 13:3k]
    Monitor and Evaluate Occurrences Preventive
    Notify the interested personnel and affected parties before the storage unit will reach maximum capacity. CC ID 06773 Behavior Detective
    Monitor systems for errors and faults. CC ID 04544
    [Evaluate whether management has a process to determine appropriate deployment environments (e.g., in-house or serviced, virtualization and cloud, or hybrid) as part of the design process. Determine whether the process includes the following considerations: Type of virtualization solution and design risks associated with the following elements: Containers, including the design for storing data outside of the container and implementation of vulnerability management processes, segmentation, and the ability to monitor containers. App A Objective 12:5c Bullet 3
    Evaluate whether management has a process to determine appropriate deployment environments (e.g., in-house or serviced, virtualization and cloud, or hybrid) as part of the design process. Determine whether the process includes the following considerations: Placement and selection of storage, design of network topology, availability of bandwidth, and need for management reporting systems, as well as implementation of monitoring tools. App A Objective 12:5d]
    Monitor and Evaluate Occurrences Detective
    Report errors and faults to the appropriate personnel, as necessary. CC ID 14296
    [Examiners should review for the following: Operational support processes, controls, and mechanisms to report transmission and processing errors. VI.C Action Summary ¶ 2 Bullet 3
    As part of the entity's operational support processes, determine whether the following is performed: Operational support personnel report errors or problems with the systems or software and provide updates on resolution. App A Objective 16:2b]
    Communicate Corrective
    Compare system performance metrics to organizational standards and industry benchmarks. CC ID 00667 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain logging and monitoring operations. CC ID 00637
    [Determine whether management implements processes to monitor IT operations and periodically reports on the effectiveness of established controls to senior management and other stakeholders. Evaluate the following: App A Objective 17:1]
    Log Management Detective
    Establish, implement, and maintain an audit and accountability policy. CC ID 14035 Establish/Maintain Documentation Preventive
    Include compliance requirements in the audit and accountability policy. CC ID 14103 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the audit and accountability policy. CC ID 14102 Establish/Maintain Documentation Preventive
    Include the purpose in the audit and accountability policy. CC ID 14100 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the audit and accountability policy. CC ID 14098 Establish/Maintain Documentation Preventive
    Include management commitment in the audit and accountability policy. CC ID 14097 Establish/Maintain Documentation Preventive
    Include the scope in the audit and accountability policy. CC ID 14096 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability policy to interested personnel and affected parties. CC ID 14095 Communicate Preventive
    Establish, implement, and maintain audit and accountability procedures. CC ID 14057 Establish/Maintain Documentation Preventive
    Disseminate and communicate the audit and accountability procedures to interested personnel and affected parties. CC ID 14137 Communicate Preventive
    Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs. CC ID 06312
    [{information asset} Management should have appropriate ITAM processes to track, manage, and report on the entity's information and technology assets. III.B Action Summary ¶ 1
    {information asset} Management implements appropriate ITAM processes to track, manage, report on the entity's information and technology assets. (III.B, "IT Asset Management") App A Objective 4
    With respect to specific software types, determine whether management does the following: For APIs: Performs appropriate API logging and monitoring. App A Objective 13:6i Bullet 7]
    Log Management Preventive
    Review and approve the use of continuous security management systems. CC ID 13181 Process or Activity Preventive
    Protect continuous security management systems from unauthorized use. CC ID 13097 Configuration Preventive
    Monitor and evaluate system telemetry data. CC ID 14929 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an intrusion detection and prevention program. CC ID 15211 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain intrusion management operations. CC ID 00580 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain an intrusion detection and prevention policy. CC ID 15169 Establish/Maintain Documentation Preventive
    Install and maintain an Intrusion Detection System and/or Intrusion Prevention System. CC ID 00581
    [Additionally, determine whether the following security and monitoring mitigation strategies are in place: Deployment of IDS/IPS. App A Objective 13:3h Bullet 3]
    Configuration Preventive
    Protect each person's right to privacy and civil liberties during intrusion management operations. CC ID 10035 Behavior Preventive
    Do not intercept communications of any kind when providing a service to clients. CC ID 09985 Behavior Preventive
    Determine if honeypots should be installed, and if so, where the honeypots should be placed. CC ID 00582 Technical Security Detective
    Monitor systems for inappropriate usage and other security violations. CC ID 00585
    [Additionally, determine whether management does the following: Implements security and monitoring throughout the entity's network, analyzes incoming and outgoing data traffic, and alerts authorized personnel if anomalous activity is detected. Additionally, determine whether the following security and monitoring mitigation strategies are in place: App A Objective 13:3h
    Additionally, determine whether the following security and monitoring mitigation strategies are in place: Use of internal tools to detect, identify, and prevent misuse by entity personnel. App A Objective 13:3h Bullet 4
    Additionally, determine whether management does the following: Monitors incoming and internal data communications traffic for problems. App A Objective 13:3p
    Determine whether management considers risks related to exchange files and implements effective mitigation, such as the following: Implementation of appropriate operational controls, such as: Use of detection controls. App A Objective 11:1e Bullet 2
    With respect to specific software types, determine whether management does the following: For mainframe security software: Implements real-time monitoring and alerting. App A Objective 13:6h Bullet 5
    With respect to specific software types, determine whether management does the following: For OS software: Restricts and monitors administrator access to the OS. App A Objective 13:6a Bullet 2]
    Monitor and Evaluate Occurrences Detective
    Monitor systems for blended attacks and multiple component incidents. CC ID 01225 Monitor and Evaluate Occurrences Detective
    Monitor systems for Denial of Service attacks. CC ID 01222 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized data transfers. CC ID 12971
    [Determine whether management considers risks related to exchange files and implements effective mitigation, such as the following: Implementation of appropriate operational controls, such as: Monitoring for authorized file exchange. App A Objective 11:1e Bullet 1]
    Monitor and Evaluate Occurrences Preventive
    Address operational anomalies within the incident management system. CC ID 11633 Audits and Risk Management Preventive
    Monitor systems for access to restricted data or restricted information. CC ID 04721
    [Verify that management implemented effective database security controls, such as the following: Restricts and monitors data extraction. App A Objective 3:7j
    Management provides time and resources for scheduled preventive maintenance, which includes: Reviewing system activity logs to monitor access to programs or data during maintenance. App A Objective 15:1f Bullet 3]
    Monitor and Evaluate Occurrences Detective
    Assign roles and responsibilities for overseeing access to restricted data or restricted information. CC ID 11950 Human Resources Management Detective
    Detect unauthorized access to systems. CC ID 06798 Monitor and Evaluate Occurrences Detective
    Incorporate potential red flags into the organization's incident management system. CC ID 04652 Monitor and Evaluate Occurrences Detective
    Incorporate an Identity Theft Prevention Program into the organization's incident management system. CC ID 11634 Audits and Risk Management Preventive
    Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System. CC ID 06430 Monitor and Evaluate Occurrences Detective
    Alert interested personnel and affected parties when an incident causes an outage. CC ID 06808 Monitor and Evaluate Occurrences Detective
    Monitor systems for unauthorized mobile code. CC ID 10034 Monitor and Evaluate Occurrences Preventive
    Update the intrusion detection capabilities and the incident response capabilities regularly. CC ID 04653 Technical Security Preventive
    Implement honeyclients to proactively seek out malicious websites and malicious code. CC ID 10658 Technical Security Preventive
    Implement detonation chambers, where appropriate. CC ID 10670 Technical Security Preventive
    Define and assign log management roles and responsibilities. CC ID 06311 Establish Roles Preventive
    Document and communicate the log locations to the owning entity. CC ID 12047 Log Management Preventive
    Make logs available for review by the owning entity. CC ID 12046 Log Management Preventive
    Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information. CC ID 00638 Log Management Detective
    Establish, implement, and maintain an event logging policy. CC ID 15217
    [Implementation of policies, standards, and procedures for log management activities that address the following: Objectives for logging. App A Objective 15:7b Bullet 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain event logging procedures. CC ID 01335 Log Management Detective
    Include the system components that generate audit records in the event logging procedures. CC ID 16426 Data and Information Management Preventive
    Include a standard to collect and interpret event logs in the event logging procedures. CC ID 00643
    [Determine whether management has a log management process to use logs to identify, track, analyze, and resolve problems that occur during day-to-day operations. Describe how management collects and collates logs and how management uses logs to respond to issues. Evaluate how management addresses the following: App A Objective 15:7
    Implementation of policies, standards, and procedures for log management activities that address the following: Types of logs to be collected. App A Objective 15:7b Bullet 2]
    Log Management Preventive
    Protect the event logs from failure. CC ID 06290 Log Management Preventive
    Overwrite the oldest records when audit logging fails. CC ID 14308 Data and Information Management Preventive
    Supply each in-scope asset with an audit reduction tool and report generation capabilities to support after-the-fact investigations without altering the event logs. CC ID 01427
    [Evaluate how management addresses the following: Consideration of tools to automate log analysis and extract important events or patterns. App A Objective 15:7d]
    Testing Preventive
    Provide predefined suspicious activity reports for suspicious activity discovered in the event log. CC ID 06774 Establish/Maintain Documentation Corrective
    Include identity information of suspects in the suspicious activity report. CC ID 16648 Establish/Maintain Documentation Preventive
    Compile the event logs of multiple components into a system-wide time-correlated audit trail. CC ID 01424
    [Determine whether management has a log management process to use logs to identify, track, analyze, and resolve problems that occur during day-to-day operations. Describe how management collects and collates logs and how management uses logs to respond to issues. Evaluate how management addresses the following: App A Objective 15:7
    Establishment and maintenance of appropriate processes and controls, including: Implementing procedures to correlate events. App A Objective 16:4b Bullet 13]
    Audits and Risk Management Preventive
    Review and update event logs and audit logs, as necessary. CC ID 00596
    [Verify that management implemented effective database security controls, such as the following: Configures and reviews audit logs. App A Objective 3:7f
    Verify that management implemented effective database security controls, such as the following: Regularly monitors database activity logs. App A Objective 3:7g
    Implementation of policies, standards, and procedures for log management activities that address the following: Response time for log review. App A Objective 15:7b Bullet 4
    With respect to specific software types, determine whether management does the following: For productivity software: Safeguards systems against security threats and employs IAM, configuration management, and log monitoring. App A Objective 13:6c Bullet 2]
    Log Management Detective
    Eliminate false positives in event logs and audit logs. CC ID 07047
    [Evaluate how management addresses the following: Identification and disposition of false positives and adjustment of logging parameters to minimize the volume of false positives in future log review. App A Objective 15:7a]
    Log Management Corrective
    Correlate log entries to security controls to verify the security control's effectiveness. CC ID 13207 Log Management Detective
    Identify cybersecurity events in event logs and audit logs. CC ID 13206 Technical Security Detective
    Follow up on exceptions and anomalies identified when reviewing logs. CC ID 11925
    [Determine whether management has a log management process to use logs to identify, track, analyze, and resolve problems that occur during day-to-day operations. Describe how management collects and collates logs and how management uses logs to respond to issues. Evaluate how management addresses the following: App A Objective 15:7
    Implementation of policies, standards, and procedures for log management activities that address the following: Escalation processes for anomalies. App A Objective 15:7b Bullet 6]
    Investigate Corrective
    Reproduce the event log if a log failure is captured. CC ID 01426 Log Management Preventive
    Document the event information to be logged in the event information log specification. CC ID 00639 Configuration Preventive
    Enable logging for all systems that meet the traceability criteria. CC ID 00640 Log Management Detective
    Enable the logging capability to capture enough information to ensure the system is functioning according to its intended purpose throughout its life cycle. CC ID 15001 Configuration Preventive
    Enable and configure logging on all network access controls. CC ID 01963
    [Additionally, determine whether management does the following: Implements security and monitoring throughout the entity's network, analyzes incoming and outgoing data traffic, and alerts authorized personnel if anomalous activity is detected. Additionally, determine whether the following security and monitoring mitigation strategies are in place: App A Objective 13:3h
    Additionally, determine whether the following security and monitoring mitigation strategies are in place: Use of software tools to protect against and monitor internet-accessible services or open ports. App A Objective 13:3h Bullet 1]
    Configuration Preventive
    Analyze firewall logs for the correct capturing of data. CC ID 00549 Log Management Detective
    Synchronize system clocks to an accurate and universal time source on all devices. CC ID 01340 Configuration Preventive
    Centralize network time servers to as few as practical. CC ID 06308 Configuration Preventive
    Disseminate and communicate information to customers about clock synchronization methods used by the organization. CC ID 13044 Communicate Preventive
    Define the frequency to capture and log events. CC ID 06313 Log Management Preventive
    Include logging frequencies in the event logging procedures. CC ID 00642 Log Management Preventive
    Review and update the list of auditable events in the event logging procedures. CC ID 10097 Establish/Maintain Documentation Preventive
    Monitor and evaluate system performance. CC ID 00651 Monitor and Evaluate Occurrences Detective
    Disseminate and communicate monitoring capabilities with interested personnel and affected parties. CC ID 13156 Communicate Preventive
    Disseminate and communicate statistics on resource usage with interested personnel and affected parties. CC ID 13155 Communicate Preventive
    Monitor for suspicious activities and react when they are detected. CC ID 00586
    [{security process} Examiners should review for the following: Security and monitoring processes to analyze data traffic and detect anomalous activity. V Action Summary ¶ 2 Bullet 5
    Additionally, determine whether management does the following: Implements security and monitoring throughout the entity's network, analyzes incoming and outgoing data traffic, and alerts authorized personnel if anomalous activity is detected. Additionally, determine whether the following security and monitoring mitigation strategies are in place: App A Objective 13:3h
    Determine whether management has effective database management, including the following: Has appropriate staff (e.g., DBAs) that Monitors for anomalous database activities. App A Objective 3:6h Bullet 4]
    Monitor and Evaluate Occurrences Detective
    Erase payment applications when suspicious activity is confirmed. CC ID 12193 Technical Security Corrective
    Report a data loss event when non-truncated payment card numbers are output. CC ID 04741 Establish/Maintain Documentation Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of electronic information. CC ID 04727 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has control of printed records. CC ID 04728 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the unauthorized person has accessed information in either paper or electronic form. CC ID 04740 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner. CC ID 04729 Monitor and Evaluate Occurrences Corrective
    Report a data loss event after a security incident is detected and there are indications that the information has been or will likely be used in an unauthorized manner that could cause substantial economic impact. CC ID 04742 Monitor and Evaluate Occurrences Corrective
    Establish, implement, and maintain network monitoring operations. CC ID 16444 Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate the effectiveness of detection tools. CC ID 13505 Investigate Detective
    Monitor and review retail payment activities, as necessary. CC ID 13541 Monitor and Evaluate Occurrences Detective
    Determine if high rates of retail payment activities are from Originating Depository Financial Institutions. CC ID 13546 Investigate Detective
    Review retail payment service reports, as necessary. CC ID 13545 Investigate Detective
    Assess customer satisfaction. CC ID 00652 Testing Detective
    Establish, implement, and maintain a continuous monitoring program for configuration management. CC ID 06757
    [Determine whether management has effective database management, including the following: Regularly monitors for new or changed databases and reports on misconfigured or out-of-compliance databases. App A Objective 3:6e]
    Establish/Maintain Documentation Detective
    Include the correlation and analysis of information obtained during testing in the continuous monitoring program. CC ID 14250 Process or Activity Detective
    Establish, implement, and maintain an automated configuration monitoring system. CC ID 07058 Monitor and Evaluate Occurrences Detective
    Monitor for and report when a software configuration is updated. CC ID 06746 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel when the software configuration is updated absent authorization. CC ID 04886 Monitor and Evaluate Occurrences Detective
    Monitor for firmware updates absent authorization. CC ID 10675 Monitor and Evaluate Occurrences Detective
    Implement file integrity monitoring. CC ID 01205 Monitor and Evaluate Occurrences Detective
    Identify unauthorized modifications during file integrity monitoring. CC ID 12096 Technical Security Detective
    Monitor for software configuration updates absent authorization. CC ID 10676 Monitor and Evaluate Occurrences Preventive
    Allow expected changes during file integrity monitoring. CC ID 12090 Technical Security Preventive
    Monitor for when documents are being updated absent authorization. CC ID 10677 Monitor and Evaluate Occurrences Preventive
    Include a change history and identify who made the changes in the file integrity monitoring report. CC ID 12091 Establish/Maintain Documentation Preventive
    Alert interested personnel and affected parties when an unauthorized modification to critical files is detected. CC ID 12045 Process or Activity Preventive
    Monitor and evaluate user account activity. CC ID 07066
    [{be independent}Determine whether management has effective database management, including the following: Has appropriate staff (e.g., DBAs) that Limits and independently monitors accounts belonging to DBAs. App A Objective 3:6i
    Verify that management implemented effective database security controls, such as the following: Tracks and monitors activity for default accounts that cannot be disabled or deleted. App A Objective 3:7b
    {be independent}Verify that management implemented effective database security controls, such as the following: Independently monitors DBA and privileged account activities. App A Objective 3:7h
    Verify that management implemented effective database security controls, such as the following: Monitors OS-level privileged account activities. App A Objective 3:7m
    With respect to specific software types, determine whether management does the following: For enterprise software: Monitors user activity. App A Objective 13:6d Bullet 3
    {be independent}With respect to specific software types, determine whether management does the following: For mainframe security software: Independently monitors privileged accounts (e.g., system and security administrators). App A Objective 13:6h Bullet 8]
    Monitor and Evaluate Occurrences Detective
    Develop and maintain a usage profile for each user account. CC ID 07067 Technical Security Preventive
    Log account usage to determine dormant accounts. CC ID 12118 Log Management Detective
    Log account usage times. CC ID 07099 Log Management Detective
    Generate daily reports of user logons during hours outside of their usage profile. CC ID 07068 Monitor and Evaluate Occurrences Detective
    Generate daily reports of users who have grossly exceeded their usage profile logon duration. CC ID 07069 Monitor and Evaluate Occurrences Detective
    Log account usage durations. CC ID 12117 Monitor and Evaluate Occurrences Detective
    Notify the appropriate personnel after identifying dormant accounts. CC ID 12125 Communicate Detective
    Log Internet Protocol addresses used during logon. CC ID 07100 Log Management Detective
    Report red flags when logon credentials are used on a computer different from the one in the usage profile. CC ID 07070 Monitor and Evaluate Occurrences Detective
    Report inappropriate usage of user accounts to the appropriate personnel. CC ID 14243 Communicate Detective
    Establish, implement, and maintain a risk monitoring program. CC ID 00658
    [An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Ongoing monitoring that identifies and evaluates changes in risk and periodic updates to the risk profile assessment. App A Objective 2:8b Bullet 5]
    Establish/Maintain Documentation Preventive
    Monitor the organization's exposure to threats, as necessary. CC ID 06494 Monitor and Evaluate Occurrences Preventive
    Monitor and evaluate environmental threats. CC ID 13481 Monitor and Evaluate Occurrences Detective
    Implement a fraud detection system. CC ID 13081 Business Processes Preventive
    Update or adjust fraud detection systems, as necessary. CC ID 13684 Process or Activity Corrective
    Monitor for new vulnerabilities. CC ID 06843
    [For open source software: Implements security controls and procedures to mitigate risks, including the following: Monitoring for vulnerabilities of the open source software employed by the entity. App A Objective 13:6g Bullet 2 Sub-Bullet 6
    {be appropriate} Determine whether management establishes procedures to stay abreast of system vulnerabilities and software vendor patches, tests patches in a segregated environment, and installs them when appropriate. Additionally, determine the effectiveness of the following: App A Objective 15:3]
    Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a compliance testing strategy. CC ID 00659
    [The board and senior management should engage internal audit or other independent personnel or third parties to review AIO functions and activities and validate effectiveness of controls. Effective AIO auditing assists the board and senior management with oversight, helps verify compliance with applicable laws and regulations, and helps ensure adherence to contractual agreements and entity policies, standards, and procedures to mitigate risks. II.D Action Summary ¶ 1]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy. CC ID 12833
    [{continuous improvement} Determine whether management uses control self-assessments, risk control self-assessments, or other methods to monitor the effectiveness of IT operations controls and gauge performance, assess the criticality of systems, and identify existing risks. Determine whether management evaluates results and uses them to continuously improve the entity's operations. App A Objective 17:3
    {independent assurance report}{be independent}Review past reports for outstanding issues or previous problems. Consider the following: Independent assurance and security reports (e.g., penetration tests and vulnerability assessments) and internal reports that self-identify concerns related to AIO issues. App A Objective 1:1d]
    Testing Preventive
    Test compliance controls for proper functionality. CC ID 00660 Testing Detective
    Establish, implement, and maintain a system security plan. CC ID 01922
    [With respect to specific software types, determine whether management does the following: For mainframe security software: Uses security controls. App A Objective 13:6h Bullet 2
    With respect to specific software types, determine whether management does the following: For productivity software: Safeguards systems against security threats and employs IAM, configuration management, and log monitoring. App A Objective 13:6c Bullet 2
    Examiners should review for the following: Mainframe controls, if applicable, to address unique risks associated with mainframes. V Action Summary ¶ 2 Bullet 7]
    Testing Preventive
    Include a system description in the system security plan. CC ID 16467 Establish/Maintain Documentation Preventive
    Include a description of the operational context in the system security plan. CC ID 14301 Establish/Maintain Documentation Preventive
    Include the results of the security categorization in the system security plan. CC ID 14281 Establish/Maintain Documentation Preventive
    Include the information types in the system security plan. CC ID 14696 Establish/Maintain Documentation Preventive
    Include the security requirements in the system security plan. CC ID 14274 Establish/Maintain Documentation Preventive
    Include threats in the system security plan. CC ID 14693 Establish/Maintain Documentation Preventive
    Include network diagrams in the system security plan. CC ID 14273 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the system security plan. CC ID 14682 Establish/Maintain Documentation Preventive
    Include the results of the privacy risk assessment in the system security plan. CC ID 14676 Establish/Maintain Documentation Preventive
    Include remote access methods in the system security plan. CC ID 16441 Establish/Maintain Documentation Preventive
    Disseminate and communicate the system security plan to interested personnel and affected parties. CC ID 14275 Communicate Preventive
    Include a description of the operational environment in the system security plan. CC ID 14272 Establish/Maintain Documentation Preventive
    Include the security categorizations and rationale in the system security plan. CC ID 14270 Establish/Maintain Documentation Preventive
    Include the authorization boundary in the system security plan. CC ID 14257
    [Examiners should review for the following: Defined and appropriately administered authorization boundaries containing the entity's systems, software, and information. VI.A Action Summary ¶ 2 Bullet 2]
    Establish/Maintain Documentation Preventive
    Align the enterprise architecture with the system security plan. CC ID 14255 Process or Activity Preventive
    Include security controls in the system security plan. CC ID 14239 Establish/Maintain Documentation Preventive
    Create specific test plans to test each system component. CC ID 00661 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities in the test plan. CC ID 14299 Establish/Maintain Documentation Preventive
    Include the assessment team in the test plan. CC ID 14297 Establish/Maintain Documentation Preventive
    Include the scope in the test plans. CC ID 14293 Establish/Maintain Documentation Preventive
    Include the assessment environment in the test plan. CC ID 14271 Establish/Maintain Documentation Preventive
    Approve the system security plan. CC ID 14241 Business Processes Preventive
    Adhere to the system security plan. CC ID 11640 Testing Detective
    Review the test plans for each system component. CC ID 00662 Establish/Maintain Documentation Preventive
    Validate all testing assumptions in the test plans. CC ID 00663 Testing Detective
    Document validated testing processes in the testing procedures. CC ID 06200 Establish/Maintain Documentation Preventive
    Require testing procedures to be complete. CC ID 00664 Testing Detective
    Include error details, identifying the root causes, and mitigation actions in the testing procedures. CC ID 11827 Establish/Maintain Documentation Preventive
    Determine the appropriate assessment method for each testing process in the test plan. CC ID 00665 Testing Preventive
    Implement automated audit tools. CC ID 04882
    [With respect to specific software types, determine whether management does the following: For system auditing software: Uses system auditing software to augment audit personnel. App A Objective 13:6f Bullet 1]
    Acquisition/Sale of Assets or Services Preventive
    Assign senior management to approve test plans. CC ID 13071 Human Resources Management Preventive
    Analyze system audit reports and determine the need to perform more tests. CC ID 00666
    [{independent assurance report}{be independent}Review past reports for outstanding issues or previous problems. Consider the following: Independent assurance and security reports (e.g., penetration tests and vulnerability assessments) and internal reports that self-identify concerns related to AIO issues. App A Objective 1:1d]
    Testing Detective
    Monitor devices continuously for conformance with production specifications. CC ID 06201
    [Additionally, determine whether the following security and monitoring mitigation strategies are in place: Monitors telecommunications traffic and periodically reviews network devices. App A Objective 13:3k]
    Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a testing program. CC ID 00654
    [Validating through audits and other independent assessments that the following are comprehensive, meet enterprise-wide business and strategic plan objectives, and can assist in the identification of AIO-related risk. Infrastructure testing. App A Objective 2:4a Bullet 2
    {internal testing}With respect to design objectives, determine whether management does the following: Includes the following aspects in its architecture design: Testing internally and with third-party service providers, as appropriate. App A Objective 12:4c Bullet 9]
    Behavior Preventive
    Conduct Red Team exercises, as necessary. CC ID 12131 Technical Security Detective
    Establish, implement, and maintain a security assessment and authorization policy. CC ID 14031 Establish/Maintain Documentation Preventive
    Establish and maintain a scoring method for Red Team exercise results. CC ID 12136 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the security assessment and authorization policy. CC ID 14222 Establish/Maintain Documentation Preventive
    Include the scope in the security assessment and authorization policy. CC ID 14220 Establish/Maintain Documentation Preventive
    Include the purpose in the security assessment and authorization policy. CC ID 14219 Establish/Maintain Documentation Preventive
    Disseminate and communicate the security assessment and authorization policy to interested personnel and affected parties. CC ID 14218 Communicate Preventive
    Include management commitment in the security assessment and authorization policy. CC ID 14189 Establish/Maintain Documentation Preventive
    Include compliance requirements in the security assessment and authorization policy. CC ID 14183 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the security assessment and authorization policy. CC ID 14179 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain security assessment and authorization procedures. CC ID 14056 Establish/Maintain Documentation Preventive
    Disseminate and communicate security assessment and authorization procedures to interested personnel and affected parties. CC ID 14224 Communicate Preventive
    Employ third parties to carry out testing programs, as necessary. CC ID 13178
    [{internal testing}With respect to design objectives, determine whether management does the following: Includes the following aspects in its architecture design: Testing internally and with third-party service providers, as appropriate. App A Objective 12:4c Bullet 9]
    Human Resources Management Preventive
    Test security systems and associated security procedures, as necessary. CC ID 11901
    [Regardless of entity size, determine whether management incorporated the following: Analysis of the functionality, including security and resilience, of legacy systems and identification of gaps. App A Objective 12:6b
    With respect to specific software types, determine whether management does the following: For system auditing software: Uses the software to assist in the identification of gaps in infrastructure security and resilience. App A Objective 13:6f Bullet 2]
    Technical Security Detective
    Define the test requirements for each testing program. CC ID 13177 Establish/Maintain Documentation Preventive
    Test in scope systems for segregation of duties, as necessary. CC ID 13906 Testing Detective
    Include test requirements for the use of human subjects in the testing program. CC ID 16222 Testing Preventive
    Test the in scope system in accordance with its intended purpose. CC ID 14961
    [Regardless of entity size, determine whether management incorporated the following: Analysis of the functionality, including security and resilience, of legacy systems and identification of gaps. App A Objective 12:6b]
    Testing Preventive
    Perform network testing in accordance with organizational standards. CC ID 16448 Testing Preventive
    Test user accounts in accordance with organizational standards. CC ID 16421 Testing Preventive
    Identify risk management measures when testing in scope systems. CC ID 14960 Process or Activity Detective
    Scan organizational networks for rogue devices. CC ID 00536
    [Assess whether management performs the following: Has processes to monitor, identify, and remove shadow IT that can be evaluated by internal audit. App A Objective 4:5f
    Assess whether management performs the following: Considers the use of IT detection tools to monitor for and identify shadow IT. App A Objective 4:5c
    With respect to design objectives, determine whether management does the following: Includes considerations for avoiding the potential for shadow IT and the capability to monitor and alert for its use. App A Objective 12:4d
    As part of these processes, determine whether management does the following: Identifies unauthorized technology assets and determines their disposition. App A Objective 13:2a
    Assess whether management performs the following: Establishes IT governance practices and security controls for shadow IT, including policies, standards, and procedures. App A Objective 4:5a
    Assess whether management performs the following: Considers appropriate methods to address shadow IT, including: App A Objective 4:5e
    {unapproved software}{unapproved service} Determine whether management understands and communicates the risks of shadow IT to entity personnel. Additionally, determine whether internal audit evaluates management's processes to monitor, identify, and remove unapproved devices, software, or services. Assess whether management performs the following: App A Objective 4:5
    Examiners should review for the following: Processes to prevent and detect unknown or unapproved technology (called shadow IT). III.B Action Summary ¶ 2 Bullet 4
    Examiners should review for the following: Development of appropriate design objectives, including changes, EOL, and identification of shadow IT. IV Action Summary ¶ 2 Bullet 4]
    Testing Detective
    Include mechanisms for emergency stops in the testing program. CC ID 14398 Establish/Maintain Documentation Preventive
    Scan the network for wireless access points. CC ID 00370 Testing Detective
    Document the business need justification for authorized wireless access points. CC ID 12044 Establish/Maintain Documentation Preventive
    Scan wireless networks for rogue devices. CC ID 11623 Technical Security Detective
    Test the wireless device scanner's ability to detect rogue devices. CC ID 06859 Testing Detective
    Implement incident response procedures when rogue devices are discovered. CC ID 11880 Technical Security Corrective
    Alert appropriate personnel when rogue devices are discovered on the network. CC ID 06428 Monitor and Evaluate Occurrences Corrective
    Deny network access to rogue devices until network access approval has been received. CC ID 11852 Configuration Preventive
    Isolate rogue devices after a rogue device has been detected. CC ID 07061
    [Assess whether management performs the following: Has processes to monitor, identify, and remove shadow IT that can be evaluated by internal audit. App A Objective 4:5f
    Considers appropriate methods to address shadow IT, including: Determining appropriate disposition of shadow IT. App A Objective 4:5e Bullet 5
    As part of these processes, determine whether management does the following: Identifies unauthorized technology assets and determines their disposition. App A Objective 13:2a]
    Configuration Corrective
    Establish, implement, and maintain conformity assessment procedures. CC ID 15032
    [Determine whether the entity's risk management processes include the following governance mechanisms: Internal audit, independent reviews, and certifications. App A Objective 2:1f]
    Establish/Maintain Documentation Preventive
    Share conformity assessment results with affected parties and interested personnel. CC ID 15113 Communicate Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been issued. CC ID 15112 Communicate Preventive
    Notify affected parties and interested personnel of technical documentation assessment certificates that have been refused, withdrawn, suspended, or restricted. CC ID 15111 Communicate Preventive
    Create technical documentation assessment certificates in an official language. CC ID 15110 Establish/Maintain Documentation Preventive
    Opt out of third party conformity assessments when the system meets harmonized standards. CC ID 15096 Testing Preventive
    Perform conformity assessments, as necessary. CC ID 15095 Testing Detective
    Establish, implement, and maintain a port scan baseline for all in scope systems. CC ID 12134 Technical Security Detective
    Define the test frequency for each testing program. CC ID 13176 Establish/Maintain Documentation Preventive
    Compare port scan reports for in scope systems against their port scan baseline. CC ID 12162 Establish/Maintain Documentation Detective
    Establish, implement, and maintain a stress test program for identification cards or badges. CC ID 15424 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a penetration test program. CC ID 01105 Behavior Preventive
    Disseminate and communicate the testing program to all interested personnel and affected parties. CC ID 11871 Communicate Preventive
    Align the penetration test program with industry standards. CC ID 12469 Establish/Maintain Documentation Preventive
    Assign penetration testing to a qualified internal resource or external third party. CC ID 06429 Establish Roles Preventive
    Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation. CC ID 11958 Testing Preventive
    Retain penetration test results according to internal policy. CC ID 10049 Records Management Preventive
    Retain penetration test remediation action records according to internal policy. CC ID 11629 Records Management Preventive
    Use dedicated user accounts when conducting penetration testing. CC ID 13728 Testing Detective
    Remove dedicated user accounts after penetration testing is concluded. CC ID 13729 Testing Corrective
    Perform penetration tests, as necessary. CC ID 00655 Testing Detective
    Perform internal penetration tests, as necessary. CC ID 12471 Technical Security Detective
    Perform external penetration tests, as necessary. CC ID 12470 Technical Security Detective
    Include coverage of all in scope systems during penetration testing. CC ID 11957 Testing Detective
    Test the system for broken access controls. CC ID 01319 Testing Detective
    Test the system for broken authentication and session management. CC ID 01320 Testing Detective
    Test the system for insecure communications. CC ID 00535 Testing Detective
    Test the system for cross-site scripting attacks. CC ID 01321 Testing Detective
    Test the system for buffer overflows. CC ID 01322 Testing Detective
    Test the system for injection flaws. CC ID 01323 Testing Detective
    Ensure protocols are free from injection flaws. CC ID 16401 Process or Activity Preventive
    Test the system for Denial of Service. CC ID 01326 Testing Detective
    Test the system for insecure configuration management. CC ID 01327 Testing Detective
    Perform network-layer penetration testing on all systems, as necessary. CC ID 01277 Testing Detective
    Test the system for cross-site request forgery. CC ID 06296 Testing Detective
    Perform application-layer penetration testing on all systems, as necessary. CC ID 11630 Technical Security Detective
    Perform penetration testing on segmentation controls, as necessary. CC ID 12498 Technical Security Detective
    Verify segmentation controls are operational and effective. CC ID 12545 Audits and Risk Management Detective
    Repeat penetration testing, as necessary. CC ID 06860 Testing Detective
    Test the system for covert channels. CC ID 10652 Testing Detective
    Estimate the maximum bandwidth of any covert channels. CC ID 10653 Technical Security Detective
    Reduce the maximum bandwidth of covert channels. CC ID 10655 Technical Security Corrective
    Test systems to determine which covert channels might be exploited. CC ID 10654 Testing Detective
    Establish, implement, and maintain a business line testing strategy. CC ID 13245 Establish/Maintain Documentation Preventive
    Include facilities in the business line testing strategy. CC ID 13253 Establish/Maintain Documentation Preventive
    Include electrical systems in the business line testing strategy. CC ID 13251 Establish/Maintain Documentation Preventive
    Include mechanical systems in the business line testing strategy. CC ID 13250 Establish/Maintain Documentation Preventive
    Include Heating Ventilation and Air Conditioning systems in the business line testing strategy. CC ID 13248 Establish/Maintain Documentation Preventive
    Include emergency power supplies in the business line testing strategy. CC ID 13247 Establish/Maintain Documentation Preventive
    Include environmental controls in the business line testing strategy. CC ID 13246 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a vulnerability management program. CC ID 15721 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a vulnerability assessment program. CC ID 11636
    [{vulnerability management process}Examiners should review for the following: Effective vulnerability and patch management processes. VI.B Action Summary ¶ 2 Bullet 3
    Evaluate whether management has a process to determine appropriate deployment environments (e.g., in-house or serviced, virtualization and cloud, or hybrid) as part of the design process. Determine whether the process includes the following considerations: Type of virtualization solution and design risks associated with the following elements: Containers, including the design for storing data outside of the container and implementation of vulnerability management processes, segmentation, and the ability to monitor containers. App A Objective 12:5c Bullet 3
    With internally developed software, evaluate whether management is responsible for maintaining the software, and entity personnel have the resources and expertise to stay abreast of vulnerabilities and develop software updates and patches. App A Objective 13:5a
    Additionally, determine the effectiveness of the following: Management implements a vulnerability management program that identifies systems and software vulnerabilities, prioritizes the vulnerabilities and the affected systems in order of risk, and performs timely remediation according to the risk of the vulnerability. The vulnerability management program includes the following: App A Objective 15:3a]
    Establish/Maintain Documentation Preventive
    Perform vulnerability scans, as necessary. CC ID 11637
    [{hardware inventory}{software inventory}The vulnerability management program includes the following: Vulnerability scans of all systems and software in the entity's hardware, software, and telecommunications inventories. App A Objective 15:3a Bullet 4]
    Technical Security Detective
    Repeat vulnerability scanning, as necessary. CC ID 11646 Testing Detective
    Identify and document security vulnerabilities. CC ID 11857
    [Additionally, determine the effectiveness of the following: Management implements a vulnerability management program that identifies systems and software vulnerabilities, prioritizes the vulnerabilities and the affected systems in order of risk, and performs timely remediation according to the risk of the vulnerability. The vulnerability management program includes the following: App A Objective 15:3a]
    Technical Security Detective
    Rank discovered vulnerabilities. CC ID 11940
    [Additionally, determine the effectiveness of the following: Management implements a vulnerability management program that identifies systems and software vulnerabilities, prioritizes the vulnerabilities and the affected systems in order of risk, and performs timely remediation according to the risk of the vulnerability. The vulnerability management program includes the following: App A Objective 15:3a]
    Investigate Detective
    Use dedicated user accounts when conducting vulnerability scans. CC ID 12098
    [The vulnerability management program includes the following: Use of dedicated accounts for authenticated vulnerability scans. App A Objective 15:3a Bullet 6]
    Technical Security Preventive
    Assign vulnerability scanning to qualified personnel or external third parties. CC ID 11638 Technical Security Detective
    Record the vulnerability scanning activity in the vulnerability scan report. CC ID 12097 Establish/Maintain Documentation Preventive
    Disseminate and communicate the vulnerability scan results to interested personnel and affected parties. CC ID 16418 Communicate Preventive
    Maintain vulnerability scan reports as organizational records. CC ID 12092 Records Management Preventive
    Correlate vulnerability scan reports from the various systems. CC ID 10636 Technical Security Detective
    Perform internal vulnerability scans, as necessary. CC ID 00656 Testing Detective
    Perform vulnerability scans prior to installing payment applications. CC ID 12192 Technical Security Detective
    Implement scanning tools, as necessary. CC ID 14282
    [{be current}The vulnerability management program includes the following: Processes to periodically assess systems and software for vulnerabilities using scanners with current vulnerability lists. App A Objective 15:3a Bullet 3]
    Technical Security Detective
    Update the vulnerability scanners' vulnerability list. CC ID 10634
    [{be current}The vulnerability management program includes the following: Processes to periodically assess systems and software for vulnerabilities using scanners with current vulnerability lists. App A Objective 15:3a Bullet 3]
    Configuration Corrective
    Repeat vulnerability scanning after an approved change occurs. CC ID 12468 Technical Security Detective
    Perform external vulnerability scans, as necessary. CC ID 11624 Technical Security Detective
    Employ an approved third party to perform external vulnerability scans on the organization's systems. CC ID 12467 Business Processes Preventive
    Meet the requirements for a passing score during an external vulnerability scan or rescan. CC ID 12039 Testing Preventive
    Use automated mechanisms to compare new vulnerability scan reports with past vulnerability scan reports. CC ID 10635 Technical Security Detective
    Notify the interested personnel and affected parties after the failure of an automated security test. CC ID 06748 Behavior Corrective
    Perform vulnerability assessments, as necessary. CC ID 11828 Technical Security Corrective
    Review applications for security vulnerabilities after the application is updated. CC ID 11938 Technical Security Detective
    Test the system for unvalidated input. CC ID 01318 Testing Detective
    Test the system for proper error handling. CC ID 01324 Testing Detective
    Test the system for insecure data storage. CC ID 01325 Testing Detective
    Test the system for access control enforcement in all Uniform Resource Locators. CC ID 06297 Testing Detective
    Approve the vulnerability management program. CC ID 15722 Process or Activity Preventive
    Assign ownership of the vulnerability management program to the appropriate role. CC ID 15723 Establish Roles Preventive
    Perform penetration tests and vulnerability scans in concert, as necessary. CC ID 12111 Technical Security Preventive
    Test the system for insecure cryptographic storage. CC ID 11635 Technical Security Detective
    Perform self-tests on cryptographic modules within the system. CC ID 06537 Testing Detective
    Perform power-up tests on cryptographic modules within the system. CC ID 06538 Testing Detective
    Perform conditional tests on cryptographic modules within the system. CC ID 06539 Testing Detective
    Test in scope systems for compliance with the Configuration Baseline Documentation Record. CC ID 12130 Configuration Detective
    Recommend mitigation techniques based on vulnerability scan reports. CC ID 11639 Technical Security Corrective
    Disallow the use of payment applications when a vulnerability scan report indicates vulnerabilities are present. CC ID 12188 Configuration Corrective
    Recommend mitigation techniques based on penetration test results. CC ID 04881 Establish/Maintain Documentation Corrective
    Correct or mitigate vulnerabilities. CC ID 12497
    [Additionally, determine the effectiveness of the following: Management implements a vulnerability management program that identifies systems and software vulnerabilities, prioritizes the vulnerabilities and the affected systems in order of risk, and performs timely remediation according to the risk of the vulnerability. The vulnerability management program includes the following: App A Objective 15:3a
    The vulnerability management program includes the following: Processes to monitor industry third parties (e.g., US-CERT, NIST, and FS-ISAC) that report vulnerability exposures and address any relevant exposures within the entity's systems and software. App A Objective 15:3a Bullet 2]
    Technical Security Corrective
    Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated. CC ID 13859 Technical Security Corrective
    Establish, implement, and maintain a service management monitoring and metrics program. CC ID 13916
    [Considers the following as part of its service management planning: Metrics and measurements used to evaluate service management effectiveness. App A Objective 16:1a Bullet 6
    Examiners should review for the following: Effective planning processes for service management that consider services offered, SLAs and contractual provisions, known limitations, and metrics and measurements. VI.C Action Summary ¶ 2 Bullet 1]
    Establish/Maintain Documentation Preventive
    Communicate trends in service management to all interested personnel and affected parties. CC ID 13926 Communicate Preventive
    Monitor service availability when implementing the service management monitoring and metrics program. CC ID 13921 Monitor and Evaluate Occurrences Detective
    Compare the performance metrics of service availability against their targets, as necessary. CC ID 13922 Monitor and Evaluate Occurrences Detective
    Establish, implement, and maintain a compliance monitoring policy. CC ID 00671 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics policy. CC ID 01654 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain an approach for compliance monitoring. CC ID 01653
    [Examiners should review for the following: Tracking mechanisms and processes are in place to monitor issues related to AIO to their resolution. II.A Action Summary ¶ 2 Bullet 3
    Additionally, evaluate whether management does the following: Automates the collection of KPIs, where possible. App A Objective 17:2c
    The vulnerability management program includes the following: Methods to track and report on nonconformance to entity policies and the timeliness and remediation progress of all identified vulnerabilities, including those related to security procedures, physical layout, or internal controls. App A Objective 15:3a Bullet 7
    Additionally, evaluate whether management does the following: Regularly reviews KPI reports and provides appropriate reporting up to the board. App A Objective 17:2e]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain risk management metrics. CC ID 01656
    [{risk metric}An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Risk tolerances and risk and performance metrics for AIO activities. App A Objective 2:8b Bullet 7
    Evaluate whether the following activities are performed: Management measures performance and risks against defined baseline metrics. App A Objective 2:13d
    Additionally, evaluate whether management does the following: Aligns KPIs with the entity's ERM processes and uses those KPIs to assess the performance of IT and operations across the entity. App A Objective 17:2a
    Examiners should review for the following: KPIs that align with the entity's ERM processes. VI.D Action Summary ¶ 2 Bullet 4]
    Establish/Maintain Documentation Preventive
    Report on the percentage of critical assets for which an assurance strategy is implemented. CC ID 01657 Actionable Reports or Measurements Detective
    Report on the percentage of key organizational functions for which an assurance strategy is implemented. CC ID 01658 Actionable Reports or Measurements Detective
    Report on the percentage of key compliance requirements for which an assurance strategy has been implemented. CC ID 01659 Actionable Reports or Measurements Detective
    Report on the percentage of the Information System budget allocated to Information Security. CC ID 04571 Actionable Reports or Measurements Detective
    Identify information being used to support the performance of the governance, risk, and compliance capability. CC ID 12866 Business Processes Preventive
    Identify information being used to support performance reviews for risk optimization. CC ID 12865 Audits and Risk Management Preventive
    Monitor personnel and third parties for compliance to the organizational compliance framework. CC ID 04726
    [Review the following and evaluate their effectiveness: Reviewing and monitoring of activities performed during rotation of duties. App A Objective 14:4f
    If the entity has outsourcing arrangements, evaluate whether management does the following: Monitors third-party service providers as part of the entity's third-party risk management program. App A Objective 17:1d Bullet 1
    If the entity has outsourcing arrangements, evaluate whether management does the following: Monitors third-party service provider's ability to meet defined SLAs, compliance with identified action plans when they are not met, and remuneration of penalty fees when appropriate. App A Objective 17:1d Bullet 3]
    Monitor and Evaluate Occurrences Detective
    Identify and document instances of non-compliance with the compliance framework. CC ID 06499
    [Review preliminary conclusions with the examiner-in-charge regarding the following: Apparent violations of laws and regulations. App A Objective 18:1a
    Review preliminary conclusions with the examiner-in-charge regarding the following: Significant issues warranting inclusion in the report of examination. App A Objective 18:1b
    Whether auditors or reviewers: Identify and report AIO issues to senior management and the board. App A Objective 2:11e Bullet 3]
    Establish/Maintain Documentation Preventive
    Align enforcement reviews for non-compliance with organizational risk tolerance. CC ID 13063 Business Processes Detective
    Determine the causes of compliance violations. CC ID 12401
    [Considers appropriate methods to address shadow IT, including: Identifying security risks associated with shadow IT in use and determining whether there is malicious intent. App A Objective 4:5e Bullet 1
    Considers appropriate methods to address shadow IT, including: Identifying the reason for its use. App A Objective 4:5e Bullet 2
    If the entity has outsourcing arrangements, evaluate whether management does the following: Receives reports that include effectiveness of security controls, performance metrics, resolved versus outstanding issues, and root causes of problems in reports from third-party service providers. App A Objective 17:1d Bullet 2]
    Investigate Corrective
    Identify and document events surrounding non-compliance with the organizational compliance framework. CC ID 12935 Establish/Maintain Documentation Preventive
    Determine if multiple compliance violations of the same type could occur. CC ID 12402 Investigate Detective
    Correct compliance violations. CC ID 13515 Process or Activity Corrective
    Review the effectiveness of disciplinary actions carried out for compliance violations. CC ID 12403 Investigate Detective
    Carry out disciplinary actions when a compliance violation is detected. CC ID 06675 Behavior Corrective
    Align disciplinary actions with the level of compliance violation. CC ID 12404 Human Resources Management Preventive
    Establish, implement, and maintain disciplinary action notices. CC ID 16577 Establish/Maintain Documentation Preventive
    Include a copy of the order in the disciplinary action notice. CC ID 16606 Establish/Maintain Documentation Preventive
    Include the sanctions imposed in the disciplinary action notice. CC ID 16599 Establish/Maintain Documentation Preventive
    Include the effective date of the sanctions in the disciplinary action notice. CC ID 16589 Establish/Maintain Documentation Preventive
    Include the requirements that were violated in the disciplinary action notice. CC ID 16588 Establish/Maintain Documentation Preventive
    Include responses to charges from interested personnel and affected parties in the disciplinary action notice. CC ID 16587 Establish/Maintain Documentation Preventive
    Include the reasons for imposing sanctions in the disciplinary action notice. CC ID 16586 Establish/Maintain Documentation Preventive
    Disseminate and communicate the disciplinary action notice to interested personnel and affected parties. CC ID 16585 Communicate Preventive
    Include required information in the disciplinary action notice. CC ID 16584 Establish/Maintain Documentation Preventive
    Include a justification for actions taken in the disciplinary action notice. CC ID 16583 Establish/Maintain Documentation Preventive
    Include a statement on the conclusions of the investigation in the disciplinary action notice. CC ID 16582 Establish/Maintain Documentation Preventive
    Include the investigation results in the disciplinary action notice. CC ID 16581 Establish/Maintain Documentation Preventive
    Include a description of the causes of the actions taken in the disciplinary action notice. CC ID 16580 Establish/Maintain Documentation Preventive
    Include the name of the person responsible for the charges in the disciplinary action notice. CC ID 16579 Establish/Maintain Documentation Preventive
    Include contact information in the disciplinary action notice. CC ID 16578 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain compliance program metrics. CC ID 11625 Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a security program metrics program. CC ID 01660 Establish/Maintain Documentation Preventive
    Report on the policies and controls that have been implemented by management. CC ID 01670 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key management roles metrics standard. CC ID 11631 Establish/Maintain Documentation Preventive
    Report on the percentage of security management roles that have been assigned. CC ID 01671 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a key stakeholder metrics program. CC ID 01661 Establish/Maintain Documentation Preventive
    Report on the percentage of board meetings or committee meetings at which Information Assurance was on the agenda. CC ID 01672 Actionable Reports or Measurements Detective
    Establish, implement, and maintain a supply chain member metrics program. CC ID 01662 Establish/Maintain Documentation Preventive
    Report on the percentage of supply chain members for which all Information Assurance requirements have been implemented. CC ID 01675 Actionable Reports or Measurements Detective
    Report on the Service Level Agreement performance of supply chain members. CC ID 06838 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a Business Continuity metrics program. CC ID 01663 Establish/Maintain Documentation Preventive
    Report on the percentage of organizational units that have an established Business Continuity Plan. CC ID 01676 Actionable Reports or Measurements Detective
    Report on the percentage of organizational units with a documented Business Continuity Plan for which specific responsibilities have been assigned. CC ID 02057 Actionable Reports or Measurements Detective
    Report on the percentage of Business Continuity Plans that have been reviewed, tested, and updated. CC ID 02058 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an audit metrics program. CC ID 01664 Establish/Maintain Documentation Preventive
    Report on the percentage of needed internal audits that have been completed and reviewed. CC ID 01677 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security requirements from applicable laws and regulations that are included in the audit program. CC ID 02069 Actionable Reports or Measurements Detective
    Report on the percentage of needed external audits that have been completed and reviewed. CC ID 11632 Actionable Reports or Measurements Detective
    Report on the percentage of Information Security audits conducted in compliance with the approved audit program. CC ID 02070 Actionable Reports or Measurements Detective
    Report on the percentage of audit findings that have been resolved since the last audit. CC ID 01678 Actionable Reports or Measurements Detective
    Report on the percentage of management actions in response to audit findings and audit recommendations that were implemented in a timely way. CC ID 02071 Actionable Reports or Measurements Detective
    Establish, implement, and maintain an Information Security metrics program. CC ID 01665
    [Evaluate the effectiveness of the assignment of the following responsibilities: Data-related responsibilities: Definition of a data strategy, evaluation of data and its usage (including the consideration of data planning and the analytics platform), and development of metrics for monitoring data activities. App A Objective 2:9b Bullet 8]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a metrics standard and template. CC ID 02157
    [Examiners should review for the following: Defined objectives for IT, operations, and key performance indicators (KPI). VI.D Action Summary ¶ 2 Bullet 3
    {risk metric}An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Risk tolerances and risk and performance metrics for AIO activities. App A Objective 2:8b Bullet 7
    Determine whether the entity's policies, standards, and procedures address change management, including each step of the change process. Assess whether the process includes the following: Identification of metrics to track the efficiency and success of the change. App A Objective 6:3e
    Determine whether management defines objectives for IT and operations and KPIs to help management measure those objectives. Additionally, evaluate whether management does the following: App A Objective 17:2
    Additionally, evaluate whether management does the following: Sets KPI benchmarks to achieve and analyzes deviations from those benchmarks. App A Objective 17:2b
    {be useful}Additionally, evaluate whether management does the following: Has a useful set of KPIs. App A Objective 17:2d]
    Establish/Maintain Documentation Preventive
    Monitor compliance with the Quality Control system. CC ID 01023
    [{service improvement}Examiners should review for the following: Strategies for service and process improvement and methods to measure the results of those improvement efforts. VI.D Action Summary ¶ 2 Bullet 8]
    Actionable Reports or Measurements Preventive
    Report on the percentage of complaints received about products or delivered services. CC ID 07199 Actionable Reports or Measurements Preventive
    Report on the percentage of Quality Assurance attained by Quality Improvement practices. CC ID 07202 Actionable Reports or Measurements Preventive
    Establish, implement, and maintain a log management program. CC ID 00673
    [Determine whether management has a log management process to use logs to identify, track, analyze, and resolve problems that occur during day-to-day operations. Describe how management collects and collates logs and how management uses logs to respond to issues. Evaluate how management addresses the following: App A Objective 15:7
    Evaluate how management addresses the following: Implementation of policies, standards, and procedures for log management activities that address the following: App A Objective 15:7b]
    Establish/Maintain Documentation Preventive
    Deploy log normalization tools, as necessary. CC ID 12141 Technical Security Preventive
    Restrict access to logs to authorized individuals. CC ID 01342
    [Implementation of policies, standards, and procedures for log management activities that address the following: Controls to restrict access to log settings. App A Objective 15:7b Bullet 3]
    Log Management Preventive
    Restrict access to audit trails to a need to know basis. CC ID 11641 Technical Security Preventive
    Refrain from recording unnecessary restricted data in logs. CC ID 06318 Log Management Preventive
    Back up audit trails according to backup procedures. CC ID 11642 Systems Continuity Preventive
    Back up logs according to backup procedures. CC ID 01344 Log Management Preventive
    Copy logs from all predefined hosts onto a log management infrastructure. CC ID 01346 Log Management Preventive
    Identify hosts with logs that are not being stored. CC ID 06314 Log Management Preventive
    Identify hosts with logs that are being stored at the system level only. CC ID 06315 Log Management Preventive
    Identify hosts with logs that should be stored at both the system level and the infrastructure level. CC ID 06316 Log Management Preventive
    Identify hosts with logs that are being stored at the infrastructure level only. CC ID 06317 Log Management Preventive
    Protect logs from unauthorized activity. CC ID 01345
    [Evaluate how management addresses the following: Implementation of controls to protect logs. App A Objective 15:7e]
    Log Management Preventive
    Perform testing and validating activities on all logs. CC ID 06322 Log Management Preventive
    Archive the audit trail in accordance with compliance requirements. CC ID 00674
    [Implementation of policies, standards, and procedures for log management activities that address the following: Retention time frames and storage policies of logs. App A Objective 15:7b Bullet 5]
    Log Management Preventive
    Enforce dual authorization as a part of information flow control for logs. CC ID 10098 Configuration Preventive
    Preserve the identity of individuals in audit trails. CC ID 10594 Log Management Preventive
    Establish, implement, and maintain a cross-organizational audit sharing agreement. CC ID 10595 Establish/Maintain Documentation Preventive
    Provide cross-organizational audit information based on the cross-organizational audit sharing agreement. CC ID 10596 Audits and Risk Management Preventive
    Monitor the performance of the governance, risk, and compliance capability. CC ID 12857
    [Examiners should review for the following: Implementation of processes to monitor and report on control effectiveness. VI.D Action Summary ¶ 2 Bullet 1
    Determine whether board oversight includes the following: Reviewing AIO operating results and performance (e.g., audit reporting, testing results, and management and assessment reports). App A Objective 2:3e
    {continuous improvement} Determine whether management uses control self-assessments, risk control self-assessments, or other methods to monitor the effectiveness of IT operations controls and gauge performance, assess the criticality of systems, and identify existing risks. Determine whether management evaluates results and uses them to continuously improve the entity's operations. App A Objective 17:3]
    Monitor and Evaluate Occurrences Preventive
    Establish, implement, and maintain a corrective action plan. CC ID 00675
    [Examiners should review for the following: Implementation of corrective action plans when KPIs do not meet established targets. VI.D Action Summary ¶ 2 Bullet 6
    Discuss corrective action and communicate findings. App A Objective 18
    Additionally, evaluate whether management does the following: Implements corrective action plans to address deviations or negative trends, assigns individuals responsible, and monitors progress to completion. App A Objective 17:2f
    Establishment and maintenance of appropriate processes and controls, including: Developing longer-term action plans to monitor and address issues. App A Objective 16:4b Bullet 10]
    Monitor and Evaluate Occurrences Detective
    Align corrective actions with the level of environmental impact. CC ID 15193 Business Processes Preventive
    Include risks and opportunities in the corrective action plan. CC ID 15178 Establish/Maintain Documentation Preventive
    Include environmental aspects in the corrective action plan. CC ID 15177 Establish/Maintain Documentation Preventive
    Include the completion date in the corrective action plan. CC ID 13272 Establish/Maintain Documentation Preventive
    Include monitoring in the corrective action plan. CC ID 11645
    [{previous audit}Review management's response to issues identified during or subsequent to the last examination. Consider the following: Retesting to validate corrective action. App A Objective 1:2d
    Additionally, evaluate whether management does the following: Implements corrective action plans to address deviations or negative trends, assigns individuals responsible, and monitors progress to completion. App A Objective 17:2f
    The vulnerability management program includes the following: Methods to track and report on nonconformance to entity policies and the timeliness and remediation progress of all identified vulnerabilities, including those related to security procedures, physical layout, or internal controls. App A Objective 15:3a Bullet 7
    Establishment and maintenance of appropriate processes and controls, including: Developing longer-term action plans to monitor and address issues. App A Objective 16:4b Bullet 10]
    Monitor and Evaluate Occurrences Detective
    Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary. CC ID 00676
    [Examiners should review for the following: Processes for reporting KPIs to the board. VI.D Action Summary ¶ 2 Bullet 5
    Examiners should review for the following: Implementation of processes to monitor and report on control effectiveness. VI.D Action Summary ¶ 2 Bullet 1
    Evaluate whether the following activities are performed: Management reports to the board periodically on the status of AIO initiatives, progress, issues, and metrics. App A Objective 2:13a
    Examiners should review for the following: Board regularly receives reports on AIO functions and activities from management. II.A Action Summary ¶ 2 Bullet 1
    The vulnerability management program includes the following: Methods to track and report on nonconformance to entity policies and the timeliness and remediation progress of all identified vulnerabilities, including those related to security procedures, physical layout, or internal controls. App A Objective 15:3a Bullet 7
    Additionally, evaluate whether management does the following: Regularly reviews KPI reports and provides appropriate reporting up to the board. App A Objective 17:2e
    Evaluate the following: The operations team reports performance metrics to senior management and other stakeholders. App A Objective 17:1b
    Determine whether management implements processes to monitor IT operations and periodically reports on the effectiveness of established controls to senior management and other stakeholders. Evaluate the following: App A Objective 17:1]
    Actionable Reports or Measurements Corrective
    Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis. CC ID 12330
    [Establishment and maintenance of appropriate processes and controls, including: Reporting on the progress of the action plans to senior management. App A Objective 16:4b Bullet 11
    As part of the entity's operational support processes, determine whether the following is performed: Operational support personnel report errors or problems with the systems or software and provide updates on resolution. App A Objective 16:2b]
    Monitor and Evaluate Occurrences Preventive
    Report known security issues to interested personnel and affected parties on a regular basis. CC ID 12329
    [Determine whether the entity's risk management processes include the following governance mechanisms: Board and senior management reporting. App A Objective 2:1h
    Evaluate whether the following activities are performed: Management reports to the board periodically on the status of AIO initiatives, progress, issues, and metrics. App A Objective 2:13a
    Whether auditors or reviewers: Identify and report AIO issues to senior management and the board. App A Objective 2:11e Bullet 3
    Evaluate the effectiveness of the assignment of the following responsibilities: Architecture-related responsibilities: Communication of challenges to the board and senior management. App A Objective 2:9a Bullet 4]
    Monitor and Evaluate Occurrences Preventive
  • Operational and Systems Continuity
    Operational and Systems Continuity CC ID 00731 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a business continuity program. CC ID 13210
    [Management adequately considers and implements resilience as part of the entity's risk mitigation strategy for AIO. (III.F, "Resilience") App A Objective 8
    Assess whether management does the following: Ensures the entity's business strategy and reliance on business functions drive the design for the entity's resilience. App A Objective 8:2b
    {service process} Management should develop and implement service and support processes. These processes should be designed to support an entity's strategic goals and objectives by preventing issues, ensuring continuous reliability and resilience, and supporting users (e.g., business lines, personnel, and customers). VI.C Action Summary ¶ 1
    {Information Technology infrastructure control program} Management should implement an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity's business objectives. Management should develop, document, and implement infrastructure control policies, standards, and procedures to safeguard facilities, technology, data, and personnel. IT infrastructure implementation practices should include redundancy and resilience for physical infrastructure elements and related products, services, and telecommunications. V Action Summary ¶ 1]
    Establish/Maintain Documentation Preventive
    Involve auditors in reviewing and testing the business continuity program. CC ID 13211 Testing Detective
    Evaluate the effectiveness of auditors reviewing and testing the business continuity program. CC ID 13212 Investigate Detective
    Evaluate the effectiveness of auditors reviewing and testing business continuity capabilities. CC ID 13218 Investigate Detective
    Establish, implement, and maintain a business continuity policy. CC ID 12405 Establish/Maintain Documentation Preventive
    Include compliance requirements in the business continuity policy. CC ID 14237 Establish/Maintain Documentation Preventive
    Include coordination amongst entities in the business continuity policy. CC ID 14235 Establish/Maintain Documentation Preventive
    Include management commitment in the business continuity policy. CC ID 14233 Establish/Maintain Documentation Preventive
    Include the scope in the business continuity policy. CC ID 14231 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the business continuity policy. CC ID 14190 Establish/Maintain Documentation Preventive
    Disseminate and communicate the business continuity policy to interested personnel and affected parties. CC ID 14198 Communicate Preventive
    Include the purpose in the business continuity policy. CC ID 14188 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a business continuity testing policy. CC ID 13235 Establish/Maintain Documentation Preventive
    Include testing cycles and test scope in the business continuity testing policy. CC ID 13236 Establish/Maintain Documentation Preventive
    Include documentation requirements in the business continuity testing policy. CC ID 14377 Establish/Maintain Documentation Preventive
    Include reporting requirements in the business continuity testing policy. CC ID 14397 Establish/Maintain Documentation Preventive
    Include test requirements for crisis management in the business continuity testing policy. CC ID 13240 Establish/Maintain Documentation Preventive
    Include test requirements for support functions in the business continuity testing policy. CC ID 13239 Establish/Maintain Documentation Preventive
    Include test requirements for business lines, as necessary, in the business continuity testing policy. CC ID 13238 Establish/Maintain Documentation Preventive
    Include test requirements for the business continuity function in the business continuity testing policy. CC ID 13237 Establish/Maintain Documentation Preventive
    Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy. CC ID 13257 Establish/Maintain Documentation Preventive
    Include data recovery in the business continuity testing strategy. CC ID 13262 Establish/Maintain Documentation Preventive
    Include testing critical applications in the business continuity testing strategy. CC ID 13261 Establish/Maintain Documentation Preventive
    Include testing peak transaction volumes from alternate facilities in the business continuity testing strategy. CC ID 13265 Testing Detective
    Include reconciling transaction data in the business continuity testing strategy. CC ID 13260 Establish/Maintain Documentation Preventive
    Include addressing telecommunications circuit diversity in the business continuity testing strategy. CC ID 13252 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a continuity framework. CC ID 00732 Establish/Maintain Documentation Preventive
    Establish and maintain the scope of the continuity framework. CC ID 11908
    [Assess whether management does the following: Addresses resilience in operations to prevent data loss, protect sensitive customer information from unauthorized disclosure or manipulation, minimize disruption to service delivery, and prevent the loss of situational awareness of the entity's operations. Evaluate whether this operational resilience includes having: App A Objective 8:2f]
    Establish/Maintain Documentation Preventive
    Identify all stakeholders critical to the continuity of operations. CC ID 12741 Systems Continuity Detective
    Include network security in the scope of the continuity framework. CC ID 16327 Establish/Maintain Documentation Preventive
    Explain any exclusions to the scope of the continuity framework. CC ID 12236 Establish/Maintain Documentation Preventive
    Refrain from including exclusions that could affect business continuity. CC ID 12740 Records Management Preventive
    Include the organization's business products and services in the scope of the continuity framework. CC ID 12235 Establish/Maintain Documentation Preventive
    Include business units in the scope of the continuity framework. CC ID 11898 Establish/Maintain Documentation Preventive
    Include business functions in the scope of the continuity framework. CC ID 12699
    [Evaluate whether management integrates the entity's AIO functions into the entity's BCM program to mitigate threats, respond to and recover from disruptions, and incorporate lessons learned to strengthen the entity's resilience. App A Objective 8:1]
    Establish/Maintain Documentation Preventive
    Include information security continuity in the scope of the continuity framework. CC ID 12009
    [Assess whether management does the following: Addresses resilience in operations to prevent data loss, protect sensitive customer information from unauthorized disclosure or manipulation, minimize disruption to service delivery, and prevent the loss of situational awareness of the entity's operations. Evaluate whether this operational resilience includes having: App A Objective 8:2f]
    Systems Continuity Preventive
    Include affected party’s needs and interests in the scope of the continuity framework. CC ID 12698 Systems Continuity Preventive
    Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework. CC ID 12242 Establish/Maintain Documentation Preventive
    Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework. CC ID 11907 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a shelter in place plan. CC ID 16260 Establish/Maintain Documentation Preventive
    Designate safe rooms in the shelter in place plan. CC ID 16276 Establish/Maintain Documentation Preventive
    Include Quality Management in the continuity framework. CC ID 12239 Establish/Maintain Documentation Preventive
    Establish and maintain a system continuity plan philosophy. CC ID 00734 Establish/Maintain Documentation Preventive
    Define the executive vision of the continuity planning process. CC ID 01243 Establish/Maintain Documentation Preventive
    Include a pandemic plan in the continuity plan. CC ID 06800 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain continuity roles and responsibilities. CC ID 00733 Establish Roles Preventive
    Coordinate continuity planning with other business units responsible for related plans. CC ID 01386 Systems Continuity Preventive
    Include continuity wrap-up procedures and continuity normalization procedures during continuity planning. CC ID 00761 Establish/Maintain Documentation Preventive
    Re-accredit the continuity procedures after an emergency occurs. CC ID 01246 Systems Continuity Corrective
    Monitor disaster forecasting organizations for when disaster events are discovered. CC ID 06373 Monitor and Evaluate Occurrences Detective
    Disseminate and communicate information regarding disaster relief resources to interested personnel and affected parties. CC ID 16573 Communicate Preventive
    Evaluate all possible continuity risks and impacts as a part of the continuity framework. CC ID 06374 Systems Continuity Detective
    Assess risks related to fault tolerance and redundancy of critical assets. CC ID 13053 Systems Continuity Preventive
    Establish, implement, and maintain a continuity plan. CC ID 00752 Establish/Maintain Documentation Preventive
    Report changes in the continuity plan to senior management. CC ID 12757 Communicate Corrective
    Activate the continuity plan if the damage assessment report indicates the activation criterion has been met. CC ID 01373 Systems Continuity Corrective
    Identify all stakeholders in the continuity plan. CC ID 13256 Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties upon activation of the continuity plan. CC ID 16777 Communicate Preventive
    Maintain normal security levels when an emergency occurs. CC ID 06377 Systems Continuity Preventive
    Execute fail-safe procedures when an emergency occurs. CC ID 07108 Systems Continuity Preventive
    Lead or manage business continuity and system continuity, as necessary. CC ID 12240 Human Resources Management Preventive
    Include a business continuity testing policy in the continuity plan, as necessary. CC ID 13234 Establish/Maintain Documentation Preventive
    Allocate financial resources to implement the continuity plan, as necessary. CC ID 12993 Establish/Maintain Documentation Preventive
    Allocate personnel to implement the continuity plan, as necessary. CC ID 12992 Human Resources Management Preventive
    Include the in scope system's location in the continuity plan. CC ID 16246 Systems Continuity Preventive
    Include the system description in the continuity plan. CC ID 16241 Systems Continuity Preventive
    Establish, implement, and maintain redundant systems. CC ID 16354 Configuration Preventive
    Refrain from adopting impromptu measures when continuity procedures exist. CC ID 13093 Behavior Preventive
    Include identification procedures in the continuity plan, as necessary. CC ID 14372 Establish/Maintain Documentation Preventive
    Include the continuity strategy in the continuity plan. CC ID 13189 Establish/Maintain Documentation Preventive
    Restore systems and environments to be operational. CC ID 13476 Systems Continuity Corrective
    Include roles and responsibilities in the continuity plan, as necessary. CC ID 13254 Establish/Maintain Documentation Preventive
    Document and use the lessons learned to update the continuity plan. CC ID 10037
    [Evaluate whether management integrates the entity's AIO functions into the entity's BCM program to mitigate threats, respond to and recover from disruptions, and incorporate lessons learned to strengthen the entity's resilience. App A Objective 8:1]
    Establish/Maintain Documentation Preventive
    Implement alternate security mechanisms when the means of implementing the security function is unavailable. CC ID 10605 Technical Security Preventive
    Monitor and evaluate business continuity management system performance. CC ID 12410
    [Evaluate whether the following activities are performed: The board regularly monitors strategy, security, and resilience activities. App A Objective 2:13b
    Evaluate whether this operational resilience includes having: Ongoing monitoring and evaluation capabilities (e.g., monitoring for indicators of an APT). App A Objective 8:2f Bullet 4]
    Monitor and Evaluate Occurrences Detective
    Coordinate continuity planning with governmental entities, as necessary. CC ID 13258 Process or Activity Preventive
    Record business continuity management system performance for posterity. CC ID 12411 Monitor and Evaluate Occurrences Preventive
    Coordinate continuity planning with community organizations, as necessary. CC ID 13259 Process or Activity Preventive
    Coordinate and incorporate supply chain members' continuity plans, as necessary. CC ID 13242 Establish/Maintain Documentation Preventive
    Include incident management procedures in the continuity plan. CC ID 13244
    [Evaluate whether management integrates the entity's AIO functions into the entity's BCM program to mitigate threats, respond to and recover from disruptions, and incorporate lessons learned to strengthen the entity's resilience. App A Objective 8:1]
    Establish/Maintain Documentation Preventive
    Include the use of virtual meeting tools in the continuity plan. CC ID 14390 Establish/Maintain Documentation Preventive
    Include scenario analyses of various contingency scenarios in the continuity plan. CC ID 13057 Establish/Maintain Documentation Preventive
    Include the annual statement based on the continuity plan review in the continuity plan. CC ID 12775 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of the organization's legal counsel in the continuity plan. CC ID 16233 Establish Roles Preventive
    Establish, implement, and maintain the continuity procedures. CC ID 14236 Establish/Maintain Documentation Corrective
    Disseminate and communicate the continuity procedures to interested personnel and affected parties. CC ID 14055 Communicate Preventive
    Document the uninterrupted power requirements for all in scope systems. CC ID 06707
    [Review the effectiveness of management's mitigation of the risks associated with the following: Power issues mitigation, including: Appropriate power configurations based on the entity's power needs. App A Objective 13:9d Bullet 3]
    Establish/Maintain Documentation Preventive
    Install an Uninterruptible Power Supply sized to support all critical systems. CC ID 00725
    [Review the effectiveness of management's mitigation of the risks associated with the following: Power issues mitigation, including: Use of independent electrical feeds drawing from separate power grids and automatic fail-over to a live power source, where multiple feeds or backup power generators are used. App A Objective 13:9d Bullet 4]
    Configuration Preventive
    Install a generator sized to support the facility. CC ID 06709
[{be independent} Review the effectiveness of management's mitigation of the risks associated with the following: Power issues mitigation, including: Use of alternative power sources independent of local power grids. App A Objective 13:9d Bullet 7]
    Configuration Preventive
    Establish, implement, and maintain a fuel supply large enough to support the generators during an emergency. CC ID 06376 Acquisition/Sale of Assets or Services Preventive
    Document all supporting information in the continuity plan, such as purpose, scope, and requirements. CC ID 01371 Establish/Maintain Documentation Preventive
    Include notifications to alternate facilities in the continuity plan. CC ID 13220 Establish/Maintain Documentation Preventive
    Approve the continuity plan requirements before documenting the continuity plan. CC ID 12778 Systems Continuity Preventive
    Document the concept of operations in the continuity plan, including a line of succession. CC ID 01372 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain the organization's call tree. CC ID 01167 Testing Detective
    Establish, implement, and maintain damage assessment procedures. CC ID 01267 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a recovery plan. CC ID 13288
[{be secure} Additionally, determine whether management does the following: Maintains standard images of the entity's servers and stores them securely. Uses clean (i.e., trusted) images to restore the server if a server needs to be rebuilt and documents, reviews, and approves deviations from the standard image. App A Objective 13:3g
    Evaluate whether business line management is consulted to assist in data classification, recovery standards development, and appropriate control validation. App A Objective 3:3
    Evaluate whether management integrates the entity's AIO functions into the entity's BCM program to mitigate threats, respond to and recover from disruptions, and incorporate lessons learned to strengthen the entity's resilience. App A Objective 8:1
    As part of its backup and replication processes, determine whether management maintains the following: Capability to restore operations to a previous trusted state. App A Objective 15:4a Bullet 6
    Examiners should review for the following: Appropriate preventive maintenance or operational restoration processes for equipment within the facilities that support the entity's business objectives. VI.B Action Summary ¶ 2 Bullet 1]
    Establish/Maintain Documentation Preventive
    Notify interested personnel and affected parties of updates to the recovery plan. CC ID 13302 Communicate Preventive
    Include procedures to restore network connectivity in the recovery plan. CC ID 16250 Establish/Maintain Documentation Preventive
    Include addressing backup failures in the recovery plan. CC ID 13298 Establish/Maintain Documentation Preventive
    Include procedures to verify completion of the data backup procedure in the recovery plan. CC ID 13297 Establish/Maintain Documentation Preventive
    Include the roles and responsibilities of responders in the recovery plan. CC ID 13296 Human Resources Management Preventive
    Include the procedures for the storage of information necessary to recover functionality in the recovery plan. CC ID 13295 Establish/Maintain Documentation Preventive
    Include the backup procedures for information necessary to recover functionality in the recovery plan. CC ID 13294 Establish/Maintain Documentation Preventive
    Include the criteria for activation in the recovery plan. CC ID 13293 Establish/Maintain Documentation Preventive
    Include escalation procedures in the recovery plan. CC ID 16248 Establish/Maintain Documentation Preventive
    Include procedures to preserve data before beginning the recovery process in the recovery plan. CC ID 13292 Establish/Maintain Documentation Preventive
    Determine the cause for the activation of the recovery plan. CC ID 13291 Investigate Detective
    Test the recovery plan, as necessary. CC ID 13290 Testing Detective
    Test the backup information, as necessary. CC ID 13303 Testing Detective
    Document lessons learned from testing the recovery plan or an actual event. CC ID 13301 Establish/Maintain Documentation Detective
    Disseminate and communicate the recovery plan to interested personnel and affected parties. CC ID 14859 Communicate Preventive
    Include restoration procedures in the continuity plan. CC ID 01169
[Determine whether management has effective database management, including the following: Has appropriate staff (e.g., DBAs) that is familiar with procedures to protect sensitive information, restores normal operations, and notifies the information security officer when necessary. App A Objective 3:6h Bullet 5]
    Establish Roles Preventive
    Include risk prioritized recovery procedures for each business unit in the recovery plan. CC ID 01166 Establish/Maintain Documentation Preventive
    Include the recovery plan in the continuity plan. CC ID 01377 Establish/Maintain Documentation Preventive
    Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties. CC ID 12758 Communicate Preventive
    Disseminate and communicate business functions across multiple facilities separated by geographic separation. CC ID 10662 Systems Continuity Preventive
    Disseminate and communicate processing activities across multiple facilities using geographic separation. CC ID 10663 Systems Continuity Preventive
    Disseminate and communicate electronic media storage devices across multiple facilities using geographic separation. CC ID 10664 Systems Continuity Preventive
    Use out-of-band channels for the physical delivery or electronic transmission of information, as necessary. CC ID 10665 Systems Continuity Corrective
    Establish, implement, and maintain organizational facility continuity plans. CC ID 02224 Establish/Maintain Documentation Preventive
    Identify telecommunication facilities critical to the continuity of operations. CC ID 12732
    [Additionally, determine whether management does the following: Understands the limitations of the entity's third-party telecommunications providers' infrastructure. App A Objective 13:3b]
    Systems Continuity Detective
    Install and maintain redundant telecommunication feeds for critical assets. CC ID 00726
    [Additionally, determine whether management does the following: Implements appropriate redundancy capabilities for the entity's telecommunications infrastructure. App A Objective 13:3a
    Additionally, determine whether management does the following: Implements redundant telecommunications services and establishes work-around procedures for situations where needed. App A Objective 13:3q
    {server redundancy} Determine whether the entity's IT infrastructure implementation includes considerations for server and data redundancy and resilience of telecommunications lines. App A Objective 13:1
    Additionally, determine whether management does the following: Designs and builds telecommunications infrastructure components for resilience (e.g., implement route diversity), including selecting infrastructure components and telecommunications providers that help avoid a single point of failure. App A Objective 13:3m]
    Configuration Preventive
    Install and maintain redundant power supplies for critical facilities. CC ID 06355
    [Review the effectiveness of management's mitigation of the risks associated with the following: Power issues mitigation, including: Consideration of long-term alternate power supply to provide operational capability during extended power outages. App A Objective 13:9d Bullet 2
    Review the effectiveness of management's mitigation of the risks associated with the following: Power issues mitigation, including: Use of independent electrical feeds drawing from separate power grids and automatic fail-over to a live power source, where multiple feeds or backup power generators are used. App A Objective 13:9d Bullet 4]
    Configuration Preventive
    Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches. CC ID 01439 Physical and Environmental Protection Preventive
    Install and maintain dedicated power lines to critical facilities. CC ID 06357
    [Review the effectiveness of management's mitigation of the risks associated with the following: Smoke and fire mitigation strategies, including: Devices and systems for smoke detection, fire suppression, and fire detection supported by an independent energy source. App A Objective 13:9b Bullet 3]
    Physical and Environmental Protection Preventive
    Run primary power lines and secondary power lines via diverse path feeds to organizational facilities, as necessary. CC ID 06696 Configuration Preventive
    Install electro-magnetic shielding around all electrical cabling. CC ID 06358 Physical and Environmental Protection Preventive
    Install electrical grounding equipment. CC ID 06359 Physical and Environmental Protection Preventive
    Implement redundancy in life-safety systems. CC ID 02228 Physical and Environmental Protection Preventive
    Include bomb threat procedures and bomb procedures in the organizational facility continuity plan. CC ID 02229 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain system continuity plan strategies. CC ID 00735
    [Assess whether management does the following: Uses infrastructure that supports varying levels of resilience depending on the criticality of the systems and software to ongoing business operations. App A Objective 8:2d
    Regardless of entity size, determine whether management incorporated the following: Evaluation of approaches to implement and build security and resilience throughout its architecture. App A Objective 12:6a
    Regardless of entity size, determine whether management incorporated the following: Analysis of the functionality, including security and resilience, of legacy systems and identification of gaps. App A Objective 12:6b
    Determine whether management designs, implements, and operates its IT systems and processes to provide resilience for critical business activities. Assess whether management does the following: App A Objective 8:2]
    Establish/Maintain Documentation Preventive
    Include emergency operating procedures in the continuity plan. CC ID 11694 Establish/Maintain Documentation Preventive
    Include a system acquisition process for critical systems in the emergency mode operation plan. CC ID 01369 Establish/Maintain Documentation Preventive
    Define and prioritize critical business functions. CC ID 00736 Establish/Maintain Documentation Detective
    Review and prioritize the importance of each business unit. CC ID 01165 Systems Continuity Preventive
    Review and prioritize the importance of each business process. CC ID 11689 Establish/Maintain Documentation Preventive
    Document the mean time to failure for system components. CC ID 10684 Systems Continuity Preventive
    Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities. CC ID 12759 Audits and Risk Management Preventive
    Establish, implement, and maintain Recovery Time Objectives for all in scope services. CC ID 12241 Systems Continuity Preventive
    Establish, implement, and maintain Recovery Point Objectives for all in scope systems. CC ID 15719 Systems Continuity Preventive
    Reconfigure restored systems to meet the Recovery Point Objectives. CC ID 01256 Configuration Corrective
    Establish, implement, and maintain Recovery Time Objectives for all in scope systems. CC ID 11688 Establish/Maintain Documentation Preventive
    Reconfigure restored systems to meet the Recovery Time Objectives. CC ID 11693 Process or Activity Corrective
    Define and prioritize critical business records. CC ID 11687 Establish/Maintain Documentation Preventive
    Identify all critical business records. CC ID 00737 Records Management Detective
    Include the protection of personnel in the continuity plan. CC ID 06378 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a critical personnel list. CC ID 00739 Establish/Maintain Documentation Detective
    Identify alternate personnel for each person on the critical personnel list. CC ID 12771 Human Resources Management Preventive
    Define the triggering events for when to activate the pandemic plan. CC ID 06801 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a critical third party list. CC ID 06815 Establish/Maintain Documentation Preventive
    Disseminate and communicate critical third party dependencies to interested personnel and affected parties. CC ID 06816 Behavior Preventive
    Establish, implement, and maintain a critical resource list. CC ID 00740 Establish/Maintain Documentation Detective
    Define and maintain continuity Service Level Agreements for all critical resources. CC ID 00741
    [Assess whether management does the following: Addresses resilience in operations to prevent data loss, protect sensitive customer information from unauthorized disclosure or manipulation, minimize disruption to service delivery, and prevent the loss of situational awareness of the entity's operations. Evaluate whether this operational resilience includes having: App A Objective 8:2f
    Evaluate whether this operational resilience includes having: Service delivery and support processes (e.g., resilience in supply chain). App A Objective 8:2f Bullet 3]
    Establish/Maintain Documentation Preventive
    Establish and maintain a core supply inventory required to support critical business functions. CC ID 04890 Establish/Maintain Documentation Preventive
    Include workstation continuity procedures in the continuity plan. CC ID 01378 Establish/Maintain Documentation Preventive
    Include server continuity procedures in the continuity plan. CC ID 01379 Establish/Maintain Documentation Preventive
    Include website continuity procedures in the continuity plan. CC ID 01380 Establish/Maintain Documentation Preventive
    Post all required information on organizational websites and ensure all hyperlinks are working. CC ID 04579 Data and Information Management Preventive
    Include near-line capabilities in the continuity plan. CC ID 01383 Establish/Maintain Documentation Preventive
    Include online capabilities in the continuity plan. CC ID 11690 Establish/Maintain Documentation Preventive
    Include mainframe continuity procedures in the continuity plan. CC ID 01382 Establish/Maintain Documentation Preventive
    Include telecommunications continuity procedures in the continuity plan. CC ID 11691
    [Additionally, determine whether management does the following: Implements redundant telecommunications services and establishes work-around procedures for situations where needed. App A Objective 13:3q]
    Establish/Maintain Documentation Preventive
    Include system continuity procedures in the continuity plan. CC ID 01268
    [Evaluate whether this operational resilience includes having: Operational processes (e.g., vulnerability and patch management). App A Objective 8:2f Bullet 2]
    Establish/Maintain Documentation Preventive
    Include Internet Service Provider continuity procedures in the continuity plan. CC ID 00743 Establish/Maintain Documentation Detective
    Include Local Area Network continuity procedures in the continuity plan. CC ID 01381 Establish/Maintain Documentation Preventive
    Include Wide Area Network continuity procedures in the continuity plan. CC ID 01294 Establish/Maintain Documentation Preventive
    Include priority-of-service provisions in the telecommunications Service Level Agreements. CC ID 01396 Establish/Maintain Documentation Preventive
    Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers. CC ID 01397
    [Additionally, determine whether management does the following: Designs and builds telecommunications infrastructure components for resilience (e.g., implement route diversity), including selecting infrastructure components and telecommunications providers that help avoid a single point of failure. App A Objective 13:3m]
    Testing Detective
    Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards. CC ID 01399 Testing Detective
    Require telecommunications service providers to have adequate continuity plans. CC ID 01400 Testing Detective
    Include emergency power continuity procedures in the continuity plan. CC ID 01254 Establish/Maintain Documentation Preventive
    Include evacuation procedures in the continuity plan. CC ID 12773 Systems Continuity Preventive
    Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan. CC ID 01374 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain at-risk structure removal or relocation procedures. CC ID 01247 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain physical hazard segregation or removal procedures. CC ID 01248 Physical and Environmental Protection Corrective
    Designate an alternate facility in the continuity plan. CC ID 00742
    [{server redundancy} Determine whether the entity's IT infrastructure implementation includes considerations for server and data redundancy and resilience of telecommunications lines. App A Objective 13:1]
    Establish/Maintain Documentation Detective
    Separate the alternate facility from the primary facility through geographic separation. CC ID 01394 Physical and Environmental Protection Preventive
    Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs. CC ID 01391 Establish/Maintain Documentation Preventive
    Include technical preparation considerations for backup operations in the continuity plan. CC ID 01250 Establish/Maintain Documentation Preventive
    Include a backup rotation scheme in the backup policy. CC ID 16219 Establish/Maintain Documentation Preventive
    Include naming conventions in the backup policy. CC ID 16218 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain backup procedures for in scope systems. CC ID 01258
    [Examiners should review for the following: Backup and replication processes that facilitate recovery. VI.B Action Summary ¶ 2 Bullet 4
    With respect to design objectives, determine whether management does the following: Evaluates its needs and considers: Storage, backup, and capacity needs to accommodate the entity's strategic plans. App A Objective 12:4b Bullet 5
{physical control} Additionally, determine whether management does the following: Implements physical and logical controls in the VoIP environment, evaluates options for backup systems, and considers control solutions specific to VoIP, such as VoIP-ready firewalls. App A Objective 13:3o
    This examination procedure may be coordinated with the examination procedures in the "Business Continuity Management" and "Information Security" booklets. Determine whether management implements backup methods, including replication, based on the risk and criticality of the systems and data. App A Objective 15:4
    As part of its backup and replication processes, determine whether management maintains the following: Policies, standards, and procedures. App A Objective 15:4a Bullet 1
    As part of its backup and replication processes, determine whether management maintains the following: VM versioning, replication, and life cycle policies for backup processes. App A Objective 15:4a Bullet 8]
    Systems Continuity Preventive
    Determine which data elements to back up. CC ID 13483 Data and Information Management Detective
    Document the backup method and backup frequency on a case-by-case basis in the backup procedures. CC ID 01384
    [As part of its backup and replication processes, determine whether management maintains the following: Procedures to verify adherence to backup schedules. App A Objective 15:4a Bullet 4]
    Systems Continuity Preventive
    Establish and maintain off-site electronic media storage facilities. CC ID 00957 Physical and Environmental Protection Preventive
    Separate the off-site electronic media storage facilities from the primary facility through geographic separation. CC ID 01390 Testing Detective
    Configure the off-site electronic media storage facilities to utilize timely and effective recovery operations. CC ID 01392 Configuration Preventive
    Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur. CC ID 01393 Establish/Maintain Documentation Preventive
    Review the security of the off-site electronic media storage facilities, as necessary. CC ID 00573 Systems Continuity Detective
    Store backup media at an off-site electronic media storage facility. CC ID 01332
    [{offsite backup} As part of its backup and replication processes, determine whether management maintains the following: Backups of configurations and data off-site and on a separate system or media. App A Objective 15:4a Bullet 7]
    Data and Information Management Preventive
    Transport backup media in lockable electronic media storage containers. CC ID 01264 Data and Information Management Preventive
    Store backup media in a fire-rated container which is not collocated with the operational system. CC ID 14289 Systems Continuity Preventive
    Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility. CC ID 01257 Data and Information Management Preventive
    Store backup vital records in a manner that is accessible for emergency retrieval. CC ID 12765 Systems Continuity Preventive
    Establish, implement, and maintain security controls to protect offsite data. CC ID 16259 Data and Information Management Preventive
    Perform backup procedures for in scope systems. CC ID 11692 Process or Activity Preventive
    Perform full backups in accordance with organizational standards. CC ID 16376 Data and Information Management Preventive
    Perform incremental backups in accordance with organizational standards. CC ID 16375 Data and Information Management Preventive
    Back up all records. CC ID 11974 Systems Continuity Preventive
    Use virtual machine snapshots for full backups and changed block tracking (CBT) for incremental backups. CC ID 16374 Data and Information Management Preventive
    Document the Recovery Point Objective for triggering backup operations and restoration operations. CC ID 01259 Establish/Maintain Documentation Preventive
    Encrypt backup data. CC ID 00958
    [{backup data} As part of its backup and replication processes, determine whether management maintains the following: Data encryption and access controls to protect backup or replicated data from unauthorized access, destruction, or corruption. App A Objective 15:4a Bullet 9]
    Configuration Preventive
    Log the execution of each backup. CC ID 00956 Establish/Maintain Documentation Preventive
    Test backup media for media integrity and information integrity, as necessary. CC ID 01401
    [As part of its backup and replication processes, determine whether management maintains the following: Processes to regularly test backup copies for readability. App A Objective 15:4a Bullet 5
    As part of its backup and replication processes, determine whether management maintains the following: Documented periodic physical reviews to confirm that all relevant backup material is available. App A Objective 15:4a Bullet 3]
    Testing Detective
    Test backup media at the alternate facility in addition to testing at the primary facility. CC ID 06375 Testing Detective
    Test each restored system for media integrity and information integrity. CC ID 01920 Testing Detective
    Include stakeholders when testing restored systems, as necessary. CC ID 13066 Testing Corrective
    Digitally sign disk images, as necessary. CC ID 06814 Establish/Maintain Documentation Preventive
    Include emergency communications procedures in the continuity plan. CC ID 00750 Establish/Maintain Documentation Preventive
    Include managing multiple responding organizations in the emergency communications procedure. CC ID 01249 Establish/Maintain Documentation Preventive
    Expedite emergency communications' fiscal decisions in accordance with accounting principles. CC ID 01266 Systems Continuity Preventive
    Maintain contact information for key third parties in a readily accessible manner. CC ID 12764 Establish/Maintain Documentation Preventive
    Log important conversations conducted during emergencies with third parties. CC ID 12763 Log Management Preventive
    Identify the appropriate staff to route external communications to in the emergency communications procedures. CC ID 12762 Communicate Preventive
    Identify who can speak to the media in the emergency communications procedures. CC ID 12761 Communicate Corrective
    Use available financial resources for the efficaciousness of the service continuity strategy. CC ID 01370 Testing Detective
    Include the ability to obtain additional liquidity in the continuity plan. CC ID 12770 Acquisition/Sale of Assets or Services Preventive
    Minimize system continuity requirements. CC ID 00753 Establish/Maintain Documentation Preventive
    Include purchasing insurance in the continuity plan. CC ID 00762 Establish/Maintain Documentation Preventive
    Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography. CC ID 06682 Acquisition/Sale of Assets or Services Preventive
    Obtain an insurance policy to cover business products and services delivered to clients. CC ID 06683 Acquisition/Sale of Assets or Services Preventive
    Review the insurance coverage of the insurance policy, as necessary. CC ID 12688 Business Processes Detective
    Review the beneficiaries of the insurance policy. CC ID 16563 Business Processes Detective
    Determine the adequacy of errors and omissions insurance in the organization's insurance policy. CC ID 13281 Establish/Maintain Documentation Detective
    Determine the adequacy of insurance coverage for items in transit in the organization's insurance policy. CC ID 13283 Establish/Maintain Documentation Detective
    Determine the adequacy of insurance coverage for employee fidelity in the organization's insurance policy. CC ID 13282 Establish/Maintain Documentation Detective
    Determine the adequacy of insurance coverage for assets in the organization's insurance policy. CC ID 14827 Establish/Maintain Documentation Preventive
    Determine the adequacy of insurance coverage for Information Technology assets in the organization's insurance policy. CC ID 13279 Establish/Maintain Documentation Preventive
    Determine the adequacy of insurance coverage for facilities in the organization's insurance policy. CC ID 13280 Establish/Maintain Documentation Preventive
    Determine the adequacy of insurance coverage for printed records in the organization's insurance policy. CC ID 13278 Establish/Maintain Documentation Preventive
    Determine the adequacy of media reconstruction in the organization's insurance policy. CC ID 13277 Establish/Maintain Documentation Detective
    Validate information security continuity controls regularly. CC ID 12008 Systems Continuity Preventive
    Disseminate and communicate the continuity plan to interested personnel and affected parties. CC ID 00760 Establish/Maintain Documentation Preventive
    Store an up-to-date copy of the continuity plan at the alternate facility. CC ID 01171 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a business continuity plan testing program. CC ID 14829
    [With respect to specific software types, determine whether management does the following: For system auditing software: Uses the software to assist in the identification of gaps in infrastructure security and resilience. App A Objective 13:6f Bullet 2]
    Testing Preventive
    Establish, implement, and maintain a continuity test plan. CC ID 04896 Establish/Maintain Documentation Preventive
    Include success criteria for testing the plan in the continuity test plan. CC ID 14877 Establish/Maintain Documentation Preventive
    Include recovery procedures in the continuity test plan. CC ID 14876 Establish/Maintain Documentation Preventive
    Include test scripts in the continuity test plan. CC ID 14875 Establish/Maintain Documentation Preventive
    Include test objectives and scope of testing in the continuity test plan. CC ID 14874 Establish/Maintain Documentation Preventive
    Include escalation procedures in the continuity test plan, as necessary. CC ID 14400 Establish/Maintain Documentation Preventive
    Include the succession plan in the continuity test plan, as necessary. CC ID 14401 Establish/Maintain Documentation Preventive
    Include contact information in the continuity test plan. CC ID 14399 Establish/Maintain Documentation Preventive
    Include testing all system components in the continuity test plan. CC ID 13508 Establish/Maintain Documentation Preventive
    Include test scenarios in the continuity test plan. CC ID 13506 Establish/Maintain Documentation Preventive
    Include test dates or test frequency in the continuity test plan, as necessary. CC ID 13243 Establish/Maintain Documentation Preventive
    Test the continuity plan, as necessary. CC ID 00755 Testing Detective
    Include coverage of all major components in the scope of testing the continuity plan. CC ID 12767 Testing Preventive
    Include third party recovery services in the scope of testing the continuity plan. CC ID 12766 Testing Preventive
    Validate the emergency communications procedures during continuity plan tests. CC ID 12777 Testing Preventive
    Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan. CC ID 12769 Testing Preventive
    Involve senior management, as necessary, when testing the continuity plan. CC ID 13793 Testing Detective
    Test the continuity plan under conditions that simulate a disaster or disruption. CC ID 00757 Testing Detective
    Analyze system interdependence during continuity plan tests. CC ID 13082
    [Implementation of entity processes to plan for and manage events, incidents, and problems, including: Conducting testing to identify interdependencies. App A Objective 16:4a Bullet 2]
    Testing Detective
    Validate the evacuation plans during continuity plan tests. CC ID 12760 Testing Preventive
    Test the continuity plan at the alternate facility. CC ID 01174 Testing Detective
    Include predefined goals and realistic conditions during off-site testing. CC ID 01175 Establish/Maintain Documentation Preventive
    Coordinate testing the continuity plan with all applicable business units and critical business functions. CC ID 01388 Testing Preventive
    Review all third party's continuity plan test results. CC ID 01365 Testing Detective
    Automate the off-site testing to more thoroughly test the continuity plan. CC ID 01389 Testing Detective
    Document the continuity plan test results and provide them to interested personnel and affected parties. CC ID 06548 Actionable Reports or Measurements Preventive
    Approve the continuity plan test results. CC ID 15718 Systems Continuity Preventive
    Retest the continuity plan after correcting reported deficiencies documented in the continuity plan test results. CC ID 06553 Testing Detective
    Conduct full recovery and restoration of service testing for high impact systems at the alternate facility. CC ID 01404 Testing Detective
    Conduct external audits of the Business Continuity Plan testing program. CC ID 13216 Testing Detective
  • Operational management
    KEY:    Primary Verb     Primary Noun     Secondary Verb     Secondary Noun     Limiting Term
    Mandated - bold    Implied - italic    Implementation - regular TYPE CLASS
    Operational management CC ID 00805 IT Impact Zone IT Impact Zone
    Establish, implement, and maintain a capacity management plan. CC ID 11751
    [Examiners should review for the following: Capacity management processes that support the entity's current and future strategic objectives. VI.B Action Summary ¶ 2 Bullet 6
    With respect to design objectives, determine whether management does the following: Evaluates its needs and considers: Storage, backup, and capacity needs to accommodate the entity's strategic plans. App A Objective 12:4b Bullet 5
    If an entity provides IT services internally or externally as a third-party service provider, determine whether management considers the following in the IT strategic planning process: Demand management, which balances customer demand for services with the capacity to meet that demand. App A Objective 2:7d
    Evaluate the effectiveness of the assignment of the following responsibilities: Operations-related responsibilities: Management of the capacity, performance, and availability of the components used in an entity's infrastructure. App A Objective 2:9c Bullet 2
    {be adequate} With respect to specific software types, determine whether management does the following: For core processing software: Selects core processing software with adequate capacity. App A Objective 13:6b Bullet 3
    {be sufficient} {be appropriate} Determine whether management has effective database management, including the following: Ensures databases are appropriately located and structured, have sufficient capacity, and are resilient. App A Objective 3:6d
    Evaluate whether management has a process to determine appropriate deployment environments (e.g., in-house or serviced, virtualization and cloud, or hybrid) as part of the design process. Determine whether the process includes the following considerations: Placement and selection of storage, design of network topology, availability of bandwidth, and need for management reporting systems, as well as implementation of monitoring tools. App A Objective 12:5d
    Determine whether management implements adequate capacity management processes. Additionally, evaluate whether the processes provide for the following: App A Objective 15:6]
    Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a capacity planning baseline. CC ID 13492 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain future system capacity forecasting methods. CC ID 01617
    [Determine whether management implements adequate capacity management processes. Additionally, evaluate whether the processes provide for the following: Meeting between IT management and business line management to determine future projects that may impact capacity needs. App A Objective 15:6h
    Determine whether management implements adequate capacity management processes. Additionally, evaluate whether the processes provide for the following: Analysis of capacity trends (e.g., increasing capacity usage) to understand capacity usage. App A Objective 15:6d]
    Business Processes Preventive
    Align critical Information Technology resource availability planning with capacity planning. CC ID 01618
    [Determine whether management implements adequate capacity management processes. Additionally, evaluate whether the processes provide for the following: Integration with the budgeting and strategic planning processes. App A Objective 15:6a]
    Business Processes Preventive
    Limit any effects of a Denial of Service attack. CC ID 06754
    [With respect to specific software types, determine whether management does the following: For core processing software: Chooses software that can support usage spikes, expected peak usage times, and future growth. App A Objective 13:6b Bullet 4]
    Technical Security Preventive
    Implement network redundancy, as necessary. CC ID 13048 Systems Continuity Preventive
    Forecast system workloads. CC ID 00938 Testing Detective
    Establish, implement, and maintain workload forecasting tools. CC ID 00936 Systems Design, Build, and Implementation Preventive
    Utilize resource capacity management controls. CC ID 00939 Testing Detective
    Perform system capacity testing. CC ID 01616
    [Determine whether management implements adequate capacity management processes. Additionally, evaluate whether the processes provide for the following: Routine assessment of capacity against baselines to ensure adequate performance in the following: App A Objective 15:6c
    Additionally, evaluate whether the processes provide for the following: Routine assessment of capacity against baselines to ensure adequate performance in the following: Additional data storage capacity. App A Objective 15:6c Bullet 3
    Additionally, evaluate whether the processes provide for the following: Routine assessment of capacity against baselines to ensure adequate performance in the following: Voice and data communication bandwidth. App A Objective 15:6c Bullet 4
    Determine whether management implements adequate capacity management processes. Additionally, evaluate whether the processes provide for the following: Verification through testing to ensure systems and software meet the entity's demands during periods of high volume. App A Objective 15:6g]
    Testing Detective
    Perform system performance reviews. CC ID 11866
    [Additionally, evaluate whether the processes provide for the following: Routine assessment of capacity against baselines to ensure adequate performance in the following: Platform processing speed. App A Objective 15:6c Bullet 1
    Additionally, evaluate whether the processes provide for the following: Routine assessment of capacity against baselines to ensure adequate performance in the following: Primary working memory for each platform's CPU. App A Objective 15:6c Bullet 2
    Determine whether management implements adequate capacity management processes. Additionally, evaluate whether the processes provide for the following: Evaluation of third-party service providers' performance in combination with internal performance to determine whether capacity can meet existing and future demands. App A Objective 15:6j]
    Testing Detective
    Follow the resource workload schedule. CC ID 00941 Business Processes Detective
    Manage cloud services. CC ID 13144
    [Assess whether management does the following: Avoids making assumptions on the resilience of the entity's systems simply because they are operating in the cloud. App A Objective 8:2g
    Assess whether management does the following: Identifies assets, applications, and services located in the cloud, if operating in the cloud. App A Objective 8:2h
    Determine whether management considers risks related to exchange files and implements effective mitigation, such as the following: Implementation of appropriate operational controls, such as: Consideration of solutions that provide visibility into cloud applications. App A Objective 11:1e Bullet 4
    Determine whether management implements appropriate IAM processes and does the following: Considers its implementation of cloud services and addresses the unique access control requirements for cloud environments, as appropriate. App A Objective 14:3c
    The vulnerability management program includes the following: Systems and software operating in the cloud for which the entity is responsible as well as those managed by the entity on its premises. App A Objective 15:3a Bullet 1
    Evaluate the following: If an entity has outsourcing arrangements in the cloud, determine whether management explores the use of tools designed for cloud computing. App A Objective 17:1e]
    Business Processes Preventive
    Refrain from implementing network elements in a public cloud. CC ID 16382 Technical Security Preventive
    Protect clients' hosted environments. CC ID 11862 Physical and Environmental Protection Preventive
    Notify cloud customers of the geographic locations of the cloud service organization and its assets. CC ID 13037 Communicate Preventive
    Establish, implement, and maintain cloud service agreements. CC ID 13157 Establish/Maintain Documentation Preventive
    Include the asset removal policy in the cloud service agreement. CC ID 13161 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain cloud management procedures. CC ID 13149 Technical Security Preventive
    Establish, implement, and maintain a migration process and/or strategy to transfer systems from one asset to another. CC ID 16384 Process or Activity Preventive
    Define and enforce the deployment requirements for applications and virtual network devices in a public cloud. CC ID 16383 Process or Activity Preventive
    Include cloud security requirements in the cloud management procedures. CC ID 16366 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a cloud service usage standard. CC ID 13143 Establish/Maintain Documentation Preventive
    Use strong data encryption when storing information within a cloud service. CC ID 16411 Technical Security Preventive
    Include the roles and responsibilities of cloud service users in the cloud service usage standard. CC ID 13984 Establish/Maintain Documentation Preventive
    Include information security requirements in the cloud service usage standard. CC ID 13148 Establish/Maintain Documentation Preventive
    Monitor managing cloud services. CC ID 13150 Monitor and Evaluate Occurrences Detective
    Disseminate and communicate documentation of pertinent monitoring capabilities to interested personnel and affected parties. CC ID 13159 Communicate Preventive
    Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties. CC ID 13147 Communicate Preventive
    Document the organization's business processes. CC ID 13035
    [{Information Technology environment} Determine whether management documents and maintains accurate representations (e.g., network diagrams, data flow diagrams, business process flow diagrams, and business process narratives) of the current IT and business environments and employs processes to update the representations. App A Objective 5:1
    Determine whether management defines the entity's authorization boundary(ies) and implements appropriate security controls according to the contents of the authorization boundary, including controls over the following: People and processes supporting the entity's missions and business functions. App A Objective 14:2e
    Considers the following as part of its service management planning: Services offered and SLA, OLA, or contractual provisions. App A Objective 16:1a Bullet 1
    {Information Technology environment} Management understands the documentation maintained to represent the entity's IT and business environment. (III.C, "IT and Business Environment Representations") App A Objective 5
    Examiners should review for the following: Effective planning processes for service management that consider services offered, SLAs and contractual provisions, known limitations, and metrics and measurements. VI.C Action Summary ¶ 2 Bullet 1]
    Establish/Maintain Documentation Detective
    Correlate business processes and applications. CC ID 16300 Business Processes Preventive
    Disseminate and communicate the business process documentation to interested personnel and affected parties. CC ID 13038 Communicate Preventive
    Establish, implement, and maintain a Governance, Risk, and Compliance framework. CC ID 01406
    [Determine whether management documents, implements, and maintains policies, standards, and procedures related to AIO that address the following: App A Objective 2:10
    Determine whether management documents, implements, and maintains policies, standards, and procedures related to AIO that address the following: Guidance to develop and maintain effective processes related to AIO. App A Objective 2:10e
    Evaluate the appropriateness of the following: Review of the entity's AIO functions and activities and management's ability to oversee and control AIO-related risks. App A Objective 2:11a
    Assess whether management performs the following: Establishes IT governance practices and security controls for shadow IT, including policies, standards, and procedures. App A Objective 4:5a
    {Information Technology infrastructure control program} Management should implement an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity's business objectives. Management should develop, document, and implement infrastructure control policies, standards, and procedures to safeguard facilities, technology, data, and personnel. IT infrastructure implementation practices should include redundancy and resilience for physical infrastructure elements and related products, services, and telecommunications. V Action Summary ¶ 1]
    Establish/Maintain Documentation Preventive
    Include enterprise architecture in the Governance, Risk, and Compliance framework. CC ID 13266
    [Validating through audits and other independent assessments that the following are comprehensive, meet enterprise-wide business and strategic plan objectives, and can assist in the identification of AIO-related risk. Architectural designs and integration across the entity. App A Objective 2:4a Bullet 1
    In larger or more complex entities, determine whether management considered using EA to align its architecture with the entity's strategic plans and business functions. Describe management's implementation of EA and use of architecture frameworks, if appropriate. Regardless of entity size, determine whether management incorporated the following: App A Objective 12:6
    {business objective} Determine whether the board and senior management evaluate whether the IT strategic plan aligns with the enterprise-wide business and strategic plan, as well as established priorities and whether the planning addresses the following: Evaluation of architecture, including the entity's current architecture and whether it meets enterprise-wide business and strategic plan objectives. App A Objective 2:5c]
    Establish/Maintain Documentation Preventive
    Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties. CC ID 06955
    [Evaluate whether the following activities are performed: Management reports to the board periodically on the status of AIO initiatives, progress, issues, and metrics. App A Objective 2:13a]
    Behavior Preventive
    Establish, implement, and maintain security requirements based on applicable regulations. CC ID 16283 Establish/Maintain Documentation Preventive
    Acquire resources necessary to support Governance, Risk, and Compliance. CC ID 12861 Acquisition/Sale of Assets or Services Preventive
    Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework. CC ID 12853 Establish/Maintain Documentation Preventive
    Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities. CC ID 12915
    [Determine whether management implemented a process to continuously manage technology to support operational needs and mitigate AIO-related risks. Determine whether the entity's risk management processes include the following governance mechanisms: App A Objective 2:1
    An effective risk management process for initiating and overseeing all AIO-related activities, including those that are outsourced, that includes: Infrastructure that supports the entity's strategic objectives. App A Objective 2:8b Bullet 3
    Management implements an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity's business objectives. (V, "Infrastructure") App A Objective 13
    Management promotes and provides effective governance of AIO functions through defined responsibilities, accountability, and adequate resources to support these functions. (II, "Architecture, Infrastructure, and Operations Governance") App A Objective 2]
    Process or Activity Preventive
    Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities. CC ID 12895
    [Evaluate the effectiveness of the assignment of the following responsibilities: Architecture-related responsibilities: Review of the centralization processes for the IT functions and understanding of interrelationships between the entity's IT and business functions. App A Objective 2:9a Bullet 1
    As part of the evaluation of question 5, determine whether management does the following: Evaluates whether past and current IT performance demonstrates an ability to support IT strategic plans. App A Objective 2:6a
    {business objective} Evaluate the effectiveness of the assignment of the following responsibilities: Data-related responsibilities: Analysis of whether the entity's products and services meet enterprise-wide business and strategic plan objectives from a data perspective. App A Objective 2:9b Bullet 5
    With respect to specific software types, determine whether management does the following: For productivity software: Considers the use of it to enable personnel to perform their job functions. App A Objective 13:6c Bullet 1
    Evaluate the effectiveness of the assignment of the following responsibilities: Architecture-related responsibilities: Maintenance of representations (e.g., blueprints, network diagrams, and topologies) of the IT environment, review of existing infrastructure and operations to determine IT systems capabilities and needs. App A Objective 2:9a Bullet 5]
    Process or Activity Preventive
    Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives. CC ID 12809 Audits and Risk Management Preventive
    Assign accountability for maintaining the Governance, Risk, and Compliance framework. CC ID 12523
    [Determine whether management documents, implements, and maintains policies, standards, and procedures related to AIO that address the following: Accountability. App A Objective 2:10c
    Management promotes and provides effective governance of AIO functions through defined responsibilities, accountability, and adequate resources to support these functions. (II, "Architecture, Infrastructure, and Operations Governance") App A Objective 2]
    Human Resources Management Preventive
    Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework. CC ID 12524 Human Resources Management Preventive
    Establish, implement, and maintain a compliance policy. CC ID 14807 Establish/Maintain Documentation Preventive
    Include the standard of conduct and accountability in the compliance policy. CC ID 14813 Establish/Maintain Documentation Preventive
    Include the scope in the compliance policy. CC ID 14812 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the compliance policy. CC ID 14811 Establish/Maintain Documentation Preventive
    Include a commitment to continual improvement in the compliance policy. CC ID 14810 Establish/Maintain Documentation Preventive
    Disseminate and communicate the compliance policy to interested personnel and affected parties. CC ID 14809 Communicate Preventive
    Include management commitment in the compliance policy. CC ID 14808 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a governance policy. CC ID 15587 Establish/Maintain Documentation Preventive
    Disseminate and communicate the governance policy to all interested personnel and affected parties. CC ID 15625 Communicate Preventive
    Include a commitment to continuous improvement in the governance policy. CC ID 15595 Establish/Maintain Documentation Preventive
    Include roles and responsibilities in the governance policy. CC ID 15594 Establish/Maintain Documentation Preventive
    Establish, implement, and maintain a positive information control environment. CC ID 00813
    [Determine whether management has data governance and data management processes that include defining responsibility and processes for governing data, including the identification, management, and oversight of any metadata, and promoting a culture that takes a data-centric approach. App A Objective 3:4
    Management should promote a culture that takes a data-centric approach for AIO functions and define responsibility and controls as part of data governance and data management processes. III.A Action Summary ¶ 1]
    Business Processes Preventive
    Make compliance and governance decisions in a timely manner. CC ID 06490 Behavior Preventive
    Establish, implement, and maintain an internal control framework. CC ID 00820
    [Evaluate whether business line management is consulted to assist in data classification, recovery standards development, and appropriate control validation. App A Objective 3:3
    {security management} With respect to operating centers, describe the entity's operating center type and key responsibilities and determine whether functions such as security and network management are addressed. Evaluate the appropriateness of the entity's processes and controls, such as the following: App A Objective 14:1]
    Establish/Maintain Documentation Preventive
    Define the scope for the internal control framework. CC ID 16325 Business Processes Preventive
    Review the relevance of information supporting internal controls. CC ID 12420 Business Processes Detective
    Measure policy compliance when reviewing the internal control framework. CC ID 06442 Actionable Reports or Measurements Corrective
    Assign ownership of the internal control framework to the appropriate organizational role. CC ID 06437 Establish Roles Preventive
    Assign resources to implement the internal control framework. CC ID 00816 Business Processes Preventive
    Define and assign the roles and responsibilities for interested personnel and affected parties when establishing, implementing, and maintaining the internal control framework. CC ID 07146 Establish Roles Preventive
    Establish, implement, and maintain a baseline of internal controls. CC ID 12415 Business Processes Preventive
    Include the business need justification for excluding controls in the baseline of internal controls. CC ID 16129 Establish/Maintain Documentation Preventive
    Include the implementation status of controls in the baseline of internal controls. CC ID 16128 Establish/Maintain Documentation Preventive
    Leverage actionable information to support internal controls. CC ID 12414 Business Processes Preventive
    Include procedures for continuous quality improvement in the internal control framework. CC ID 00819
    [{service improvement} Examiners should review for the following: Strategies for service and process improvement and methods to measure the results of those improvement efforts. VI.D Action Summary ¶ 2 Bullet 8
    Management should develop processes to oversee operations functions, evaluate the effectiveness of controls, and identify opportunities for improvement. VI.D Action Summary ¶ 1
    {be ongoing} Maintains a process to measure the results of continuous improvement efforts and includes the following: Ongoing practice of process improvement. App A Objective 17:4c Bullet 1
    Management develops processes to oversee operations functions, evaluate the effectiveness of controls, and identify opportunities for improvement. (VI.D, "Ongoing Monitoring and Evaluation Processes") App A Objective 17
    {continuous improvement} Determine whether management uses control self-assessments, risk control self-assessments, or other methods to monitor the effectiveness of IT operations controls and gauge performance, assess the criticality of systems, and identify existing risks. Determine whether management evaluates results and uses them to continuously improve the entity's operations. App A Objective 17:3
    Determine whether management has a continuous improvement process in place to recommend changes to the entity's IT environment. Evaluate whether management does the following: App A Objective 17:4
    Evaluate whether management does the following: Develops improvement strategies for operations and prioritizes projects. App A Objective 17:4a
    Maintains a process to measure the results of continuous improvement efforts and includes the following: Enterprise-wide practice of service improvement that augments the ability to provide value to its stakeholders and customers. App A Objective 17:4c Bullet 2]
    Establish/Maintain Documentation Preventive
    Include continuous service account management procedures in the internal control framework. CC ID 13860 Establish/Maintain Documentation Preventive
    Include threat assessment in the internal control framework. CC ID 01347 Establish/Maintain Documentation Preventive
    Automate threat assessments, as necessary. CC ID 06877 Configuration Preventive
    Include vulnerability management and risk assessment in the internal control framework. CC ID 13102 Establish/Maintain Documentation Preventive
    Automate vulnerability management, as necessary. CC ID 11730 Configuration Preventive
    Include personnel security procedures in the internal control framework. CC ID 01349 Establish/Maintain Documentation Preventive
    Include continuous security warning monitoring procedures in the internal control framework. CC ID 01358 Establish/Maintain Documentation Preventive
    Include incident alert thresholds in the continuous security warning monitoring procedures. CC ID 13205 Establish/Maintain Documentation Preventive
    Include security information sharing procedures in the internal control framework. CC ID 06489 Establish/Maintain Documentation Preventive
    Share security information with interested personnel and affected parties. CC ID 11732 Communicate Preventive
    Evaluate information sharing partners, as necessary. CC ID 12749 Process or Activity Preventive
    Include security incident response procedures in the internal control framework. CC ID 01359 Establish/Maintain Documentation Preventive
    Include incident response escalation procedures in the internal control framework. CC ID 11745 Establish/Maintain Documentation Preventive
    Include continuous user account management procedures in the internal control framework. CC ID 01360
    [Verify that management implemented effective database security controls, such as the following: Restricts account access and limits privileges and permissions. App A Objective 3:7c]
    Establish/Maintain Documentation Preventive
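    The database control cited above (App A Objective 3:7c, "Restricts account access and limits privileges and permissions") is stated as an audit objective, not as a procedure. The following PostgreSQL statements are an added illustration, not text from the FFIEC handbook or from this mapping, of what a least-privilege account structure for one application database looks like and of the two queries an examiner could request as evidence. The database name (ledger), the role names (app_ro, app_rw, reporting_svc, ledger_app) and the connection limits are assumptions chosen for the example.

```sql
-- Added example (not from the FFIEC handbook or the UCF mapping).
-- Assumed names: database "ledger", group roles app_ro / app_rw,
-- login roles reporting_svc / ledger_app. Run as a superuser or the database owner.

-- 1. Close the defaults. Every role is a member of PUBLIC, so PUBLIC's implicit
--    rights (connect to the database, create objects in schema public) must be
--    revoked before access can be said to be "restricted".
REVOKE CONNECT ON DATABASE ledger FROM PUBLIC;
REVOKE ALL ON SCHEMA public FROM PUBLIC;

-- 2. Privileges live on NOLOGIN group roles, separated by need:
--    read-only for reporting, read/write (no DELETE, no DDL) for the application.
CREATE ROLE app_ro NOLOGIN;
CREATE ROLE app_rw NOLOGIN;
GRANT CONNECT ON DATABASE ledger TO app_ro, app_rw;
GRANT USAGE ON SCHEMA public TO app_ro, app_rw;
GRANT SELECT ON ALL TABLES IN SCHEMA public TO app_ro;
GRANT SELECT, INSERT, UPDATE ON ALL TABLES IN SCHEMA public TO app_rw;
-- Tables created later by this owner get the same grants automatically,
-- so a new table does not silently fall outside the control.
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT ON TABLES TO app_ro;
ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT SELECT, INSERT, UPDATE ON TABLES TO app_rw;

-- 3. Login accounts hold no privileges of their own: no SUPERUSER, CREATEDB or
--    CREATEROLE, membership in exactly one group, and a connection limit so a
--    leaked credential cannot exhaust the server. Credentials are set out of band
--    (certificate auth, or \password in psql), never embedded in scripts.
CREATE ROLE reporting_svc LOGIN CONNECTION LIMIT 5  IN ROLE app_ro;
CREATE ROLE ledger_app    LOGIN CONNECTION LIMIT 50 IN ROLE app_rw;

-- 4. Evidence for the examiner.
-- 4a. Any login role with server-wide powers is an exception that needs a
--     documented business justification; this should return only the DBA accounts.
SELECT rolname, rolsuper, rolcreaterole, rolcreatedb, rolbypassrls
  FROM pg_roles
 WHERE rolcanlogin
   AND (rolsuper OR rolcreaterole OR rolcreatedb OR rolbypassrls);

-- 4b. Effective table privileges per login role, including those inherited through
--     group membership, so the listing reflects what the account can actually do.
SELECT r.rolname, t.schemaname, t.tablename, p.privilege_type
  FROM pg_roles r
  JOIN pg_tables t
    ON t.schemaname NOT IN ('pg_catalog', 'information_schema')
 CROSS JOIN (VALUES ('SELECT'), ('INSERT'), ('UPDATE'), ('DELETE'), ('TRUNCATE'))
       AS p(privilege_type)
 WHERE r.rolcanlogin
   AND has_table_privilege(r.rolname,
                           format('%I.%I', t.schemaname, t.tablename),
                           p.privilege_type)
 ORDER BY r.rolname, t.schemaname, t.tablename, p.privilege_type;
```

    The two queries in step 4 are the part an examiner can ask for on a live system: the first enumerates accounts that bypass the control entirely, the second shows effective rather than nominal privileges, which is what "limits privileges and permissions" has to be verified against. The same structure (revoke defaults, grant to group roles, login roles inherit, audit effective rights) carries over to other database engines with different syntax.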
    Include emergency response procedures in the internal control framework. CC ID 06779 Establish/Maintain Documentation Detective
    Authorize and document all exceptions to the internal control framework. CC ID 06781 Establish/Maintain Documentation Preventive
    Disseminate and communicate the internal control framework to all interested personnel and affected parties. CC ID 15229 Communicate Preventive
    Establish, implement, and maintain an information security program. CC ID 00812
    [Determine whether management does the following: Uses the results of the data classification process to implement controls to safeguard data, including sensitive data. App A Objective 3:5b
    {be appropriate} Determine whether management has effective database management, including the following: Focuses on identifying, managing, and securing the data; identifying business uses; and providing appropriate access regardless of how the data are stored. App A Objective 3:6g
    Verify that management implemented effective database security controls, such as the following: App A Objective 3:7
    Assess whether management performs the following: Employs appropriate data protection and data loss prevention tools. App A Objective 4:5d
    Evaluate the effectiveness of the assignment of the following responsibilities: Data-related responsibilities: Governance and use of information or data, protection of that data, and derivation of maximum value from it. App A Objective 2:9b Bullet 1
    {security management} With respect to operating centers, describe the entity's operating center type and key responsibilities and determine whether functions such as security and network management are addressed. Evaluate the appropriateness of the entity's processes and controls, such as the following: App A Objective 14:1
    The vulnerability management program includes