Monitor regulatory trends to maintain compliance.


CONTROL ID
00604
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598

This Control has the following implementation support Control(s):
  • Monitor for new Information Security solutions., CC ID: 07078
  • Subscribe to a threat intelligence service to receive notification of emerging threats., CC ID: 12135
  • Disseminate and communicate emerging threats to all interested personnel and affected parties., CC ID: 12185


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • T41.3: The organization shall keep up with current trends in security technology and evaluate the compatibility, stability, and usability before implementing a security technology. T43.9: The organization shall keep up with the latest trends in security technologies used to connect to the Internet a… (T41.3, T43.9, T49.4, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • ensure technology and business-model neutrality; (Art 98(2)(d), DIRECTIVE (EU) 2015/2366 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC)
  • The organization must implement a regulatory compliance program that tracks applicable laws and regulations in the jurisdictions where the organization conducts business. (CORE - 4(a), URAC Health Utilization Management Standards, Version 6)
  • Establish a process to monitor the business sector, industry, technology, infrastructure, legal and regulatory environment trends. Incorporate the consequences of these trends into the development of the IT technology infrastructure plan. (PO3.3 Monitor Future Trends and Regulations, CobiT, Version 4.1)
  • Active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in use. (12.3.3 Bullet 2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in use. (12.3.3 Bullet 2, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Active monitoring of industry trends regarding continued viability of all cryptographic cipher suites and protocols in use. (12.3.3 Bullet 2, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • The information security governance framework should include a process that requires the governing body to monitor the extent of overall compliance with information security-related legislation and regulation. (SG.01.01.05c-2, The Standard of Good Practice for Information Security)
  • The information security function should monitor current, new, and emerging general business trends (e.g., prospects for growth, internationalization, merger / acquisitions, joint ventures, divestitures, consumerization, outsourcing, and cloud computing). (CF.01.02.05a, The Standard of Good Practice for Information Security)
  • The information security function should monitor current, new, and emerging industry / international information security-related standards (e.g., iso/iec 27001 and 27002, cobit, nist sp 800-53, and itil). (CF.01.02.05d, The Standard of Good Practice for Information Security)
  • The information security function should monitor current, new, and emerging legislation or regulations related to Information Security (e.g., those concerning data breach notification, data privacy, digital signatures, and industry-specific standards such as basel iii and the Payment Card Industry D… (CF.01.02.05e, The Standard of Good Practice for Information Security)
  • The information security governance framework should include a process that requires the governing body to monitor the extent of overall compliance with information security-related legislation and regulation. (SG.01.01.05c-2, The Standard of Good Practice for Information Security, 2013)
  • The information security function should monitor current, new, and emerging general business trends (e.g., prospects for growth, internationalization, merger / acquisitions, joint ventures, divestitures, consumerization, outsourcing, and cloud computing). (CF.01.02.05a, The Standard of Good Practice for Information Security, 2013)
  • The information security function should monitor current, new, and emerging industry / international information security-related standards (e.g., iso/iec 27001 and 27002, cobit, nist sp 800-53, and itil). (CF.01.02.05d, The Standard of Good Practice for Information Security, 2013)
  • The information security function should monitor current, new, and emerging legislation or regulations related to Information Security (e.g., those concerning data breach notification, data privacy, digital signatures, and industry-specific standards such as basel iii and the Payment Card Industry D… (CF.01.02.05e, The Standard of Good Practice for Information Security, 2013)
  • fulfilment of its compliance obligations; (§ 9.3 ¶ 2 d) 3), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • Organizations should have processes in place to identify new and changed laws, regulations, codes and other compliance obligations to ensure on-going compliance. Organizations should have processes to evaluate the impact of the identified changes and implement any changes in the management of the co… (§ 4.5.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • legal and regulatory requirements, (§ 9.3 ¶ 4 d) 4), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Service providers should create a capability to monitor, develop, and track trends in the ICT disaster recovery industry. (§ 9.2.3, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • short-, medium- and long-term trends including social responsibility and sustainability trends; (§ 6.9.3.2 ¶ 2 d) 2), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • identify new and changed compliance obligations to ensure ongoing compliance; (§ 4.5 ¶ 2 a), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • facilitating the identification of compliance obligations; (§ 5.3.2 ¶ 1 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • results of evaluation of compliance with legal requirements and other requirements; (§ 9.3 ¶ 2 d) 3), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • monitoring and measurement results; (§ 9.3 ¶ 2 d) 2), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • customer and applicable statutory and regulatory requirements are determined, understood and consistently met; (5.1.2 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • facilitating the identification of compliance obligations; (§ 5.3.2 ¶ 2 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • identify new and changed compliance obligations to ensure on-going compliance; (§ 6.3 ¶ 2 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization should identify trends that may require the privacy policies and procedures to be updated. (Table Ref 10.2.4, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The federal bureau of investigation criminal justice information services division shall track all reported security incidents and trends. (§ 5.3.1.1.1(5), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Identification of the entity's IT assets, external constraints, industry IT architecture trends, and the entity's needs for the desired future state. (App A Objective 12:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management adjusts the information security program for institutional changes and changes in legislation, regulation, regulatory policy, guidance, and industry practices. Review whether management has processes to do the following: (App A Objective 4.5, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Maintain awareness of new legal and regulatory requirements or changes to industry practices. (App A Objective 4.5.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Regulatory compliance; and (App A Tier 1 Objectives and Procedures Objective 2:3 Bullet 5, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Evaluate financial institution adherence to bankcard company rules and bylaws and regulatory requirements. (App A Tier 1 Objectives and Procedures Objective 6:1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Are current laws being monitored for changes governing the use of digital signatures? (IT - Authentication Q 22, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization must establish and maintain policies and procedures for contacting groups and associations inside the security community which facilitate ongoing personnel security education and training; advise on the latest recommended security practices, techniques, and technologies; and share c… (App F § AT-5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Monitors federal privacy laws and policy for changes that affect the privacy program; (AR-1b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Legal, regulatory, and contractual requirements regarding cybersecurity — including privacy and civil liberties obligations — are understood and managed (GV.OC-03, The NIST Cybersecurity Framework, v2.0)