Back

Establish, implement, and maintain a testing program.


CONTROL ID
00654
CONTROL TYPE
Behavior
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

This Control has the following implementation support Control(s):
  • Conduct Red Team exercises, as necessary., CC ID: 12131
  • Establish, implement, and maintain a security assessment and authorization policy., CC ID: 14031
  • Test security systems and associated security procedures, as necessary., CC ID: 11901
  • Employ third parties to carry out testing programs, as necessary., CC ID: 13178
  • Define the test requirements for each testing program., CC ID: 13177
  • Test in scope systems for segregation of duties, as necessary., CC ID: 13906
  • Test the in scope system in accordance with its intended purpose., CC ID: 14961
  • Identify risk management measures when testing in scope systems., CC ID: 14960
  • Scan organizational networks for rogue devices., CC ID: 00536
  • Include mechanisms for emergency stops in the testing program., CC ID: 14398
  • Establish, implement, and maintain conformity assessment procedures., CC ID: 15032
  • Establish, implement, and maintain a port scan baseline for all in scope systems., CC ID: 12134
  • Define the test frequency for each testing program., CC ID: 13176
  • Establish, implement, and maintain a stress test program for identification cards or badges., CC ID: 15424
  • Establish, implement, and maintain a penetration test program., CC ID: 01105
  • Disseminate and communicate the testing program to all interested personnel and affected parties., CC ID: 11871
  • Establish, implement, and maintain a business line testing strategy., CC ID: 13245
  • Establish, implement, and maintain a vulnerability assessment program., CC ID: 11636
  • Perform penetration tests and vulnerability scans in concert, as necessary., CC ID: 12111
  • Test the system for insecure cryptographic storage., CC ID: 11635
  • Test in scope systems for compliance with the Configuration Baseline Documentation Record., CC ID: 12130
  • Recommend mitigation techniques based on vulnerability scan reports., CC ID: 11639
  • Recommend mitigation techniques based on penetration test results., CC ID: 04881
  • Correct or mitigate vulnerabilities., CC ID: 12497


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • The forms and features of the internal controls and the account settlement and financial reporting processes must be considered when determining a method to assess the status of operational internal controls. To determine a method to make an assessment of the internal control status, the following m… (App 5 § 1, Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Standard § II.3(4): When deficiencies that relate to key controls are identified that are very likely to have a material impact, it should be determined that material weaknesses in internal control over financial reporting do exist. Standard § II.3(6): If management cannot conduct sufficient asses… (Standard § II.3(4), Standard § II.3(6), Practice Standard § II.2(2), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • A methodology for system testing should be established. The scope of tests should cover business logic, security controls and system performance under various stress-load scenarios and recovery conditions. (§ 6.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Based on the FI’s risk analysis, the FI should rigorously test specific application modules and security safeguards with a combination of source code review, exception testing and compliance review to identify errant coding practices and systems vulnerabilities that could lead to security problems… (§ 6.3.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should ensure the results of all testing that was conducted are documented in the test report, and signed off by the relevant stakeholders. (§ 5.7.6, Technology Risk Management Guidelines, January 2021)
  • It is essential for the FI to establish a comprehensive strategy to perform application security validation and testing. The FI may use a mixture of static, dynamic and interactive application security testing methods (refer to Annex A on Application Security Testing) to validate the security of the… (§ 6.1.6, Technology Risk Management Guidelines, January 2021)
  • The objectives, scope and rules of engagement should be defined before the commencement of the exercise, and the exercise should be conducted in a controlled manner under close supervision to ensure the activities carried out by the red team do not disrupt the FI's production systems. (§ 13.4.2, Technology Risk Management Guidelines, January 2021)
  • The organization should conduct testing of the security measures at random intervals of no more than 6 months apart. (Control: 1037, Australian Government Information Security Manual: Controls)
  • The organization should conduct assurance testing after changes to vulnerabilities and threats and after material changes to Information Technology assets. (¶ 81, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should conduct security reviews (internal vulnerability assessments, external vulnerability assessments, and code reviews) when developing secure software. (Attach D ¶ 2(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • security testing, including penetration testing; (16(e)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • security testing (including reviews) to identify vulnerabilities and confirm information security requirements have been met. The nature of testing would be commensurate with the scope of the change and the sensitivity and criticality of the impacted information asset (refer to Attachment H for exam… (47(a)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • In order to systematically test information security controls, an APRA-regulated entity would normally outline the population of information security controls across the regulated entity, including any group of which it is a part, and maintain a program of testing which validates the design and oper… (78., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • An APRA-regulated entity must test the effectiveness of its information security controls through a systematic testing program. The nature and frequency of the systematic testing must be commensurate with: (27., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • The schedule of testing would typically ensure that all aspects of the IT security control environment are assessed over time, commensurate with the sensitivity and criticality of the IT assets. In APRA's view, annual testing (as a minimum) would be normal for IT assets exposed to 'un-trusted' envir… (¶ 82, The AD_offical_Name should be: APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The system should be tested for vulnerabilities on an ongoing basis to promote and maintain the security of the system. (§ 2.7.38, Australian Government ICT Security Manual (ACSI 33))
  • Financial institutions should establish and implement an information security testing framework that validates the robustness and effectiveness of their information security measures and ensure that this framework considers threats and vulnerabilities, identified through threat monitoring and ICT an… (3.4.6 42, Final Report EBA Guidelines on ICT and security risk management)
  • monitoring, auditing and testing; (Art. 16.1(d), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. (Art. 32.1.(d), Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Unscheduled reviews after essential changes to the requirements or environment. The essentiality must be assessed by the cloud provider and documented comprehensibly for audits (Section 5.12 DLL-02 Basic requirement ¶ 1 Bullet 3, Cloud Computing Compliance Controls Catalogue (C5))
  • The business impact analysis as well as the business continuity plans and contingency plans are verified, updated and tested at regular intervals (at least once a year) or after essential organisational or environment-related changes. The tests also involve affected customers (tenants) and relevant … (Section 5.14 BCM-04 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • A methodology for testing applications prior to their first use and after material modifications shall be defined and introduced. The scope of the tests shall include the functionality of the application, the security controls and system performance under various stress scenarios. The organisational… (II.6.41, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Both vulnerability testing and penetration testing are called for. The penetration tests should assess both external and insider threats. The ISF Standard calls for a comprehensive assessment of the security of the enterprise. Additionally, penetration tests should be performed. (§ X.3, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The organization must routinely test internal security systems and processes. (§ 1a, American Express Data Security Standard (DSS))
  • How is security testing managed for CSP infrastructure vs. client environments? (Appendix D, Regularly Monitor and Test Networks Bullet 11, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • How is testing for wireless technologies performed and managed? (Appendix D, Regularly Monitor and Test Networks Bullet 7, Information Supplement: PCI DSS Cloud Computing Guidelines, Version 2.0)
  • Examine the documented procedures to verify there are procedures for inspecting devices, along with the inspection frequency. (Testing Procedures § 9.9.2.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Regularly test security systems and processes (§ 11, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that the entity has a documented process to detect and identify wireless access points on a quarterly basis. (§ 11.1.a Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Regularly test security systems and processes (PCI DSS Requirements § 11, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. (11.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. (11.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. (11.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are security policies and operational procedures for security monitoring and testing: - Documented - In use - Known to all affected parties? (11.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for security monitoring and testing: - Documented - In use - Known to all affected parties? (11.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for security monitoring and testing: - Documented - In use - Known to all affected parties? (11.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for security monitoring and testing: - Documented - In use - Known to all affected parties? (11.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for security monitoring and testing are: - Documented, - In use, and - Known to all affected parties. (11.6, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Payment applications must have the ability to be implemented into a secure network environment and not interfere with any PCI DSS compliance requirements. (§ 8.1, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations. (§ 3 Principle 16 Points of Focus: Considers Rate of Change, COSO Internal Control - Integrated Framework (2013))
  • When an auditor performs physical control tests, he/she can answer audit questions like: Are privacy controls implemented consistently across the organization?, Are documents that contain private information securely stored?, Are proper procedures being used to dispose of private information?, Are d… (§ 5.6 (Physical Control Tests), § 5.6 (Social Engineering Tests), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The organization must periodically evaluate the organizational resilience management plans, procedures, and capabilities via testing, assessments, post-incident reports, lessons learned, exercises, and performance evaluations. Whenever there are significant changes in any of these components, the pr… (§ 4.5, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization should clearly plan the penetration testing goals. (Critical Control 20.7, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • A program for the systematic monitoring and evaluation to ensure that standards of quality and security baselines are being met shall be established for all software developed by the organization. Quality evaluation and acceptance criteria for information systems, upgrades, and new versions shall be… (CCC-03, Cloud Controls Matrix, v3.0)
  • Implement a testing strategy, including criteria for acceptance of new information systems, upgrades and new versions, which provides application security assurance and maintains compliance while enabling organizational speed of delivery goals. Automate when applicable and possible. (AIS-05, Cloud Controls Matrix, v4.0)
  • Approval of IT Systems. Organizations should ensure that approval takes place for all or selected IT systems that they meet the requirements of the IT system security policy and the IT security plan. This approval process should be based on techniques such as security compliance checking, security t… (¶ 10.4, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • ¶ 8.1.5(7) Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards… (¶ 8.1.5(7), ¶ 10.3.7, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Protection Against Malicious Code. Users need to be aware that malicious code may be introduced into their environment through network connections. Malicious code may not be detected before damage is done unless suitable safeguards are implemented. Malicious code may result in compromise of security… (¶ 13.6, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Organizations should consider, where appropriate, using laboratories whose testing techniques have been either accredited by a national accreditation body or approved by the regulators. If accreditation or approval is not possible or available, then the organization can consider other suitable metho… (9.1.1 ¶ 7, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • A vulnerability analysis should be performed by the developer and an independent evaluator. The vulnerability analysis document should include the following: a description of the procedures used to determine the ways a user could violate the security policy; the status of identified vulnerabilities;… (§ 19.4, ISO 15408-2 Common Criteria for Information Technology Security Evaluation Part 2, 2008)
  • A vulnerability analysis should be performed by the developer and an independent evaluator. The vulnerability analysis document should include the following: a description of the procedures used to determine the ways a user could violate the security policy; the status of identified vulnerabilities;… (§ 19.4, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • Security functions that have a strength of function claim should be analyzed to ensure the function meets or exceeds the minimum strength level. The strength of function analysis should be examined to ensure all assumptions, assertions, algorithms, calculations, and principles are correct. (§ 11.9.1, § 12.10.2, § 13.10.2, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • Tests, test plans, test strategies, test objectives, and test results should make up an integral part for maintaining the integrity of physical access control systems and logical access control systems. Outsourced service providers should perform internal assessments at least once a year on their se… (§ 6.3.10, § 7.5.9, § 7.16.2, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Assess the controls in accordance with the assessment procedures described in assessment plans. (TASK A-3, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The organization establishes a comprehensive testing program to conduct periodic and proactive testing and validation of the effectiveness of the organization's incident detection processes and controls. (DE.DP-3.1, CRI Profile, v1.2)
  • The organization establishes testing programs that include a range of scenarios, including severe but plausible scenarios (e.g., disruptive, destructive, corruptive) that could affect the organization's ability to service clients. (PR.IP-10.1, CRI Profile, v1.2)
  • The organization establishes a comprehensive testing program to conduct periodic and proactive testing and validation of the effectiveness of the organization's incident detection processes and controls. (DE.DP-3.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The information system enforces access restrictions and supports auditing of the enforcement actions. (CM-5(1) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The information system enforces access restrictions and supports auditing of the enforcement actions. (CM-5(1) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should test the effectiveness of the controls used to protect personal information, including the key administrative, technical, and physical safeguards. The controls should be tested at least annually. (ID 8.2.6, AICPA/CICA Privacy Framework)
  • The organization should conduct tests on the effectiveness of the key administrative, technical, and physical safeguards that protect the personal information at least annually. (Generally Accepted Privacy Principles and Criteria § 8.2.7, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The security program, in relation to protecting personal information, should include procedures for proactively testing security procedures, such as penetration testing. (Table Ref 8.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The service auditor should conduct procedures that are related to any additional subject matter the service organization requests. (¶ 1.40, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The testing of controls should provide evidence that the controls are operating effectively. The testing should determine how the controls are applied, how consistently they were applied, and who or what applied them. The extent of tests performed should be based on how frequently the organization u… (§ 318.26, § 318.46, SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained)
  • Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations. (CC4.1 Considers Rate of Change, Trust Services Criteria)
  • Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations. (CC4.1 ¶ 3 Bullet 2 Considers Rate of Change, Trust Services Criteria, (includes March 2020 updates))
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, are standard builds and security compliance checks conducted? (§ V.1.72.2, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The organization should establish testing and verification requirements for products that are identified as having a high counterfeit risk and are not received from the original equipment manufacture, original component manufacturer, or authorized distributor. (§ 2 Item 6, Overarching DoD Counterfeit Prevention Guidance, Memorandum for Secretaries of the Military Departments, Directors of the Defense Agencies)
  • CMS business partners are required to use a CMS-contracted third party to conduct a security test and evaluation (ST&E) of new functionality before releasing the system into production and the ST&E must include penetration testing. (§ 5 ¶ 1, CMS Business Partners Systems Security Manual, Rev. 10)
  • Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the bank holding company's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those tha… (§ III.C(3), 12 CFR Appendix F to Part 225 - Interagency Guidelines Establishing Information Security Standards)
  • Regular reviews and testing, as applicable, of such systems, including backup systems, to identify vulnerabilities pertaining to internal and external threats, physical hazards, and natural or manmade disasters; (§242.1001(a)(2)(iv), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Periodic capacity stress tests of such systems to determine their ability to process transactions in an accurate, timely, and efficient manner; (§242.1001(a)(2)(ii), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • The agency head must ensure senior agency officials periodically test and evaluate information security controls and techniques for information and information systems that support operations and assets under their control to ensure they are implemented effectively. Each agency must develop, documen… (§ 3544(a)(2)(D), § 3544(b)(5), Federal Information Security Management Act of 2002)
  • The organization will contract with a reputable, highly qualified, thoroughly screen organization to hack its computer system in order to identify vulnerabilities and weaknesses. (Pg 47, C-TPAT Supply Chain Security Best Practices Catalog)
  • The Information Systems Security Manager (ISSM) must provide the appropriate protection and review and certify that the protection measures have been implemented correctly. The ISSM must assure that security features are implemented and operational and that the system operates in accordance with the… (§ 8-201, § 8-614, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • A patient safety organization must have documented processes and procedures that address periodic assessments of security risks and controls to determine whether the controls are effective. (§ 3.106(b)(4)(i), 42 CFR Part 3, Patient Safety and Quality Improvements, Final Rule)
  • Perform validation testing to ensure rogue APs (Access Points) do not exist in the 802.11 Wireless Local Area Network (WLAN) and to fully understand the wireless network security posture. (§ 5.13.1.1 ¶ 2(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Determine whether test results are analyzed and compared against stated objectives; test issues are assigned ownership; a mechanism is developed to prioritize test issues; test problems are tracked until resolution; and recommendations for future tests are documented. (TIER I OBJECTIVES AND PROCEDURES Risk Monitoring and Testing Objective 11: Execution, Evaluation, and Re-Testing 2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Determine whether management covers all of the functions in the exercise and test universe according to its established timeframes (e.g., all processes are covered annually or every three years). (App A Objective 10:3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Sufficient personnel to perform the exercise or test, provide oversight, and document the results. (App A Objective 10:7c, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management implemented a comprehensive exercise and testing program, objectives, and plans to validate the entity's ability to restore critical business functions. (App A Objective 10:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Verify that the program is appropriate for the entity's risk profile. Assess whether the entity's consolidated exercise and test schedule is reflective of exercise and test objectives and the overall exercise and test universe. (App A Objective 10:2, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Provisions for emergency stops and concluding exercises and tests. (App A Objective 10:7e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Infrastructure testing. (App A Objective 2:4a Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Testing internally and with third-party service providers, as appropriate. (App A Objective 12:4c Bullet 9, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management considers the following key testing factors when developing and implementing independent tests: (App A Objective 10.2, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should ascertain that the information security program is operating securely, as expected, and reaching intended goals by doing the following: - Testing and evaluating through self-assessments, tests, and audits with appropriate coverage, depth, and independence. - Aligning personnel sk… (IV.A Assurance and Testing, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine the extent of audit's participation in application development, acquisition, and testing, as part of the organization's process to ensure the effectiveness of internal controls. (TIER I OBJECTIVES AND PROCEDURES Objective 10, FFIEC IT Examination Handbook - Audit, April 2012)
  • Tested key controls (at least annually); (TIER II OBJECTIVES AND PROCEDURES D.2. Bullet 3, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether audit procedures for information security adequately consider compliance with the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information," as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 1999. Consider evaluating whether management has â… (Exam Tier II Obj D.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • Security testing should be used to identify control deficiencies, occur on a regular basis, and be conducted by personnel who are not involved in security administration. The identified deficiencies should be corrected in a timely manner. (Pg 30, Obj 4.8, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The development of internal pilot programs and partnerships with technology service providers introducing new retail payment systems and delivery channels. (App A Tier 1 Objectives and Procedures Objective 9:1 Bullet 2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Software applications should be reviewed and tested to identify potential risks and identify any needed compensating controls to ensure the organization operates in a secure manner. (Pg 21, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, March 2003)
  • The organization should regularly test the effectiveness of the implemented security controls and procedures. (§ 314.4(c), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule)
  • Calls for the periodic evaluation and testing of information security controls and techniques to ensure that they are effectively implemented. (SP-5, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system enforces access restrictions and supports auditing of the enforcement actions. (CM-5(1) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assign… (CA-2(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assign… (CA-2(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The information system enforces access restrictions and supports auditing of the enforcement actions. (CM-5(1) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization must develop a policy for testing, validating, and authorizing the security controls that protect the Federal Tax Information (FTI). State and local agencies are not required to perform a NIST C&A but need to accredit in writing that the security controls have been implemented adequ… (§ 5.6.4, Exhibit 4 CA-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • (§ 6.03, IRS Revenue Procedure: Record retention: automatic data processing, 98-25)
  • (§ 5.01, IRS Revenue Procedure: Retention of books and records, 97-22)
  • Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the credit union's risk assessment. Tests should be conducted or reviewed by independent third parties or staff independent of those that develo… (§ 748 Appendix A. III.C.3., 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Are independent security assessments obtained to determine if the Credit Union is adhering to industry best practices and internal policies for Wireless Local Area Networks and wireless wide area networks? (IT - WLANS Q 23, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • § 4.4.4 Bullet 2: Evaluate each security access control to ensure alignment with existing management, operational, and technical controls, such as policy standards and personnel procedures, maintenance and audit trail review, user identification and authentication, and physical access controls. § … (§ 4.4.4 Bullet 2, § 4.8.3 Bullet 2, § 4.8.5 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment… (CA-2(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Ongoing control assessments in accordance with the continuous monitoring strategy; (CA-7c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle]. (RA-9 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Ongoing control assessments in accordance with the continuous monitoring strategy; (CA-7c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Ongoing control assessments in accordance with the continuous monitoring strategy; (CA-7c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle]. (RA-9 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Ongoing control assessments in accordance with the continuous monitoring strategy; (CA-7c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Are developed and maintained; and (PM-14a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Are developed and maintained; and (PM-14a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment… (CA-2(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle]. (RA-9 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Calls for Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to corre… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Organizational records and documents should be examined to ensure security assessment, certification, and accreditation policy and procedures are documented, disseminated, reviewed, and updated; security controls are assessed for correct implementation and intended operation; security certification … (CA-1, CA-4, CA-4(1), CA-6, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The information system enforces access restrictions and supports auditing of the enforcement actions. (CM-5(1) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Are developed and maintained; and (PM-14a.1., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A third-party may be contracted to perform an assessment, which may include a penetration test, to ensure the WLANs are compliant with the organizational security procedures and policies. (§ 6.1(WLAN security assessments), Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • Ensure that cybersecurity inspections, tests, and reviews are coordinated for the network environment. (T0091, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide support to security/certification test and evaluation activities. (T0231, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Conduct hypothesis testing using statistical processes. (T0351, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide support to test and evaluation activities. (T0538, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Administer test bed(s), and test and evaluate applications, hardware infrastructure, rules/signatures, access controls, and configurations of platforms managed by service provider(s). (T0420, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Technical measures implemented to manage data processing are tested and assessed. (CT.DM-P9, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must develop and implement a security assessment and authorization policy. (SG.CA-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should include unannounced and periodic Red Team exercises, penetration testing, and in-depth monitoring as part of the security requirements continuous monitoring. (SG.CA-6 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should use automated mechanisms for supporting the management of security testing. (SG.SI-6 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should conduct integrity scans on a defined frequency to reassess the integrity of information and software. (SG.SI-7 Requirement Enhancements 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop, disseminate, review, and update a formal, documented security assessment and authorization policy that includes purpose, responsibilities, roles, scope, management commitment, compliance, and coordination among entities. (App F § CA-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop a security assessment plan describing the security controls and control enhancements; the assessment procedures used to determine effectiveness; and the assessment environment, team, and roles and responsibilities. (App F § CA-2.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should provide automated support for managing distributed security testing. (App F § SI-6(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update formal, documented procedures to implement the security assessment and authorization policies and associated controls. (App F § CA-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should plan, schedule, and conduct announced or unannounced assessments (penetration testing, red team exercises, in-depth monitoring, malicious user testing, and other assessment forms) on a predefined frequency to ensure organizational compliance with all vulnerability mitigation … (App F § CA-7(2), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use measures to ensure critical security controls are not compromised. (App F § SA-14(1)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must use compensating controls in accordance with the general tailoring guidance when the Industrial Control System cannot, for operational reasons, perform a live assessment of the production Industrial Control System. (App I § CA-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must ensure the security assessments do not interfere with any of the Industrial Control System functions. (App I § CA-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The security assessment must be scheduled during planned Industrial Control System outages, whenever possible, if the Industrial Control System must be taken offline to perform the security assessment. (App I § CA-2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must ensure the security assessments do not interfere with any of the Industrial Control System functions. (App I § CA-7, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Provide support to security/certification test and evaluation activities. (T0231, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Provide support to test and evaluation activities. (T0538, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • Administer test bed(s), and test and evaluate applications, hardware infrastructure, rules/signatures, access controls, and configurations of platforms managed by service provider(s). (T0420, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework)”, July 7, 2020)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. (CA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including: (CA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including security controls and control enhancements under assessment. (CA-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including assessment procedures to be used to determine security control effectiveness. (CA-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including assessment environment, assessment team, and assessment roles and responsibilities. (CA-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system implements automated mechanisms to support for the management of distributed security testing. (SI-6(2), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. (CA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including: (CA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including security controls and control enhancements under assessment. (CA-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including assessment procedures to be used to determine security control effectiveness. (CA-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including assessment environment, assessment team, and assessment roles and responsibilities. (CA-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. (CA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including: (CA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including security controls and control enhancements under assessment. (CA-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including assessment procedures to be used to determine security control effectiveness. (CA-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including assessment environment, assessment team, and assessment roles and responsibilities. (CA-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a security assessment and authorization policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (CA-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security assessment and authorization policy and associated security assessment and authorization controls. (CA-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including: (CA-2a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including security controls and control enhancements under assessment. (CA-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including assessment procedures to be used to determine security control effectiveness. (CA-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security assessment plan that describes the scope of the assessment including assessment environment, assessment team, and assessment roles and responsibilities. (CA-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The information system enforces access restrictions and supports auditing of the enforcement actions. (CM-5(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system enforces access restrictions and supports auditing of the enforcement actions. (CM-5(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The information system implements automated mechanisms to support the management of distributed security testing. (SI-6(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Are developed and maintained; and (PM-14a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Are developed and maintained; and (PM-14a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Ongoing control assessments in accordance with the continuous monitoring strategy; (CA-7c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment… (CA-2(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement automated mechanisms to support the management of distributed security and privacy function testing. (SI-6(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Identify critical system components and functions by performing a criticality analysis for [Assignment: organization-defined systems, system components, or system services] at [Assignment: organization-defined decision points in the system development life cycle]. (RA-9 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The information system enforces access restrictions and supports auditing of the enforcement actions. (CM-5(1) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization should test all controls of the system as part of the assessment process. If the organization has multiple locations, the Senior Assessment Team should decide if tests need to be run at each site or if a sample of each site will suffice. (Pg 3, Pg 10, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • Regularly test the key controls, systems and procedures of the information security program. The frequency and nature of such tests should be determined by the national bank's or Federal savings association's risk assessment. Tests should be conducted or reviewed by independent third parties or staf… (§ III. C. 3., Appendix B of OCC 12 CFR Part 30, Safety and Soundness Standards)
  • The auditor should evaluate the following to determine which controls need to be tested: points at which errors or fraud can occur; which controls have been implemented on the system; the significance of each control and if more than one control is needed to meet the control objective; and the risk … (¶ 83, PCAOB Auditing Standard No. 2)
  • Organization-level controls important to the auditor's conclusion about the effectiveness of the internal control over financial reporting should be tested. Based on the auditor's evaluation of these controls, the other controls may need more or less testing. Organization-level controls include the … (¶ 22, ¶ 24, ¶ 50, PCAOB Auditing Standard No. 5)
  • Document findings from each assessment and retain them until no longer valid; (4.3 ¶ 2 Bullet 3, Pipeline Security Guidelines)
  • The Secretary of Transportation must periodically assess the effectiveness of security measures in place at foreign airports served by an air carrier of the United States or whose air carriers serve the United States. (§ 44907(a), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity's Risk Assessment, designed to assess the effectiveness of the Covered Entity's cybersecurity program. The monitoring and testing shall include continuous monitorin… (§ 500.05 Penetration Testing and Vulnerability Assessments, New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • Testing and monitoring regularly the effectiveness of key controls, systems and procedures; and (§ 646A.622(2)(d)(B)(iv), Oregon Revised Statutes, Chapter 646a, Sections 646A.600 thru 646A.624, Identity Theft Protection Act, 2007 Statutes)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c., TX-RAMP Security Controls Baseline Level 1)
  • Ongoing security control assessments in accordance with the organizational continuous monitoring strategy; (CA-7c., TX-RAMP Security Controls Baseline Level 2)
  • The information system enforces access restrictions and supports auditing of the enforcement actions. (CM-5(1) ¶ 1, TX-RAMP Security Controls Baseline Level 2)
  • The organization includes as part of security control assessments, [TX-RAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assign… (CA-2(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)