
Establish, implement, and maintain a risk monitoring program.


CONTROL ID
00658
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

This Control has the following implementation support Control(s):
  • Monitor the organization's exposure to threats, as necessary., CC ID: 06494
  • Implement a fraud detection system., CC ID: 13081
  • Monitor for new vulnerabilities., CC ID: 06843
  • Establish, implement, and maintain a compliance testing strategy., CC ID: 00659
  • Test compliance controls for proper functionality., CC ID: 00660
  • Establish, implement, and maintain a system security plan., CC ID: 01922
  • Analyze system audit reports and determine the need to perform more tests., CC ID: 00666
  • Monitor devices continuously for conformance with production specifications., CC ID: 06201


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • External auditors should understand the design status of process-level controls by receiving the records that are described in Section 3(7)[1], C to F of Chapter II, "Assessment and Report on Internal Control Over Financial Reporting." They should then conduct the following procedures: understand th… (Practice Standard § III.4(2)[1].A, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • risk monitoring, review and reporting – monitor and review technology risks, which include risks that customers are exposed to, changes in business strategy, IT systems, environmental or operating conditions; and report key risks to the board of directors and senior management. (§ 4.1.4(d), Technology Risk Management Guidelines, January 2021)
  • The FI should consider applying user behavioural analytics to enhance the effectiveness of security monitoring. User behavioural analytics might include the use of machine learning algorithms in real time to analyse system logs, establish a baseline of normal user activities and identify suspicious … (§ 12.2.4, Technology Risk Management Guidelines, January 2021)
  • The organization should conduct e-mail server auditing, e-mail server vulnerability analysis, and e-mail server security reviews on a regular basis. (Control: 0568, Australian Government Information Security Manual: Controls)
  • The organization should use 2 personnel with communications security custodian access to conduct the audits of the cryptographic system material. (Control: 1004, Australian Government Information Security Manual: Controls)
  • The final step in the risk management process is monitoring risks and the effectiveness of controls over time to ensure changing circumstances do not alter risk priorities or weaken the operation of controls. A highly effective technique is to integrate risk assessment into corporate and annual busi… (Pg 25, Australia Better Practice Guide - Business Continuity Management, January 2000)
  • The organization should regularly assure that Information Technology assets are secured and the Risk Management Framework is effective. (¶ 80, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Highly sensitive and/or critical IT assets would typically have logging enabled to record events and monitored at a level commensurate with the level of risk. (¶ 68, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial institutions should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11). Financial institutions should ensure the independence and object… (3.3.1 11 ¶ 1, Final Report EBA Guidelines on ICT and security risk management)
  • Whether ICT risk measurement, monitoring and reporting systems are appropriate; and (Title 3 3.4 61.b(iii), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Institutions and payment institutions should monitor and manage their internal concentration risks caused by outsourcing arrangements, taking into account Section 12.2 of these guidelines. (4.14 103, Final Report on EBA Guidelines on outsourcing arrangements)
  • However, in general, all risks should be monitored, i.e. not only those which are likely to increase in the future. To document the monitoring of the risks and adjustment of the safeguards and/or handling alternatives it is common practice to create a risk register or risk directories for this purpo… (§ 6.2 ¶ 3, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • These supplemental security safeguards must be documented and earmarked. The risks are monitored, and as soon as they are no longer acceptable, the earmarked supplemental security safeguards are checked, updated if necessary and included in the security concept. The risk classification is correspond… (§ 6.2 ¶ 2, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • For user-defined modules, the threats must be checked at regular intervals and evaluated again. Since the target objects covered by user-defined modules exceed the normal application of the IT-Grundschutz Compendium, the activities for monitoring risks described here must be taken into consideration… (§ 6.2 ¶ 4, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Where the risk associated with the business relationship is increased, firms must carry out enhanced ongoing monitoring of the business relationship. FCG 3.2.9G provides guidance on enhanced ongoing monitoring. (3.2.5 ¶ 2, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • A firm must conduct ongoing monitoring of its business relationships on a risk-sensitive basis. Ongoing monitoring means scrutinising transactions to ensure that they are consistent with what the firm knows about the customer, and taking steps to ensure that the firm's knowledge about the business r… (3.2.5 ¶ 1, Financial Crime Guide: A Firm’s Guide to Countering Financial Crime Risks, Release 11)
  • (¶ 18, Turnbull Guidance on Internal Control, UK FRC, October 2005)
  • Management uses a combination of different ongoing and separate evaluations, including system internal and external penetration testing, third-party independent verifications and certifications using established security control frameworks (NIST, COBIT, OWASP, etc.) and vendor and industry-specific,… (S7.5 Considers different types of ongoing and separate evaluations, Privacy Management Framework, Updated March 1, 2020)
  • Management systems should be established to periodically and independently review all elements of the internal modeling process. This review may be conducted during the internal or external audit program. (¶ 528, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • Supervisors should conduct regular independent evaluations of the policies, procedures, and practices related to risk management. The independent evaluation should review the risk management process, the procedures for resolving risks, the continuity plans, the monitoring and reporting process, the … (¶ 46, Principle 9, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • Work with the board to define the enterprise's appetite for IT risk, and obtain reasonable assurance that IT risk management practices are appropriate to ensure that the actual IT risk does not exceed the board's risk appetite. Embed risk management responsibilities into the organisation, ensuring t… (ME4.5 Risk Management, CobiT, Version 4.1)
  • Interview responsible personnel and observe the inspection process to verify all devices are periodically inspected for tampering or substitution. (Testing Procedures § 9.9.2.b Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for security monitoring and testing have been documented. (Testing Procedures § 11.6 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for security monitoring and testing have been implemented. (Testing Procedures § 11.6 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Security policies and operational procedures for security monitoring and testing must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 11.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Are security policies and operational procedures for security monitoring and testing documented, in use, and known to all affected parties? (PCI DSS Question 11.6, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are security policies and operational procedures for security monitoring and testing documented, in use, and known to all affected parties? (PCI DSS Question 11.6, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The board of directors retains oversight responsibility for management’s design, implementation, and conduct of internal control: – Control Environment — Establishing integrity and ethical values, oversight structures, authority and responsibility, expectations of competence, and accountabilit… (§ 3 Principle 2 Points of Focus: Provides Oversight for the System of Internal Controls, COSO Internal Control - Integrated Framework (2013))
  • Ongoing evaluations are built into the business processes and adjust to changing conditions. (§ 3 Principle 16 Points of Focus: Integrates with Business Processes, COSO Internal Control - Integrated Framework (2013))
  • Management includes a balance of ongoing and separate evaluations. (§ 3 Principle 16 Points of Focus: Considers a Mix of Ongoing and Separate Evaluations, COSO Internal Control - Integrated Framework (2013))
  • A self-assessment ensures the organization has a robust and effective business continuity management plan and provides a qualitative verification that the organization can recover from an incident. It should be conducted against the objectives of the organization and take into account industry stand… (§ 9.5.4 ¶ 2, § 9.5.6, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The risk management committee is responsible for monitoring and evaluating all activities to minimize known and documented risks. Control monitoring and assessment activities should be planned and conducted either as ongoing monitoring or as a special review. The ongoing monitoring can be conducted … (§ 7.1.4, § 9.2.1, § 9.2.2, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Auditors should run detailed testing with continuous auditing when continuous monitoring has not been implemented. Auditors may play a proactive role in establishing risk management and control assessment processes. Auditors should not take ownership roles over these processes, because it could c… (§ 4 (Continuous Auditing) ¶ 2, § 6 (Determine Scope of Testing), IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • An internal auditor can help an organization meet privacy objectives and contribute to good governance and accountability by reviewing how effective the privacy policies, controls, and practices of the organization are. (§ 2.2 (Privacy Controls) ¶ 3, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Application controls provide many benefits that include reliability, benchmarking, and time and cost savings. Compared with manual controls, application controls are more reliable because manual controls carry the potential for errors introduced by human intervention. After the application control is implemented and there are no… (§ 2 (Benefits of Relying on Application Controls), IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • The minimum inspection or test sample size shall be in accordance with Level A in Table 1 of this authority document. (§ 4.2.6.3 ¶ 2, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The organization must ensure its organizational resilience management system, procedures, processes, and programs are tested and evaluated for efficacy and appropriateness. The organization must validate the organizational resilience management system via exercising and testing consistent with the s… (§ 4.5.2.2, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization should conduct frequent tests to ensure deficiencies and risks are identified. The tests should be designed to determine how the system reacts, for example, the tester can insert an error into the system and then see if it is reported to the appropriate personnel. (Pg 1-I-14, Protection of Assets Manual, ASIS International)
  • Analysis performed as part of security monitoring arrangements should be based on quantitative security metrics (e.g., the number, frequency, and business impact of information security incidents; internal and external audit findings; operational security statistics, such as firewall log data, patch… (SI.02.01.02a, The Standard of Good Practice for Information Security)
  • Analysis performed as part of security monitoring arrangements should be based on quantitative security metrics (e.g., the number, frequency, and business impact of information security incidents; internal and external audit findings; operational security statistics, such as firewall log data, patch… (SI.02.01.02a, The Standard of Good Practice for Information Security, 2013)
  • The system should run automated port scans on a regular basis against all the key servers and compare the results to a known effective baseline, and, if a change is found that is not on the approved baseline, an alert should be sent and reviewed. (Critical Control 11.3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for timely detection of vulnerabilities within organizationally-owned or managed (physical and virtual) applications and infrastructure network and system components, applying a risk-b… (TVM-02, Cloud Controls Matrix, v3.0)
  • Define, implement and evaluate processes, procedures and technical measures for the detection of vulnerabilities on organizationally managed assets at least monthly. (TVM-07, Cloud Controls Matrix, v4.0)
  • § 7.5.2.1: The organization shall validate production and service provision processes when the output cannot be verified by subsequent measurement or monitoring, including processes whose deficiencies are not apparent until after the product has been delivered or is in use. The validation shall sho… (§ 7.5.2.1, § 8.2.4.2, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • identifying and communicating compliance risks in their operations; (§ 5.3.5 ¶ 1 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • what needs to be monitored and measured, (§ 9.1.1 ¶ 1 a), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Service providers should ensure that testing is used for maintaining physical facilities and equipment in a high quality condition. The physical facilities and equipment, including the equipment listed in section 6.14.6.3, should be periodically tested and/or checked, along with the staff that opera… (§ 6.15, § 7.14.3(a), § 7.14.3(c), § 7.16.4, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • The organization should continuously monitor and review the risks and their factors to identify changes early and to maintain an overall risk picture because risks are ever changing. The following should be monitored continually: new assets; modifications of asset values; new threats that have not b… (§ 12.1, ISO 27005 Information technology -- Security techniques -- Information security risk management, 2011)
  • If there are no treatment options available or if treatment options do not sufficiently modify the risk, the risk should be recorded and kept under ongoing review. (§ 6.5.2 ¶ 7, ISO 31000 Risk management - Guidelines, 2018)
  • The organization should continually monitor and adapt the risk management framework to address external and internal changes. In doing so, the organization can improve its value. (§ 5.7.1 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • Monitoring and review should take place in all stages of the process. Monitoring and review includes planning, gathering and analysing information, recording results and providing feedback. (§ 6.6 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • This will help the organization to: - align risk management with its objectives, strategy and culture; - recognize and address all obligations, as well as its voluntary commitments; - establish the amount and type of risk that may or may not be taken to guide the development of risk criteria, ensu… (§ 5.2 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • Decision makers and other stakeholders should be aware of the nature and extent of the remaining risk after risk treatment. The remaining risk should be documented and subjected to monitoring, review and, where appropriate, further treatment. (§ 6.5.2 ¶ 8, ISO 31000 Risk management - Guidelines, 2018)
  • The organization should define the responsibilities for monitoring and review, which can be ad hoc or periodic, and make the monitoring and review a planned part of the risk management process. The purpose of the monitoring and review processes including all of the risk management process is to ensu… (§ 5.6, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • identifying and communicating compliance risks in their operations; (§ 5.3.3 ¶ 1 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • identifying and communicating compliance risks in their operations; (§ 5.3.3 ¶ 1 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • monitor the information security risk management process. (§ 7.2.1 ¶ 3 Bullet 4, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Risks and their factors (i.e. value of assets, impacts, threats, vulnerabilities, likelihood of occurrence) should be monitored and reviewed to identify any changes in the context of the organization at an early stage, and to maintain an overview of the complete risk picture. (§ 12.1 Action:, ISO/IEC 27005:2018, Information Technology — Security Techniques — Information Security Risk Management, Third Edition)
  • Enhance existing surveillance systems to enable monitoring of COVID-19 transmission and adapt tools and protocols for contact tracing and monitoring to COVID-19 (Pillar 3 Step 2 Action 1, COVID-19 Strategic Preparedness and Response Plan, OPERATIONAL PLANNING GUIDELINES TO SUPPORT COUNTRY PREPAREDNESS AND RESPONSE, Draft as of 12 February 2020)
  • Risk appetite is incorporated into decisions on how the organization operates. Management, with board oversight, continually monitors risk appetite at all levels and accommodates change when needed. In this way, management creates a culture that emphasizes the importance of risk appetite and holds t… (Using Risk Appetite ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The cyber risk management program incorporates cyber risk identification, measurement, monitoring, and reporting. (GV.RM-1.1, CRI Profile, v1.2)
  • The organization has a process for monitoring its cyber risks including escalating those risks that exceed risk tolerance to management. (GV.RM-3.2, CRI Profile, v1.2)
  • The cyber risk management program incorporates cyber risk identification, measurement, monitoring, and reporting. (GV.RM-1.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization has a process for monitoring its cyber risks including escalating those risks that exceed risk tolerance to management. (GV.RM-3.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1, StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1, StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should monitor the enterprise risk management program through ongoing monitoring processes on a real-time basis. (Pg 79, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • The auditor should decide when to perform the tests based on the risk of material misstatement. Factors the auditor should consider include the control environment, when the information will be available, the risks, and the date that the audit evidence is for. The testing may be performed throughout… (§ 318.16, § 318.17, § 318.35 thru § 318.38, § 318.42, § 318.43, SAS No. 110, Performing Audit Procedures in Response to Assessed Risks and Evaluating the Audit Evidence Obtained)
  • Management includes a balance of ongoing and separate evaluations. (CC4.1 Considers a Mix of Ongoing and Separate Evaluations, Trust Services Criteria)
  • Ongoing evaluations are built into the business processes and adjust to changing conditions. (CC4.1 Integrates With Business Processes, Trust Services Criteria)
  • Ongoing evaluations are built into the business processes and adjust to changing conditions. (CC4.1 ¶ 3 Bullet 5 Integrates With Business Processes, Trust Services Criteria, (includes March 2020 updates))
  • Management includes a balance of ongoing and separate evaluations. (CC4.1 ¶ 3 Bullet 1 Considers a Mix of Ongoing and Separate Evaluations, Trust Services Criteria, (includes March 2020 updates))
  • Systems should be reaccredited within 3 months of adding or replacing significant parts of a major system; making a significant change to the operating system; making a significant change to the physical facility that houses the system and affects the physical security described in the current accre… (§ 3-6, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • § 3 ¶ 5: CMS business partners shall use the CMS Integrated Security Suite (CISS) tool to conduct a FISMA Assessment (FA). In order to perform the FA, the CMS business partners shall use the CISS to conduct a systematic review of the CMSRs. § 3.3 ¶ 2: CMS business partners shall self-certify its… (§ 3 ¶ 5, § 3.3 ¶ 2, § 3.5.1 ¶ 3, § 3.5.1 ¶ 4, App A § 6 ¶ 2, App B § 3, CMS Business Partners Systems Security Manual, Rev. 10)
  • The business owner shall conduct security controls testing annually. The business owner shall conduct contingency plan testing annually. (§ 2.9, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • CSR 1.2.1: Designated management personnel must monitor the testing of corrective security actions after they have been implemented and on a continual basis. CSR 1.12.1: The organization must conduct an annual self-assessment and compliance review that addresses the CMS-imposed safeguard requirement… (CSR 1.2.1, CSR 1.12.1, CSR 1.12.6, CSR 2.5.7, CSR 3.1.2, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The business owner shall conduct a Federal Information Security Management Act of 2002 (FISMA) assessment every 365 days. (§ 2.9, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • Banks that have foreign offices or branches must develop a testing system to verify the effectiveness and integrity of the internal controls and monitor activity. (Pg 31, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Conformance testing must include unannounced, periodic, and in-depth monitoring. (ECMT-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Conformance testing must include unannounced, periodic, and in-depth monitoring. (ECMT-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Whenever security-relevant changes are made to an accredited information system, the information system must be reaccredited. (§ 8-202, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • A medical device manufacturer shall establish and maintain procedures to identify valid statistical techniques that are required to establish, control, and verify the acceptability of product characteristics and process capabilities. (§ 820.250(a), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • (§ I.A.4.b(i), The National Strategy to Secure Cyberspace, February 2003)
  • Determine whether the board has established an on-going, process-oriented approach to business continuity planning that is appropriate for the size and complexity of the organization. This process should include a business impact analysis (BIA), a risk assessment, risk management, and risk monitorin… (TIER I OBJECTIVES AND PROCEDURES Board and Senior Management Oversight Objective 2:1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Ongoing monitoring that identifies and evaluates changes in risk and periodic updates to the risk profile assessment. (App A Objective 2:8b Bullet 5, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Monitoring and reporting of risks. (App A Objective 3.1.d, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management has effective risk monitoring and reporting processes. (App A Objective 7, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Verification that information and cybersecurity risks are appropriately identified, measured, mitigated, monitored, and reported. (App A Objective 6.31.g, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether program monitoring and reporting instigate appropriate changes that are effective in maintaining an acceptable level of risk. (App A Objective 7.3, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management has effective threat monitoring processes, including the following: (App A Objective 8.4, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether the risk monitoring and reporting process is regular and prompts action, when necessary, in a timely manner. (App A Objective 7.2, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Management should oversee outsourced operations through the following: - Appropriate due diligence in third-party research, selection, and relationship management. - Contractual assurances for security responsibilities, controls, and reporting. - Nondisclosure agreements regarding the institution'… (II.C.20 Oversight of Third-Party Service Providers, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Financial institution management should maintain a risk identification process that is coordinated and consistent throughout the institution. Risk identification includes ongoing data collection from existing activities and new initiatives. (III.A Risk Identification, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should ensure satisfactory monitoring and reporting of IT activities and risk. These practices should include the following: - Developing metrics to measure performance, efficiency, and compliance with policy. - Developing benchmarks for reviewing performance. - Esta… (III.D Monitoring and Reporting, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Review the monitoring and reporting specific to the institution's ITRM activities. Specifically, determine whether the institution has developed the following: (App A Objective 13:7, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • A reporting process that assembles and reports IT risk-related information in a timely, complete, transparent, and relevant manner. (App A Objective 13:7 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the institution has a risk management program and whether the program includes an integrated approach for enterprise-wide risk management, including identification, measurement, mitigation, monitoring, and reporting of risk. If applicable, determine whether the structure conforms t… (App A Objective 7:1, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The pandemic program should include a robust testing process. The testing process should test roles and responsibilities, assumptions, an increased reliance on remote banking services, and an increase in remote access and telecommuting. Pandemic testing should provide a high assurance that the plan … (Pg D-9, Exam Tier I Obj 8.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • The organization should establish a measuring and monitoring process for risks. (Pg 15, Pg 33, FFIEC IT Examination Handbook - Management)
  • The organization should monitor systems regularly to ensure they are functioning properly, being used efficiently, and achieving the desired results. (Pg 38, FFIEC IT Examination Handbook - Operations, July 2004)
  • The organization should continuously monitor the system to identify and evaluate any changes in risk. (Exam Tier I Obj 3.1, FFIEC IT Examination Handbook - Outsourcing Technology Services, June 2004)
  • When developing its information security program, each financial institution must assess whether the policies, procedures, customer information systems, and other arrangements already in place are sufficient to control the identified risks. (Supplement A.I Risk Assessment and Controls, Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice)
  • When significant weaknesses are identified, the related risks should be reassessed, appropriate corrective actions taken, and follow-up monitoring performed to make certain that the corrective actions are effective. In addition to modifying written policies, testing strategies should be review… (SP-5.2, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assign… (CA-2(2) High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • The organization includes as part of security control assessments, [FedRAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assign… (CA-2(2) Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A security accreditation must be conducted every 3 years or whenever there is a significant change to the control structure. When completed, the security accreditation must be signed by a senior official and provided to the Office of Safeguards. (§ 5.6.4, Exhibit 4 CA-6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: (CA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment… (CA-2(2) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (CA-7(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Effectiveness monitoring; (CA-7(4) ¶ 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: (CA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (CA-7(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Effectiveness monitoring; (CA-7(4) ¶ 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (CA-7(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Effectiveness monitoring; (CA-7(4) ¶ 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: (CA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: (CA-7 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Effectiveness monitoring; (CA-7(4) ¶ 1(a), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (CA-7(4) ¶ 1, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Assumptions affecting risk assessments, risk responses, and risk monitoring; (PM-28a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Constraints affecting risk assessments, risk responses, and risk monitoring; (PM-28a.2., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment… (CA-2(2) ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Constraints affecting risk assessments, risk responses, and risk monitoring; (PM-28a.2., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Assumptions affecting risk assessments, risk responses, and risk monitoring; (PM-28a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Risk management should be an ongoing process. Plans should be tested and revised as needed for efficient risk monitoring. (§ 3.3.2, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1 High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control: Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control: Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control: High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develop methods to monitor and measure risk, compliance, and assurance efforts. (T0072, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Use the continuous monitoring tools and technologies to assess risk on an ongoing basis. (T0987, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Work with organizational officials to ensure continuous monitoring tool data provides situation awareness of risk levels. (T0976, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop a risk monitoring strategy for the organization that includes the purpose, type, and frequency of monitoring activities. (Task 4-1, NIST SP 800-39, Managing Information Security Risk)
  • The organization must assess security requirements on a defined frequency to determine if they are implemented correctly, operating correctly, and producing the desired outcome. (SG.CA-2 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should conduct security testing on the smart grid Information System to determine how difficult it is to circumvent the security requirements. (SG.RA-6 Additional Considerations A2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should have a continuous monitoring program that includes an ongoing assessment of the effectiveness of security controls. The organization must review its risk management activities on a regular basis. The following events can trigger the immediate need to assess the state of secur… (§ 3.4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish a continuous monitoring strategy and implement a continuous monitoring program that includes ongoing security control assessments. (App F § CA-7.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Develop methods to monitor and measure risk, compliance, and assurance efforts. (T0072, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Use the continuous monitoring tools and technologies to assess risk on an ongoing basis. (T0987, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Work with organizational officials to ensure continuous monitoring tool data provides situation awareness of risk levels. (T0976, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4, Deprecated)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: (CA-7 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following: (CA-7(4) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Effectiveness monitoring; (CA-7(4) ¶ 1(a), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment… (CA-2(2) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Constraints affecting risk assessments, risk responses, and risk monitoring; (PM-28a.2., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Assumptions affecting risk assessments, risk responses, and risk monitoring; (PM-28a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop a risk monitoring strategy for the organization that includes the purpose, type, and frequency of monitoring activities. (2.2.4 TASK 4-1:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7a., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [A… (CA-2(2) ¶ 1, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization should develop procedures for monitoring all controls. The monitoring should be performed regularly and should ensure that the controls are operating correctly. (Pg 22, Pg 25, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • The organization should continuously monitor and test the system to ensure that installed controls are effective and functioning correctly. If a control is ineffective, it should be redesigned or improved. Monitoring of controls should occur as part of the normal business day, and periodic assessmen… (§ I.A, § II.E, § IV, App B § III.B.5, OMB Circular A-123, Management's Responsibility for Internal Control)
  • Check computer systems and servers for vulnerability and unauthorized access. (¶ 2, Internet Security: Distributed Denial of Service Attacks - OCC Alert 2000-1)
  • Senior management must ensure that independent reviews are periodically conducted of third party relationships that involve critical activities and the third party Risk Management process. ("Senior Bank Management" Bullet 8, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • The auditor should evaluate the control environment to ensure weaknesses do not exist that could cause him/her to modify the timing and extent of the tests planned. The auditor should test the effectiveness of the controls on a yearly basis. The procedures used by the auditor for testing the control… (¶ 49, ¶ 104, ¶ 105, PCAOB Auditing Standard No. 2)
  • The auditor should test controls on which he/she needs to reach conclusions, if the controls address the assessed risk of misstatement for each assertion. The auditor should test the design effectiveness and operating effectiveness of controls by ensuring they operate as designed, the individuals ex… (¶ 39 thru ¶ 45, PCAOB Auditing Standard No. 5)
  • Compliance with the access control requirements must be assessed and tested on an ongoing basis. The findings of the tests must be reported annually. (§ 106(c), Aviation and Transportation Security Act, Public Law 107-71, November 2001)
  • Compliance with the access control requirements must be assessed and tested on an ongoing basis. The findings of the tests must be reported annually. (§ 44903(g)(2)(D), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, TX-RAMP Security Controls Baseline Level 1)
  • The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes: (CA-7 Control, TX-RAMP Security Controls Baseline Level 2)
  • The organization includes as part of security control assessments, [TX-RAMP Assignment: at least annually], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assign… (CA-2(2) ¶ 1, TX-RAMP Security Controls Baseline Level 2)