Establish, implement, and maintain a compliance testing strategy.


CONTROL ID
00659
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk monitoring program., CC ID: 00658

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy., CC ID: 12833


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • A cyber inspector may investigate the cryptography service provider's activities to determine compliance or noncompliance with the provisions of this act. (§ 94(1)(b)(i), The Electronic Communications and Transactions Act, 2002)
  • A cyber inspector may investigate an Authentication Service provider's activities to determine compliance or noncompliance with the provisions of this act. (§ 94(1)(c)(i), The Electronic Communications and Transactions Act, 2002)
  • The number of cases to be sampled depends on the type of assessment being performed. This section discusses how to determine the number of cases to sample for manual and automated assessments. (App 5 § 3, Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization must conduct a risk assessment that includes testing the unevaluated configuration in the organization's environment, if the organization wishes to use the evaluated product in an unevaluated configuration. (Control: 0291 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization should implement a multi-year testing schedule that includes compliance-type reviews and adequacy reviews. (¶ 81, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • In order to systematically test information security controls, an APRA-regulated entity would normally outline the population of information security controls across the regulated entity, including any group of which it is a part, and maintain a program of testing which validates the design and oper… (78., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • In APRA's view, the frequency and scope of testing would ensure that a sufficient set of information security controls are tested, at least annually, in order to validate that information security controls remain effective. Furthermore, controls protecting information assets exposed to 'untrusted' e… (79., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • checks to determine if IT security controls are operating as expected and are being complied with; and (¶ 66(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • A regulated institution would benefit from a multi-year schedule of testing that incorporates both adequacy and compliance-type reviews, with the program of work determined on a risk basis. Additional assurance work may be triggered by changes to vulnerabilities/threats or material changes to IT ass… (¶ 81, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Periodic evaluations should be conducted to confirm the computerized system remains in a valid state and is compliant with good manufacturing practices. (¶ 11, EudraLex, The Rules Governing Medicinal Products in the European Union, Volume 4 Good Manufacturing Practice, Medicinal Products for Human and Veterinary Use Annex 11: Computerised Systems, SANCO/C8/AM/sl/ares(2010)1064599)
  • Regular checks must be performed to see whether all the security safeguards are being applied and implemented as planned in the security concept. This must involve checking that the technical security safeguards (e.g. regarding the configuration) and the organisational regulations (e.g. processes, p… (§ 8.3 Subsection 3 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The Data Protection Officer must contribute that his/her organisation takes into account the requirements of data protection in a comprehensive manner. He/she must check the compliance with the data protection provisions in all areas. He/she performs his/her tasks mainly by counselling and inspectio… (§ 4.9 Subsection 3 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Management uses a combination of different ongoing and separate evaluations, including system internal and external penetration testing, third-party independent verifications and certifications using established security control frameworks (NIST, COBIT, OWASP, etc.) and vendor and industry-specific,… (S7.5 Considers different types of ongoing and separate evaluations, Privacy Management Framework, Updated March 1, 2020)
  • Auditors should conduct detailed testing using continuous control assessment techniques to evaluate the adequacy of controls when management monitoring is not sufficient. Auditors can assess the internal control framework's adequacy with the use of intelligent technology-enabled analytics and provid… (§ 5 (Conclusions and Recommendations) ¶ 1, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • Control reviews are periodically required for transactional and support applications, based on their significance to the overall control environment. The review's scope, depth, and frequency should be based on the application's type and impact on regulatory compliance, financial reporting, or operat… (§ 2 (Application Reviews), IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • The minimum level of testing and inspection of active parts containing active elements shall include the Level A requirements listed in Table 1 of this authority document. (§ 4.2.6.2 ¶ 2, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The minimum level of testing and inspection of passive parts shall include the level A1 requirements (documentation and packaging inspection) listed in Table 1 of this authority document. (§ 4.2.6.2 ¶ 2.a, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The minimum level of testing and inspection of passive parts shall include the level A2 requirements (external visual inspection) listed in Table 1 of this authority document. (§ 4.2.6.2 ¶ 2.b, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The minimum level of testing and inspection of passive parts shall include the level A3 requirements (solvent test for remarking only) listed in Table 1 of this authority document. (§ 4.2.6.2 ¶ 2.c, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • The minimum level of testing and inspection of passive parts shall include the level A5 requirements (lead finish evaluation) listed in Table 1 of this authority document. (§ 4.2.6.2 ¶ 2.d, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • There should be documented standards / procedures for monitoring Information Security compliance across the organization. (SI.02.03.01, The Standard of Good Practice for Information Security)
  • Methods of meeting security requirements should be defined, which include identification of compliance metrics. (SI.02.03.06a, The Standard of Good Practice for Information Security)
  • There should be documented standards / procedures for monitoring Information Security compliance across the organization. (SI.02.03.01, The Standard of Good Practice for Information Security, 2013)
  • Methods of meeting security requirements should be defined, which include identification of compliance metrics. (SI.02.03.06a, The Standard of Good Practice for Information Security, 2013)
  • Define and implement a process for conducting internal assessments to confirm conformance and effectiveness of standards, policies, procedures, and service level agreement activities at least annually. (STA-11, Cloud Controls Matrix, v4.0)
  • The organization shall define the strategy to validate the services are operational and meet the stakeholder requirements. (§ 6.4.8.3(a)(1), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • An appropriate testing strategy should be developed to independently test the product. Testing can be conducted on all or a sampling of security functions. Factors that influence the size of the testing sample include known public domain weaknesses, the complexity of the security function, the signi… (§ 10.8.2.4.1, § 11.8.4.4.1, § 12.9.5.4.1, § 13.9.5.4.1, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • how the results will be evaluated, e.g. pursuant to identified compliance key performance measures and outcomes. (§ 6.2 ¶ 3 Bullet 5, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization shall develop, establish, implement and maintain processes to assess, evaluate, investigate and close reports on suspected or actual instances of non-compliance. These processes shall be governed by the principles of due process, the right to be heard and the right to a fair and imp… (§ 8.4 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Verify the service auditor applied the requirements of AU section 350 paragraphs .31 through .43 when using sampling for the testing, for type 2 reports. (Ques. AT218, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • The service organization may have different controls in place to address the risks that threaten the achievement of the service organization's service commitments and system requirements based on the applicable trust services criteria. In this case, the service auditor may need to consider multiple … (¶ 3.92, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The practitioner should obtain an understanding of relevant portions of internal control over compliance sufficient to plan the engagement and to assess control risk for compliance with specified requirements. In planning the examination, such knowledge should be used to identify types of potential … (AT-C Section 315.15, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments. (CC4.1 Considers Different Types of Ongoing and Separate Evaluations, Trust Services Criteria)
  • Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments. (CC4.1 ¶ 4 Bullet 1 Considers Different Types of Ongoing and Separate Evaluations, Trust Services Criteria, (includes March 2020 updates))
  • On mainframes that transmit scoped data, are reviews performed to validate compliance with documented standards? (§ G.18.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that process scoped data, are reviews performed to validate compliance with documented standards? (§ G.18.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • On mainframes that store scoped data, are reviews performed to validate compliance with documented standards? (§ G.18.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is there an annual schedule of required tests? (§ K.1.3, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • An independent team or agent shall conduct the Federal Information Security Management Act of 2002 (FISMA) Assessment (FA). All independent and management-directed testing performed within 365 days of the attestation due date may be used for the annual security controls testing. (§ 3.5.1 ¶ 5, CMS Business Partners Systems Security Manual, Rev. 10)
  • follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of noncompliance; and (II.7.a.ii., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must provide follow-up procedures for verifying that the attestations and assertions they make about their EU-U.S. DPF privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Principles. (III.7.a., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. (III.7.b., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. (§ III.7.b., EU-U.S. Privacy Shield Framework Principles)
  • Where the organization has chosen outside compliance review, such a review must demonstrate that its privacy policy regarding personal information received from the EU conforms to the Privacy Shield Principles, that it is being complied with, and that individuals are informed of the mechanisms throu… (§ III.7.d., EU-U.S. Privacy Shield Framework Principles)
  • follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and (§ II.7.a.ii., EU-U.S. Privacy Shield Framework Principles)
  • Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy pol… (§ III.7.c., EU-U.S. Privacy Shield Framework Principles)
  • To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. (iii.7.b., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and (ii.7.a.ii., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must provide follow-up procedures for verifying that the attestations and assertions they make about their Swiss-U.S. DPF privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Principles. (iii.7.a., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of noncompliance; and (II.7.a.ii., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Organizations must provide follow-up procedures for verifying that the attestations and assertions they make about their EU-U.S. DPF privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Principles. (III.7.a., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • To meet the verification requirements of the Recourse, Enforcement and Liability Principle, an organization must verify such attestations and assertions either through self-assessment or outside compliance reviews. (III.7.b., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • The organization may use self-assessments or outside compliance reviews to meet the verification requirements of the enforcement principle. (FAQ-Verification ¶ 1, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Outside compliance reviews need to show that the privacy policy about personal information received from the European Union conforms to the safe harbor principles, is being complied with, and individuals are notified how to pursue complaints. (FAQ-Verification ¶ 4, US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • The system testing must verify that Information Assurance capabilities provide adequate assurance against the threats and vulnerabilities, which are constantly evolving. (ECMT-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The system testing must verify that Information Assurance capabilities provide adequate assurance against the threats and vulnerabilities, which are constantly evolving. (ECMT-2, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The board and senior management should engage internal audit or other independent personnel or third parties to review AIO functions and activities and validate effectiveness of controls. Effective AIO auditing assists the board and senior management with oversight, helps verify compliance with appl… (II.D Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The Senior Assessment Team should decide on a testing strategy to ensure that all controls are tested for effectiveness. (Pg 10, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)