
Test compliance controls for proper functionality.


CONTROL ID: 00660
CONTROL TYPE: Testing
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk monitoring program., CC ID: 00658

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The hardware and software systems and procedures of an Authentication Service provider shall be reasonably suited to performing their intended functions. (§ 30(3)(c), The Electronic Communications and Transactions Act, 2002)
  • App 2-1 Item Number IV.6(2): The organization must verify that the access control and monitoring functions for software have been implemented correctly and are functioning effectively. This is a control item that constitutes a greater risk to financial information. This is an IT general control. App… (App 2-1 Item Number IV.6(2), App 2-1 Item Number IV.8(2), App 4 § 1, Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Standard § II.3(3): The organization should identify key controls that have material impact on financial reporting reliability and assess if the internal control basic components are operating with regard to the key control. Standard § III.3(4): External auditors must get audit evidence for the ke… (Standard § II.3(3), Standard § III.3(4), Practice Standard § II.3(3)[2].B, Practice Standard § II.3(3)[3], Practice Standard § II.3(3)[4].A, Practice Standard § II.3(3)[4].C, Practice Standard § II.3(3)[5].D.a, Practice Standard § II.3(4)[2].B, Practice Standard § III.4(2)[2].C.c, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • System owners ensure controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended. (Control: ISM-1636; Revision: 1, Australian Government Information Security Manual, June 2023)
  • System owners ensure controls for each system and its operating environment are assessed to determine if they have been implemented correctly and are operating as intended. (Control: ISM-1636; Revision: 1, Australian Government Information Security Manual, September 2023)
  • The organization should conduct an audit to confirm that the security measures that are documented in the Key Management Plan are being followed. (Control: 1003 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization should conduct controlled inspections of container files and archive files to ensure the content filter availability or performance is not adversely affected. (Control: 1290, Australian Government Information Security Manual: Controls)
  • The organization should test information technology security controls to determine if they are operating correctly. (¶ 66(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should test all areas of the information technology security control environment over time. (¶ 82, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should test Information Technology assets that are exposed to untrusted networks on an annual basis. (¶ 82, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The organization should verify that controls are implemented so the information technology security is not compromised during the testing process, including accessing and destroying sensitive data and sensitive information after the tests are completed. (Attach B ¶ 11, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • In APRA's view, the frequency and scope of testing would ensure that a sufficient set of information security controls are tested, at least annually, in order to validate that information security controls remain effective. Furthermore, controls protecting information assets exposed to 'untrusted' e… (79., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • checks to determine if IT security controls are operating as expected and are being complied with; and (¶ 66(c), APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The schedule of testing would typically ensure that all aspects of the IT security control environment are assessed over time, commensurate with the sensitivity and criticality of the IT assets. In APRA's view, annual testing (as a minimum) would be normal for IT assets exposed to 'un-trusted' envir… (¶ 82, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • High-risk AI systems shall be tested for the purposes of identifying the most appropriate risk management measures. Testing shall ensure that high-risk AI systems perform consistently for their intended purpose and they are in compliance with the requirements set out in this Chapter. (Article 9 5., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • ensure that the high-risk AI system undergoes the relevant conformity assessment procedure, prior to its placing on the market or putting into service; (Article 16 ¶ 1(e), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • IT-Grundschutz Check: This step is to check whether the basic requirements according to IT-Grundschutz have been implemented already in parts or completely, and which security safeguards are still missing. (§ 6 ¶ 3 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Is it too easy for users to circumvent the safeguard? (§ 7 ¶ 4 Bullet 4, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Is it clear to the users if a safeguard is omitted? (§ 7 ¶ 4 Bullet 3, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • The entity has a process for performing ongoing and separate evaluations of the design and operating effectiveness of information privacy and security controls and for addressing any identified control deficiencies. (M1.3 Ongoing and separate evaluations, Privacy Management Framework, Updated March 1, 2020)
  • Are rule sets tested regularly? (Table Row V.10, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The regulated user is responsible for conducting performance qualification of the system, which means that the system is in its operating environment and the tests are against a user requirements specification that includes performance and quality acceptance protocols and criteria for the controllin… (¶ 4.8, Good Practices For Computerized systems In Regulated GXP Environments)
  • Examine the most recent penetration test results to verify the segmentation methods are effective and operational and the out-of-scope systems are isolated from the in-scope controls. (Testing Procedures § 11.3.4.b Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. (§ 3 Principle 16 ¶ 1, COSO Internal Control - Integrated Framework (2013))
  • Regular reviews should be conducted to ensure controls are functioning as required. A traditional way for auditors to review controls is to create test data to be processed by the systems and then check the results to ensure the controls accept valid data and reject incorrect and invalid items. Curr… (§ 10.2, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • An internal auditor can help an organization meet privacy objectives and contribute to good governance and accountability by assessing the implemented information security and data protection controls and reviewing them regularly. The auditors should interview and observe the data processing in acti… (§ 2.2 (Privacy Controls) ¶ 3, § 5.5 (Identify the Controls and Countermeasures), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • In order to provide value to the organization, internal auditors can independently test application controls. These tests should determine if the controls are adequately designed and they are operating effectively. When controls are not operating effectively or they are inadequately designed, the in… (§ 2 (Controls Testing), § 5 (Testing) ¶ 1, § 5 (Testing Controls) ¶ 2, IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • The functionality of potential access control mechanisms should be subject to an evaluation to determine the degree to which they will meet access requirements. (CF.06.03.04, The Standard of Good Practice for Information Security)
  • The evaluation of potential access control mechanisms should take into account the strength of existing controls that influence the suitability of access control mechanisms (e.g., Identity and Access Management, physical security, or system hardening). (CF.06.03.04a, The Standard of Good Practice for Information Security)
  • Following recovery from information security incidents, existing security controls should be examined to determine their adequacy. (CF.11.01.07d, The Standard of Good Practice for Information Security)
  • The functionality of potential access control mechanisms should be subject to an evaluation to determine the degree to which they will meet access requirements. (CF.06.03.04, The Standard of Good Practice for Information Security, 2013)
  • The evaluation of potential access control mechanisms should take into account the strength of existing controls that influence the suitability of access control mechanisms (e.g., Identity and Access Management, physical security, or system hardening). (CF.06.03.04a, The Standard of Good Practice for Information Security, 2013)
  • Following recovery from information security incidents, existing security controls should be examined to determine their adequacy. (CF.11.01.07d, The Standard of Good Practice for Information Security, 2013)
  • The organization must periodically evaluate if critical control 1 has been implemented by connecting test systems to at least 10 network locations, of which 2 must be in the asset inventory database, and verifying that all notifications are sent and the systems are isolated in the proper time period… (Control 1 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must place an unauthorized software test program onto 10 systems, with at least 2 of the systems being in the asset inventory database. The team must then verify that a notification is sent out inside of 24 hours with the discovery, that a notification is sent out inside of 1 hou… (Control 2 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must move a benign test system which does not contain the official hardened image onto 10 different segments, either virtual systems or real systems and verify a notification is sent inside of 24 hours and an additional notification is sent inside of 1 hour of the software being … (Control 3 Test ¶ 1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must try to run the blocked software to verify it cannot run. (Control 3 Test ¶ 2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must check the previous 30 scanning cycles to verify the vulnerability scanning tools have successfully completed the daily or weekly scan and, if the scan was not completed, verify that a notification was sent. (Control 4 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must move a benign software test program that looks like malware and not listed in the authorized software list to 10 random systems on the network by a network share and by e-mail. The team must then verify that the system generated a notification inside of 1 hour of the malware… (Control 5 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must verify that the blocked file cannot be executed or opened by attempting to open or execute the file. (Control 5 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must configure 10 unauthorized and hardened wireless clients and Wireless Access Points and try to connect them to the network. The system must detect a wireless client configured with an unauthorized Service Set Identifier and send out an alert. (Control 7 Test Bullet 1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must configure 10 unauthorized and hardened wireless clients and Wireless Access Points and try to connect them to the network. The system must detect a wireless client configured with improper encryption and send out an alert. (Control 7 Test Bullet 2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must configure 10 unauthorized and hardened wireless clients and Wireless Access Points and try to connect them to the network. The system must detect a wireless client configured with improper configuration and send out an alert. (Control 7 Test Bullet 3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must configure 10 unauthorized and hardened wireless clients and Wireless Access Points and try to connect them to the network. The system must detect a Wireless Access Point configured with improper configuration and send out an alert. (Control 7 Test Bullet 4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must configure 10 unauthorized and hardened wireless clients and Wireless Access Points and try to connect them to the network. The system must detect a Wireless Access Point configured with improper authentication and send out an alert. (Control 7 Test Bullet 5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must configure 10 unauthorized and hardened wireless clients and Wireless Access Points and try to connect them to the network. The system must detect a completely rogue Wireless Access Point with an unauthorized configuration and send out an alert. (Control 7 Test Bullet 6, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must make a change to each of the network devices that are plugged into the network and, for critical devices, the change must be made twice. The evaluation team must then verify that a notification was sent inside of 24 hours. (Control 10 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must conduct tests on a daily basis to verify that other protocols, such as Internet Protocol version 6, are being filtered. (Control 10 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must install hardened test services with network listeners on 10 random network locations and verify a notification is sent inside of 24 hours. (Control 11 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must create a test account on 10 different systems and try to change the password so that it does not meet the password policy to verify the system enforces the password policy. (Control 12 Test ¶ 1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must add a temporary test account to a Superuser group and verify that a notification is sent inside of 24 hours. (Control 12 Test ¶ 1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The system must identify unauthorized packets that are sent into or out of a trusted zone and verify the packets are properly blocked and/or trigger alerts and send out a notification inside of 24 hours. In the future, the organization should strive for more rapid alerting. (Control 13 Metric, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must periodically send packets from outside trusted networks to verify only authorized packets are allowed through the boundary, in order to test the boundary devices. (Control 13 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must send unauthorized packets from trusted networks to untrusted networks to verify the egress filtering is operating correctly. (Control 13 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must verify that the device fails so that it does not forward traffic when it crashes or gets flooded. (Control 13 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must periodically review security logs of at least 2 routers, 2 switches, 2 firewalls, 10 servers, and 10 client systems to determine if traffic sent by the team is logged. (Control 14 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must create 2 test accounts (1 with limited privileges and 1 with privileges to create files) on 5 client systems and 5 server machines and verify that the non-privileged account cannot access the created files, and a notification is sent inside of 24 hours after the attempted un… (Control 15 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must review the previous 30 days of archived notifications to verify that the list was completed on a daily basis and contains disabled accounts, locked out accounts, accounts with passwords that do not expire, and accounts with passwords that are past the maximum password age. (Control 16 Test, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must attempt to transfer large data sets from an internal system over the network boundary at least 3 times on random network systems to verify the effectiveness of the monitoring system. (Control 17 Test Bullet 1, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must attempt to transfer test data of Personally Identifiable Information from an internal system over the network boundary at least 3 times on random network systems to verify the effectiveness of the monitoring system. (Control 17 Test Bullet 2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must attempt to maintain a persistent network connection for 10 hours between internal systems and external systems over the network boundary at least 3 times on random network systems to verify the effectiveness of the monitoring system. (Control 17 Test Bullet 3, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must attempt to maintain a network connection over the network boundary using anomalous service port numbers between external systems and internal systems at least 3 times on random network systems to verify the effectiveness of the monitoring system. (Control 17 Test Bullet 4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The evaluation team must insert a Universal Serial Bus token into a system and try to transfer test data to the Universal Serial Bus device at least 3 times on random network systems to verify the effectiveness of the monitoring system. (Control 17 Test Bullet 5, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization shall verify and document the implementation of risk control measures in the medical Information Technology network Risk Management file. (§ 4.4.4.4 ¶ 1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • The organization shall measure and monitor product characteristics to verify the requirements have been met at appropriate stages. The organization shall keep the acceptance criteria for conformity evidence and shall include the person(s) who authorized the release. The organization shall not releas… (§ 8.2.4.1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The confidence level in the implementation and effectiveness of the security functions should assure that the security objectives are met. (§ 6.3.3, ISO 15408-1 Common Criteria for Information Technology Security Evaluation Part 1, 2005)
  • The product should be examined to ensure the testing configuration is consistent with the configuration that is being tested, the product is installed properly and is in a known state, and the evaluator is provided with an equivalent set of resources to those used by the developer to test the system… (§ 10.8.2.3, § 11.8.3.4.4, § 11.8.4.3, § 12.9.4.4.4, § 12.9.5.3, § 13.9.4.4.4, § 13.9.5.3, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • These controls should be maintained, periodically evaluated and tested to ensure their continuing effectiveness. (§ 8.2 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should check to ensure controls are functioning correctly when it is identifying existing controls. (§ 8.2.4, ISO 27005 Information technology -- Security techniques -- Information security risk management, 2011)
  • The organization shall implement controls to manage its compliance obligations and associated compliance risks. These controls shall be maintained, periodically reviewed and tested to ensure their continuing effectiveness. (§ 8.2 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • For software systems assigned to Class B and Class C software safety classes, the medical device manufacturer shall perform software integration testing to determine if the integrated software item performs as intended. The testing should consider the required functionality, the implemented risk con… (§ 5.6.4, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • The organization shall implement controls to manage its compliance obligations and associated compliance risks. These controls shall be maintained, periodically reviewed and tested to ensure their continuing effectiveness. (§ 8.2 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. (CC4.1 ¶ 1 COSO Principle 16:, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Verifies the correct operation of [Assignment: organization-defined security functions]; (SI-6a., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; (SI-6b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Verifies the correct operation of [Assignment: organization-defined security functions]; (SI-6a., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; (SI-6b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should conduct tests on the effectiveness of the key administrative, technical, and physical safeguards that protect the personal information at least annually. (Generally Accepted Privacy Principles and Criteria § 8.2.7, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should test the effectiveness of technical, administrative, and physical controls on a regular basis. (Table Ref 8.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Verify the service auditor obtained and read the system description and evaluated whether the parts of the description that are included in the scope were presented fairly, including determining if the identified controls in the system description were implemented. (Ques. AT207 Item 2, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify the service auditor interviewed personnel, in combination with other procedures, to determine if the organization's system has been implemented. (Ques. AT208, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify the service auditor determined which controls were necessary to achieve the control objectives and assess these controls to determine if they were suitably designed to achieve the objectives. (Ques. AT209, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • Verify the service auditor tested the controls that are necessary to achieve the control objectives and assessed their operating effectiveness throughout the period, for type 2 reports. (Ques. AT210, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • The service auditor should test the operating effectiveness of the controls stated in the system description that are needed to meet the applicable trust services criteria throughout the named time period, for a type 2 engagement. (¶ 3.46, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should test the operating effectiveness of controls that are effective during the period covered by the audit report and determine if it has operated often enough to be assessed. (¶ 3.64, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • The service auditor should test superseded controls before they are changed and the new controls after the change, when changes are made during the period that are relevant to the applicable trust services criteria and the changes are considered significant by the users. (¶ 3.72, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • If (a) the service organization makes changes to controls during the period, (b) the superseded controls are relevant to the achievement of the service organization's service commitments and system requirements based on the applicable trust services criteria, and (c) the service auditor believes the… (¶ 3.140, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Automated application controls may be tested only once or a few times if effective IT general controls are present. In such situations, the service auditor considers whether changes to the control made after the testing, but prior to the end of the examination period, would change his or her conclus… (¶ 3.139, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Regardless of whether the carve-out or inclusive method is selected, the description of the service organization's system and the scope of the service auditor's examination include the controls designed, implemented, and operated at the service organization to monitor the effectiveness of controls a… (¶ 3.50, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of the control operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by … (¶ 3.138, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Alignment between the processes and controls stated in the description and the underlying system controls implemented by the service organization. If the description includes a particular control, it is likely that report users will presume that the control is material for the purposes of the SOC 2… (¶ 3.163 Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In the type 2 examination, the service auditor tests the operating effectiveness of the controls stated in the description based on the applicable trust services criteria. The service auditor performs procedures (known as tests of controls) to obtain evidence about the operating effectiveness of con… (¶ 3.107, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When performing a type 2 examination, description criterion DC9 indicates that a description should disclose relevant details of changes to the service organization's system during that period. If the service auditor believes changes to the system would be considered significant by report users, the… (¶ 3.108, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Management's basis for its assertion usually relies heavily on monitoring of controls. Such monitoring activities typically include ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are ordinarily built into the normal recurring activities of the se… (¶ 2.52, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Management's basis for its assertion usually relies heavily on monitoring of controls. Such monitoring activities typically include ongoing activities, separate evaluations, or a combination of the two. Ongoing monitoring activities are ordinarily built into the normal recurring activities of the se… (¶ 2.60, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Once the service auditor has obtained an understanding of the service organization's system and the related processes and controls, the service auditor should assess the risks of material misstatement in accordance with paragraph .19 of AT-C section 205. Inherent and control risks reflect the likeli… (¶ 2.126, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In a type 2 examination, the service auditor tests the operating effectiveness of the controls stated in the description. The service auditor performs procedures (commonly referred to as tests of controls) to obtain evidence about the operating effectiveness of controls. Evidence from tests of contr… (¶ 3.121, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If the service auditor has identified design deficiencies, the service auditor generally would not test the operating effectiveness of those controls. However, in certain circumstances, report users may expect management to identify the control in the description and may expect the service auditor t… (¶ 3.122, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • When testing the effectiveness of review controls, the service auditor also needs to consider the precision with which the control needed to be performed to determine whether the control operated the same way each time. The service auditor may need to determine whether the evidence gathered through … (¶ 3.136, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • If effective IT general controls are present, automated application controls may be tested only once or a few times. In such situations, the service auditor considers whether changes to the control made after the testing, but prior to the end of the examination period, would change the service audit… (¶ 3.154, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Alignment between the processes and controls stated in the description and the underlying system controls implemented by the service organization. If the description includes a particular control, it is likely that report users will assume the control is material for the purposes of the SOC 2 examin… (¶ 3.190 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • In a SOC 2 examination, the service auditor does not opine directly on whether the service organization complied with the requirements of relevant laws and regulations. Instead, the examination addresses whether controls were suitably designed and, in a type 2 examination, operated effectively to pr… (¶ 3.193, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Generally, IT processing is inherently consistent; therefore, the service auditor may be able to limit the testing to one or a few instances of a control's operation. An automated control usually functions consistently unless the program, including the tables, files, or other permanent data used by … (¶ 3.153, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • For type 2 audits, the service auditor should test superseded controls before changes are made, if the controls are relevant to achieving the control objectives. If the controls cannot be tested, the service auditor should determine the effect on the report. (¶ .23, SSAE No. 16 Reporting on Controls at a Service Organization)
  • When performing a type 2 engagement, the service auditor should obtain an understanding of changes in the service organization's system that were implemented during the period covered by the service auditor's report. If the service auditor believes the changes would be considered significant by user… (AT-C Section 320.29, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. (CC4.1 COSO Principle 16:, Trust Services Criteria)
  • The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning. (CC4.1 ¶ 1 COSO Principle 16:, Trust Services Criteria, (includes March 2020 updates))
  • Regularly tests or otherwise regularly monitors the key controls, systems and procedures of the information security program. The frequency and nature of these tests or other monitoring practices are determined by the licensee's risk assessment. (Section 7 ¶ 1.C., Standards for Safeguarding Customer Information Model Regulation, NAIC MDL-673, April 2002)
  • Does management regularly review the compliance of information processing inside their area of responsibility with the appropriate security policies? (§ L.7, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Does management regularly review the compliance of information processing inside their area of responsibility with the appropriate standards? (§ L.7, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Does management regularly review the compliance of information processing inside their area of responsibility for any other security requirements? (§ L.7, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Does the cloud computing audit program allow controls verification and validation performed by independent, third party Information Security professionals? (§ V.1.18.4, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • § 1.1: CMS business partners shall provide certification that they have examined the operational, technical, and management controls for systems that support the Medicare Administrative Contractors (MAC) function and have determined that the controls are adequate to meet the CMS security standards … (§ 1.1, § 3 ¶ 4, § 3.5.1 ¶ 1, App B § 2.E, CMS Business Partners Systems Security Manual, Rev. 10)
  • Security controls testing must be conducted annually on at least one third of the 17 security controls. The business owner must include security incident findings in the plan of action and milestone and develop a corrective action plan. (§ 4.3 ¶ 4, CMS Information Security Risk Assessment (IS RA) Procedure, Version 1.0 Final)
  • CSR 1.12.5: The organization must conduct a certification assessment of the information system security controls to validate that the controls operate as expected, are implemented correctly, and provide adequate protection. CSR 2.5.8: The organization must test the security systems on sensitive inf… (CSR 1.12.5, CSR 2.5.8, CSR 10.2.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The agency head must ensure senior agency officials periodically test and evaluate information security controls and techniques for information and information systems that support operations and assets under their control to ensure they are implemented effectively. (§ 3544(a)(2)(D), Federal Information Security Management Act of 2002, Deprecated)
  • periodically testing and evaluating information security controls and techniques to ensure that they are effectively implemented; (§ 3554(a)(2)(D), Federal Information Security Modernization Act of 2014)
  • periodic testing and evaluation of the effectiveness of information security policies, procedures, and practices, to be performed with a frequency depending on risk, but no less than annually, of which such testing— (§ 3554(b)(5), Federal Information Security Modernization Act of 2014)
  • Organizations must provide follow up procedures for verifying that the attestations and assertions they make about their Privacy Shield privacy practices are true and those privacy practices have been implemented as represented and in accordance with the Privacy Shield Principles. (§ III.7.a., EU-U.S. Privacy Shield Framework Principles)
  • follow-up procedures for verifying that the attestations and assertions organizations make about their privacy practices are true and that privacy practices have been implemented as presented and, in particular, with regard to cases of non-compliance; and (§ II.7.a.ii., EU-U.S. Privacy Shield Framework Principles)
  • The privacy protection mechanisms must include procedures to verify the assertions and attestations that the organization makes are true and the privacy practices are implemented. (ENFORCEMENT(b), US Department of Commerce EU Safe Harbor Privacy Principles, U.S. European Union Safe Harbor Framework)
  • Ensure that a test of the backup media was included in the Continuity Of Operation Plan. (COED-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Evidence should exist that the hardware and software are installed and configured correctly. (§ 5.2.6 ¶ 5, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • The local agency security officer shall verify that the approved and appropriate security measures are implemented and functioning correctly. (§ 3.2.9(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Determine whether management has an adequate method of testing the effectiveness of control design and implementation and whether management and the board appropriately monitor risk mitigation activities. Determine whether management considers all forms of controls, including governance of controls,… (App A Objective 13:5, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Effective risk monitoring that provides tangible feedback on the quality of the implementation of controls and risk mitigation strategies. (App A Objective 13:7 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Verifies the correct operation of [Assignment: organization-defined security functions]; (SI-6a. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Performs this verification [FedRAMP Assignment: to include upon system startup and/or restart and at least monthly]; (SI-6b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Verifies the correct operation of [Assignment: organization-defined security functions]; (SI-6a. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Performs this verification [FedRAMP Assignment: to include upon system startup and/or restart and at least monthly]; (SI-6b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and (MA-2e., FedRAMP Security Controls High Baseline, Version 5)
  • Verify the correct operation of [Assignment: organization-defined security and privacy functions]; (SI-6a., FedRAMP Security Controls High Baseline, Version 5)
  • Perform the verification of the functions specified in SI-6a [Selection (one or more): [FedRAMP Assignment: to include upon system startup and/or restart] ; upon command by user with appropriate privilege; [FedRAMP Assignment: at least monthly]]; (SI-6b., FedRAMP Security Controls High Baseline, Version 5)
  • Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and (MA-2e., FedRAMP Security Controls Low Baseline, Version 5)
  • Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and (MA-2e., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Verify the correct operation of [Assignment: organization-defined security and privacy functions]; (SI-6a., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Perform the verification of the functions specified in SI-6a [Selection (one or more): [FedRAMP Assignment: to include upon system startup and/or restart] ; upon command by user with appropriate privilege; [FedRAMP Assignment: at least monthly]]; (SI-6b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Do the audit policies and procedures include assessing the Information Technology department general controls? (IT - Audit Program Q 2c, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the audit plan include testing the "client control considerations" to determine if they are properly implemented by the applicable department? (IT - Audit Program Q 3e, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has the response time for reviewing and responding to website applications been tested by management? (IT - Web Site Review Q 14, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Test in-place and planned security access controls. (§ 4.4.4 Bullet 1, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and (MA-2e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; (SI-6b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Verify the correct operation of [Assignment: organization-defined security and privacy functions]; (SI-6a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and (MA-2e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and (MA-2e., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Verifies the correct operation of [Assignment: organization-defined security functions]; (SI-6a. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; (SI-6b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization must verify processes are implemented to ensure individuals are held accountable for adequately implementing controls to protect the confidentiality of Personally Identifiable Information and the controls are functioning as intended. (§ 4.1 ¶ 2, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • Monitor organizational information systems and environments of operation on an ongoing basis to verify compliance, determine effectiveness of risk response measures, and identify changes (Task 4-2, NIST SP 800-39, Managing Information Security Risk)
  • The organization should conduct periodic audits of the smart grid Information System to verify that the practices and mechanisms present during validation are still functioning. (SG.AU-14 Supplemental Guidance 5, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must verify that all of the security requirements are still functioning properly after maintenance or repairs. (SG.MA-3 Requirement 4, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must verify that the security functions are operating correctly on startups and restarts of the smart grid Information System. (SG.SI-6 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must verify that the security functions are operating properly when a user with the proper privilege issues the command at a defined frequency. (SG.SI-6 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must assess the system's security controls on a predetermined frequency to determine which controls are operating as intended, implemented correctly, and producing the desired outcome. (App F § CA-2.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The Information System must verify security functions are operating correctly periodically every predefined time period, upon command by an appropriate privilege user, and/or on system transitional states and, when anomalies are discovered it must notify the system administrator, shut down the syste… (App F § SI-6, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should assess the security controls and/or control upgrades after they have been implemented and deficiencies or weaknesses have been corrected to ensure they are operating as intended and producing the desired outcome to meet the security requirements. (§ 3.4 ¶ 2 Bullet 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must check all potentially impacted security controls to verify they are functioning properly after repair or maintenance. (App F § MA-2.e, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should test the malicious code protection mechanisms on a predefined frequency by introducing a known benign, non-spreading test case and verify the test case is detected and the incident reporting occurs. (App F § SI-3(6), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization is not recommended to shut down and restart the Industrial Control System after the identification of an anomaly. (App I § SI-6, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization assesses the security controls in the information system and its environment of operation {organizationally documented frequency} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting… (CA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions. (MA-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system verifies the correct operation of {organizationally documented security functions}. (SI-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system performs this verification {organizationally documented system transitional states}. (SI-6b. Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system performs this verification {upon command by user with appropriate privilege}. (SI-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The information system performs this verification {organizationally documented frequency}. (SI-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization monitors and audits privacy controls and internal privacy policy {organizationally documented frequency} to ensure effective implementation. (AR-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization assesses the security controls in the information system and its environment of operation {organizationally documented frequency} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting… (CA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions. (MA-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system verifies the correct operation of {organizationally documented security functions}. (SI-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system performs this verification {organizationally documented system transitional states}. (SI-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system performs this verification {upon command by user with appropriate privilege}. (SI-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The information system performs this verification {organizationally documented frequency}. (SI-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization assesses the security controls in the information system and its environment of operation {organizationally documented frequency} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting… (CA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions. (MA-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization assesses the security controls in the information system and its environment of operation {organizationally documented frequency} to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting… (CA-2b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions. (MA-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Verifies the correct operation of [Assignment: organization-defined security functions]; (SI-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; (SI-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Verifies the correct operation of [Assignment: organization-defined security functions]; (SI-6a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Performs this verification [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; (SI-6b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization monitors and audits privacy controls and internal privacy policy [Assignment: organization-defined frequency] to ensure effective implementation. (AR-4 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and (MA-2e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; (SI-6b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Verify the correct operation of [Assignment: organization-defined security and privacy functions]; (SI-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Check all potentially impacted controls to verify that the controls are still functioning properly following maintenance, repair, or replacement actions; and (MA-2e., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Perform the verification of the functions specified in SI-6a [Selection (one or more): [Assignment: organization-defined system transitional states]; upon command by user with appropriate privilege; [Assignment: organization-defined frequency]]; (SI-6b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Verify the correct operation of [Assignment: organization-defined security and privacy functions]; (SI-6a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Monitor organizational information systems and environments of operation on an ongoing basis to verify compliance, determine effectiveness of risk response measures, and identify changes. (2.2.4 TASK 4-2:, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The Senior Assessment Team should ensure that all locations have been notified of the testing objectives and what is required of division/department to assess the effectiveness of controls. (Pg 10, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • If a control is considered effective, testing should be accomplished to determine if the control is functioning properly. This testing can be accomplished by any or all of the following: interviewing personnel; inspecting reports and files; and observing the control while it is working. (App A § III.C.6, OMB Circular A-123, Management's Responsibility for Internal Control)
  • Appendix A of OMB Circular No. A-123 provides a methodology for agency management to assess, document and report on internal controls over reporting. This document also encourages an integrated approach to assess the internal controls over reporting considering the current legislative and regulatory… (Section VI (C) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Management should test the controls the bank uses to manage third party relationships on a regular basis, especially when critical activities are involved. ("Ongoing Monitoring" ¶ 4, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Employees who directly manage third party relationships must verify that the implemented controls for managing third party relationships are regularly tested. ("Bank Employees Who Directly Manage Third-Party Relationships" Bullet 7, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e., TX-RAMP Security Controls Baseline Level 1)
  • Checks all potentially impacted security controls to verify that the controls are still functioning properly following maintenance or repair actions; and (MA-2e., TX-RAMP Security Controls Baseline Level 2)
  • Verifies the correct operation of [Assignment: organization-defined security functions]; (SI-6a., TX-RAMP Security Controls Baseline Level 2)
  • Performs this verification [Selection (one or more): [TX-RAMP Assignment: to include upon system startup and/or restart and at least monthly]]; (SI-6b., TX-RAMP Security Controls Baseline Level 2)