Analyze system audit reports and determine the need to perform more tests.

CONTROL ID: 00666
CONTROL TYPE: Testing
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a risk monitoring program., CC ID: 00658

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • All BCP related risks and assumptions must be reviewed for relevancy and appropriateness as part of the annual planning of testing. The scope of testing should be comprehensive to cover the major components of the BCP as well as coordination and interfaces among important parties. Depending on the t… (6.1.3, Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning, V.1 - 02.12.02)
  • IT-based and manual controls must be assessed annually. If an automated control is assessed in a previous period to be operating effectively without any control deficiencies, these results may continue to be used when the following are met and recorded: if no changes have been made to the control, n… (Practice Standard § II.3(3)[5].D.c, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • Where internal audit relies on control testing performed by other areas, APRA would expect the internal audit function to assess the scope and quality of the testing conducted in order to determine how much reliance can be placed upon it. (85., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • The organization must perform regular compliance checks against the configuration records, and these checks must be documented in the audit report. (Mandatory Requirement 37.a, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization should use the past vulnerability scanning results to correlate attack detection events and determine if the exploit was used against a known vulnerable target. (Critical Control 4.2, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • The organization shall use appropriate methods to monitor and measure the quality management system processes. The methods shall show that the processes can achieve the planned results. When the planned results are not achieved, the organization shall take corrective action to ensure the product con… (§ 8.2.3, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • An independent evaluator should test the security functions of the system to ensure they operate as specified. The evaluator should either retest a subset of the tests in the test documentation or rerun every test for verification. The evaluator should also come up with other tests to run. (§ 18.4, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The actual test results should be compared with the expected test results. Any differences should be analyzed to determine if the product needs to be fixed or the tests need to be rerun with a larger sample size or a change in the test. The final report should contain the test configurations, the nu… (§ 10.8.2.4.5, § 10.8.2.4.6, § 11.8.4.4.5, § 12.9.5.4.5, § 13.9.5.4.5, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • Verify the service auditor determined if the controls being tested depended on other controls, and, if so, tested the other controls to obtain evidence supporting their operating effectiveness, for type 2 reports. (Ques. AT215, Reporting on Controls at a Service Organization Checklist, PRP §21,100)
  • The service auditor's tests should identify the applicable trust services criteria for which tests have not been conducted and the reason that the tests have not been conducted, when the control did not operate during the examination period. (¶ 3.71, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • Automated application controls may be tested only once or a few times if effective IT general controls are present. In such situations, the service auditor considers whether changes to the control made after the testing, but prior to the end of the examination period, would change his or her conclus… (¶ 3.139, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service auditor may decide that it is necessary to perform additional tests for the portion of the extended or modified period not included in the original period, and the results of those tests, along with any additional information of which the service auditor becomes aware, would be considere… (¶ 2.83, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • additional testing of the control or other controls is necessary to determine whether the controls were effective throughout the period (If the service auditor is unable to apply additional procedures to the selected items, the service auditor should consider the reasons for this limitation and conc… (¶ 3.185 Bullet 5 Sub-Bullet 2, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In certain situations, the service auditor may become aware of information that causes the service auditor to reconsider some of the conclusions reached to that point. For example, when obtaining the written representations from management, the service auditor may learn about a previously unknown se… (¶ 3.208, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If effective IT general controls are present, automated application controls may be tested only once or a few times. In such situations, the service auditor considers whether changes to the control made after the testing, but prior to the end of the examination period, would change the service audit… (¶ 3.154, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • additional testing of the control or other controls is necessary to determine whether the controls were effective throughout the period (If the service auditor is unable to apply additional procedures to the selected items, the service auditor would consider the reasons for this limitation and concl… (¶ 3.217 Bullet 5 Sub-Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • additional tests of controls are necessary, or (AT-C Section 205.25 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • performing other procedures as necessary in the circumstances. (AT-C Section 205.28 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • In rare circumstances, the practitioner may judge it necessary to depart from a relevant presumptively mandatory requirement. In such circumstances, the practitioner should perform alternative procedures to achieve the intent of that requirement. The need for the practitioner to depart from a releva… (AT-C Section 105.20, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • consider the responses to these inquiries to determine whether other procedures are necessary in the circumstances. (AT-C Section 210.20 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • The service auditor should read the reports of the internal audit function and regulatory examinations that relate to the services provided to user entities and the scope of the engagement, if any, to obtain an understanding of the nature and extent of the procedures performed and the related findin… (AT-C Section 320.23, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Analytical procedures may not be possible when the subject matter is qualitative, rather than quantitative. In those circumstances, the practitioner should perform other procedures, in addition to inquiries, that provide equivalent levels of review evidence. (AT-C Section 210.17, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • design and perform further procedures whose nature, timing, and extent are based on, and responsive to, the assessed risks of material misstatement. (AT-C Section 320.24 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • additional testing of the control or other controls is necessary to reach a conclusion about whether the controls related to the control objectives stated in management's description of the service organization's system operated effectively throughout the specified period. (AT-C Section 320.32 b., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • A medical device manufacturer shall establish and maintain procedures to monitor and control the process parameters for validated processes and ensure specified requirements are continuously met. (§ 820.75(b), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Independent assurance and security reports (e.g., penetration tests and vulnerability assessments) and internal reports that self-identify concerns related to AIO issues. (App A Objective 1:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Internal or independent tests or reviews of controls (e.g., penetration tests, business continuity reviews, and third-party management reviews). (App A Objective 1:1 c., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Security configuration, provisioning, logging, and monitoring. Misconfiguration of cloud resources is a prevalent cloud vulnerability and can be exploited to access cloud data and services. System vulnerabilities can arise due to the failure to properly configure security tools within cloud computin… (Risk Management Cloud Security Management Bullet 4, FFIEC Security in a Cloud Computing Environment)