Establish, implement, and maintain a compliance monitoring policy.


CONTROL ID
00671
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

This Control has the following implementation support Control(s):
  • Establish, implement, and maintain a metrics policy., CC ID: 01654
  • Establish, implement, and maintain a technical measurement metrics policy., CC ID: 01655
  • Establish, implement, and maintain an Electronic Health Records measurement metrics program., CC ID: 06221
  • Establish, implement, and maintain a log management program., CC ID: 00673


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • § 1(1) ¶ 5: Management of listed companies must implement assessments, which must be audited by certified public accountants. Standard § II.4: Management should develop an Internal Control Report. It must include: design and operation matters (the person responsible for financial reports and inte… (§ 1(1) ¶ 5, Standard § II.4, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization must include a separate section containing a detailed compliance report on Corporate Governance in the annual report. The compliance report must be signed by either the Compliance Officer or the CEO. (§ VI, Corporate Governance in listed Companies - Clause 49 of the Listing Agreement)
  • A regulated institution would normally implement processes that ensure compliance with regulatory and prudential requirements and the internal IT security risk management framework. APRA envisages that this would include ongoing checks by the compliance function (or equivalent), supported by reporti… (¶ 28, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • Financial institutions should identify and manage their ICT and security risks. The ICT function(s) in charge of ICT systems, processes and security operations should have appropriate processes and controls in place to ensure that all risks are identified, analysed, measured, monitored, managed, rep… (3.3.1 10, Final Report EBA Guidelines on ICT and security risk management)
  • the oversight role of the management body in its supervisory function, including overseeing and monitoring management decision-making. (4.6 36(f), Final Report on EBA Guidelines on outsourcing arrangements)
  • Providers of high-risk AI systems shall, upon request by a national competent authority, provide that authority with all the information and documentation necessary to demonstrate the conformity of the high-risk AI system with the requirements set out in Chapter 2 of this Title, in an official Union… (Article 23 ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The post-market monitoring system shall actively and systematically collect, document and analyse relevant data provided by users or collected through other sources on the performance of high-risk AI systems throughout their lifetime, and allow the provider to evaluate the continuous compliance of A… (Article 61 2., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The competent authorities referred to in paragraph 1 shall monitor the implementation of this Directive at national level. (Article 8 2., DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Observation of policies is verified throughout the organization. (1.5.1 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • The corporate governance report must include a statement on how the auditor evaluated the Board of Directors; what audit services the auditor has performed for other organizations and companies that are closely related to the organization's major shareholders; the year the auditor was hired and how … (¶ III.2.2.6, ¶ III.2.3.1, ¶ III.2.4.3, ¶ III.2.5.2, ¶ III.3.2.8, ¶ III.3.5.11, ¶ III.3.7.1, ¶ III.3.7.2, ¶ III.3.8.1, ¶ III.4.1.3, ¶ III.4.3.6, ¶ III.6.1, ¶ III.6.2, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • (¶ 4.9, Smith Guidance on Audit Committees, UK FRC, January 2003)
  • (¶ 42 thru ¶ 44, Turnbull Guidance on Internal Control, UK FRC, October 2005)
  • Confirm compliance of IT policies, standards, procedures and methodologies with legal and regulatory requirements. (ME3.3 Evaluation of Compliance With External Requirements, CobiT, Version 4.1)
  • Review and adjust IT policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. (ME3.2 Optimisation of Response to External Requirements, CobiT, Version 4.1)
  • Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. (10.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. (10.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for monitoring all access to network resources and cardholder data are documented, in use, and known to all affected parties. (10.9, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are security policies and operational procedures for monitoring all access to network resources and cardholder data: - Documented - In use - Known to all affected parties? (10.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for monitoring all access to network resources and cardholder data: - Documented - In use - Known to all affected parties? (10.9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for monitoring all access to network resources and cardholder data: - Documented - In use - Known to all affected parties? (10.8, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for monitoring all access to network resources and cardholder data: - Documented - In use - Known to all affected parties? (10.9, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for monitoring all access to network resources and cardholder data are: - Documented, - In use, and - Known to all affected parties. (10.9, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Definition of activities for maintaining and monitoring overall PCI DSS compliance, including business-as-usual activities. (A3.1.2 Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • The organization should perform a privacy audit and create policies and procedures to create, store, and manage business data. (App A.5 (Recommendations for Privacy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • The organization must ensure that procedures are established, implemented, and maintained to periodically evaluate the organization's compliance with legal, regulatory, and other requirements, including industry best practices. A record must be retained of all periodic evaluations. (§ 4.5.2.1, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • ¶ 13.2 Secure Service Management should be implemented for network security. ¶ 13.2.1 Introduction to Secure Service Management. A key security requirement for any network is that it is supported by secure service management activities, which will initiate and control the implementation, and opera… (¶ 13.2, ¶ 13.2.1, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • what needs to be monitored and measured; (§ 9.1.1 ¶ 2 a), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • when the monitoring and measuring shall be performed; (§ 9.1.1 ¶ 2 d), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall select and document the needed measures. (§ 6.3.7.3(a)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • (§ 10, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • what needs to be monitored and measured and why; (§ 9.1.1 ¶ 1 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Reporting obligations should be set out clearly in the organization's compliance policy and procedures and reinforced by other methods, such as informal reinforcement by managers during their day-to-day work with employees. (§ 9.1.7 ¶ 7, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization shall periodically evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformance with its own business continuity policy and objectives; and (§ 9.1.2 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • when the monitoring and measuring shall be performed, and (§ 9.1.1 ¶ 1 c), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • evaluate compliance with applicable legal and regulatory requirements, industry best practices, and conformity with its own business continuity policy and objectives; (§ 8.6 ¶ 1 d), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • what needs to be monitored and measured; (§ 9.1 ¶ 1 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • when and by whom the monitoring and measuring shall be performed; (§ 9.1 ¶ 1 c), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • when the monitoring and measuring shall be performed; (§ 9.1 ¶ 2 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • what needs to be monitored and measured, including information security processes and controls; (§ 9.1 ¶ 2 a), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • overseeing that the organization performs and behaves according to the expectations set by the governing body; (§ 4.1 ¶ 3 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • when the monitoring and measuring shall be performed; (§ 9.1.1 ¶ 2 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • what needs to be monitored and measured; (§ 9.1.1 ¶ 2 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure valid results; (§ 9.1.1 ¶ 2 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • when the monitoring and measuring shall be performed; (§ 9.1.1 ¶ 2 d), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall establish, implement and maintain a process(es) for evaluating compliance with legal requirements and other requirements (see 6.1.3). (§ 9.1.2 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • evaluate compliance and take action if needed (see 10.2); (§ 9.1.2 ¶ 2 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • maintain knowledge and understanding of its compliance status with legal requirements and other requirements; (§ 9.1.2 ¶ 2 c), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall establish, implement and maintain a process(es), including reporting, investigating and taking action, to determine and manage incidents and nonconformities. (§ 10.2 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • when the monitoring and measuring shall be performed; (9.1.1 ¶ 1(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • what needs to be monitored and measured; (9.1.1 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • what needs to be monitored and measured; (§ 9.1.1 ¶ 2 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • when the monitoring and measuring shall be performed; (§ 9.1.1 ¶ 2 c), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • what needs to be monitored and measured; (Section 9.1 ¶ 1(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • when the monitoring and measuring shall be performed; and (Section 9.1 ¶ 1(c), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • when the monitoring and measuring shall be performed; (§ 9.1 ¶ 1(c), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • when the monitoring and measuring shall be performed; (§ 9.1 ¶ 1 c), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • what needs to be monitored and measured, including information security processes and controls; (§ 9.1 ¶ 1 a), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization should confirm its compliance with applicable policies and regulations annually. (§ G1, Canadian Marketing Association Code of Ethics and Standards of Practice)
  • The organization should regularly review its compliance with privacy policies, laws, regulations, and contracts and should report the results of these reviews to management. (ID 10.2.3, AICPA/CICA Privacy Framework)
  • The organization must monitor and report compliance with operational and technical controls. (§ 12, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • An audit system shall be in place providing for accountability regarding inputting of records required to be maintained. The results of the audit system must be available and preserved. (§ 240.17a-4(f)(3)(v), 17 CFR Part 240.17a-4, Records to be preserved by certain exchange members, brokers, and dealers)
  • An audit system shall be in place providing for accountability regarding inputting of records required to be maintained. The results of the audit system must be available and preserved. (§ 240.17Ad-7(f)(4), 17 CFR Part 240.17Ad-7, Record retention)
  • Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied with). I… (III.7.c., EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Under the self-assessment approach, such verification must indicate that an organization's published privacy policy regarding personal information received from the EU is accurate, comprehensive, prominently displayed, completely implemented and accessible. It must also indicate that its privacy pol… (§ III.7.c., EU-U.S. Privacy Shield Framework Principles)
  • Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from Switzerland is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied wit… (iii.7.c., SWISS-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Where the organization has chosen self-assessment, such verification must demonstrate that its privacy policy regarding personal information received from the EU is accurate, comprehensive, readily available, conforms to the Principles, and is completely implemented (i.e., is being complied with). I… (III.7.c., UK EXTENSION TO THE EU-U.S. DATA PRIVACY FRAMEWORK PRINCIPLES)
  • Determine whether IT management develops satisfactory measures for defining and monitoring metrics, performance benchmarks, service level agreements, compliance with policies, effectiveness of controls, and quality assurance and control. Determine whether management developed satisfactory reporting … (App A Objective 13, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine the effectiveness of management's communication and monitoring of IT policy compliance across the institution. (App A Objective 13:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The organization should maintain metrics to help assess the organization. The specific metrics that need to be reported and the frequencies of the reports are dependent on the organization. (Pg 33, FFIEC IT Examination Handbook - Management)
  • Determine whether the institution monitors compliance with policies, procedures, and limits. (App A Tier 1 Objectives and Procedures Objective 4:3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Evaluate financial institution adherence to bankcard company rules and bylaws and regulatory requirements. (App A Tier 1 Objectives and Procedures Objective 6:1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Evaluate the financial institution's compliance with interchange rules and bylaws. (App A Tier 1 Objectives and Procedures Objective 7:1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • (§ 101(e), FTC Electronic Signatures in Global and National Commerce Act (ESIGN), June 2001)
  • Requires compliance with applicable laws and regulations. Transactions are to be executed in accordance with laws, regulations and government policies identified in the audit guidance. (§ 260.06, GAO/PCIE Financial Audit Manual (FAM))
  • Compliance monitoring; and (CA-7(4) ¶ 1(b), FedRAMP Security Controls High Baseline, Version 5)
  • Compliance monitoring; and (CA-7(4) ¶ 1(b), FedRAMP Security Controls Low Baseline, Version 5)
  • Compliance monitoring; and (CA-7(4) ¶ 1(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Taxpayers' electronic storage systems must be in compliance with recordkeeping regulations. (§ 6.01, IRS Revenue Procedure: Retention of books and records, 97-22)
  • Compliance monitoring; and (CA-7(4) ¶ 1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Compliance monitoring; and (CA-7(4) ¶ 1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Compliance monitoring; and (CA-7(4) ¶ 1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Compliance monitoring; and (CA-7(4) ¶ 1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Information security programs can use all three types of metrics; however, the metrics will vary in their usefulness depending on the maturity of each individual information security program. Organizations that are in the process of developing or formalizing their policies and procedures may have a … (§ 5.1, § 5.2, Guide for Developing Performance Metrics for Information Security, NIST SP 800-80)
  • The organization develops, monitors, and reports on the results of information security measures of performance. (PM-6 Control:, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Analyze organization's cyber defense policies and configurations and evaluate compliance with regulations and organizational directives. (T0010, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization must develop, monitor, and report on Information Security performance measure results. (App G § PM-6, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Analyze organization's cyber defense policies and configurations and evaluate compliance with regulations and organizational directives. (T0010, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide daily summary reports of network events and activity relevant to cyber defense practices. (T0198, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization develops, monitors, and reports on the results of information security measures of performance. (PM-6, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, monitors, and reports on the results of information security measures of performance. (PM-6 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions]. (CA-7(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Compliance monitoring; and (CA-7(4) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Employ the following actions to validate that policies are established and implemented controls are operating in a consistent manner: [Assignment: organization-defined actions]. (CA-7(5) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Compliance monitoring; and (CA-7(4) ¶ 1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develop, monitor, and report on the results of information security and privacy measures of performance. (PM-6 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • When an agency head determines that a control deficiency is material when weighed against other agency deficiencies, it shall be included in the annual Federal Managers' Financial Integrity Act (FMFIA) report, in accordance with OMB Circular No. A-123. (§ A.5.b, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)