Establish, implement, and maintain a corrective action plan.

CONTROL ID: 00675
CONTROL TYPE: Monitor and Evaluate Occurrences
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Monitoring and measurement, CC ID: 00636

This Control has the following implementation support Control(s):
  • Align corrective actions with the level of environmental impact., CC ID: 15193
  • Include risks and opportunities in the corrective action plan., CC ID: 15178
  • Include environmental aspects in the corrective action plan., CC ID: 15177
  • Include the completion date in the corrective action plan., CC ID: 13272
  • Include monitoring in the corrective action plan., CC ID: 11645
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Standard § II.3(5): Material weaknesses and control deficiencies that are identified during management's assessment should be recognized on a timely basis and taken care of. When material weaknesses have been identified, internal control over financial reporting can still be determined to be effect… (Standard § II.3(5), Practice Standard § II.3(5)[1], Practice Standard § III.4(3)[2], Practice Standard § III.4(3)[3], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • Specifically, the financial institution should confirm its service system and network configurations, participate in progress meetings, and resolve problems. (C26.1. ¶ 4(3) ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Where a person responsible for protection of personal information becomes aware of a fact of violation of this Act or other relevant statute, he or she shall take measures for improvement immediately, and if necessary, report the measures for improvement to the business owner or representative of th… (Article 27(4), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner. (Control: ISM-1564; Revision: 0, Australian Government Information Security Manual, June 2023)
  • At the conclusion of a security assessment for a system, a plan of action and milestones is produced by the system owner. (Control: ISM-1564; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Under CPS 234, an APRA-regulated entity must notify APRA of information security control weaknesses meeting specified criteria. An APRA-regulated entity would typically escalate material control weaknesses to the relevant governing bodies or individuals and formulate a remediation strategy. (89., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Financial institutions should monitor and evaluate the results of the security tests and update their security measures accordingly without undue delays in the case of critical ICT systems. (3.4.6 46, Final Report EBA Guidelines on ICT and security risk management)
  • Institutions should take appropriate measures if they identify shortcomings in the provision of the outsourced function. In particular, institutions and payment institutions should follow up on any indications that service providers may not be carrying out the outsourced critical or important functi… (4.14 105, Final Report on EBA Guidelines on outsourcing arrangements)
  • Based on the conclusions from the internal audit review, financial entities shall establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings. (Art. 6.7., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Thus, there must be a clearly defined procedure and explicitly specified competences for handling complaints and for feedback on problems to the responsible body. A response to complaints should be provided as fast as possible so that the person filing the complaint feels to be taken seriously. The … (§ 10.2 Subsection 3 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Where nonconformities are identified, has the organization put in place appropriate processes for managing nonconformities and the related corrective actions? (Performance evaluation ¶ 10, ISO 22301: Self-assessment questionnaire)
  • Have actions to control, correct and deal with the consequences of nonconformities been identified? (Improvement ¶ 1, ISO 22301: Self-assessment questionnaire)
  • implement follow-up action if appropriate, which may involve a firm: (§ 5.15 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • (¶ 4.35, Smith Guidance on Audit Committees, UK FRC, January 2003)
  • Identify and initiate remedial actions based on performance monitoring, assessment and reporting. This includes follow-up of all monitoring, reporting and assessments through: - Review, negotiation and establishment of management responses - Assignment of responsibility for remediation - Tracking of… (ME1.6 Remedial Actions, CobiT, Version 4.1)
  • Identify, initiate, track and implement remedial actions arising from control assessments and reporting. (ME2.7 Remedial Actions, CobiT, Version 4.1)
  • Develop senior management reports on IT's contribution to the business, specifically in terms of the performance of the enterprise's portfolio, IT-enabled investment programmes, and the solution and service deliverable performance of individual programmes. Include in status reports the extent to whi… (ME1.5 Board and Executive Reporting, CobiT, Version 4.1)
  • Add processes and policies that will regularly read and act on the data provided by the IDS/IPS. (§ 4.3.1.F, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process? (PCI DSS Question 10.6.3(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Are written policies and procedures defined for following up on exceptions and anomalies identified during the review process? (PCI DSS Question 10.6.3(a), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is follow up to exceptions and anomalies identified during the review process performed? (PCI DSS Question 10.6.3(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • The organization must develop, implement, and maintain procedures to handle nonconformity, both actual and potential, and for taking preventive and corrective actions. The procedures must define the requirements for identifying and correcting nonconformity and necessary actions to mitigate its impac… (§ 4.5.3, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • Define and implement an Audit Management process to support audit planning, risk analysis, security control assessment, conclusion, remediation schedules, report generation, and review of past reports and supporting evidence. (A&A-05, Cloud Controls Matrix, v4.0)
  • Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. (CIS Control 7: Safeguard 7.2 Establish and Maintain Remediation Process, CIS Controls, V8)
  • The organization shall establish a process for tracking all preventive actions and corrective actions until they are corrected. (§ 4.6.2 ¶ 1(c), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • deal with the consequences, including mitigating adverse environmental impacts; (§ 10.2 ¶ 1 a) 2), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall determine opportunities for improvement (see 9.1, 9.2 and 9.3) and implement necessary actions to achieve the intended outcomes of its environmental management system. (§ 10.1 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization should retain documented information as evidence of the nature of the nonconformities and subsequent actions taken, and the results of corrective actions taken. (10.2 ¶ 8, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • Based on the area(s) an organization has selected to improve, it should assess which maturity level is necessary for each of the EMS elements to achieve the intended outcomes. It should then determine the gap between the required maturity levels and the existing ones, guided by the maturity matrix (… (§ 6.5 ¶ 1, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • if there were delays or other deviations from the action plan; (§ 6.7 ¶ 2 Bullet 5, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • The action plan should be implemented and monitored with regard to timescales, achievement of milestone results and resource use. Appropriate actions should be taken, where necessary, to ensure that the improvement actions progress according to the plan. (§ 6.6 ¶ 2, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • set timescales; (§ 6.6 ¶ 1 Bullet 7, ISO 14005:2019, Environmental management systems — Guidelines for a flexible approach to phased implementation, Second Edition)
  • Corrective actions shall be appropriate to the effects of the nonconformities encountered. (§ 10.1.2 ¶ 1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall act on the results of its exercising and testing to implement changes and improvements. (§ 8.5 ¶ 3, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • nonconformities and corrective actions; (§ 9.3.2 ¶ 1 c) 1), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • take appropriate action relating to those results. (§ 9.3.3.2 b), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • The organization shall determine opportunities for improvement and implement necessary actions to achieve the intended outcomes of its BCMS. (§ 10.1.1, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • corrective action can be taken. (§ 6.1.3.3 ¶ 1 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • take corrective action; (§ 6.4.3.1 ¶ 1 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should oversee organizational performance by assessing and taking corrective action based on: (§ 6.4.3.2 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the organization's identification of, and engagement with, relevant stakeholders (see 6.6); (§ 6.4.3.2 ¶ 1 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the organization's responsible (which includes ethical) use of, and adequate investment in, technology including, for example, artificial intelligence and cyber security; (§ 6.4.3.2 ¶ 1 i), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • For accountability to be effective, it relies on effective stakeholder engagement (see 6.6) as this is the basis for effective dialogue, value generation and improvement. The governing body should be available to answer to relevant stakeholders about decisions made and have responses evaluated. Impr… (§ 6.5.3.2 ¶ 3, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This org… (§ 4.2.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should demonstrate accountability by retaining and distributing value in a transparent manner and reporting on the associated processes, decisions and results, including on the extent of the organization's impacts over time. This includes disclosing to relevant stakeholders where … (§ 6.2.3.5 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • whether the organizational values and governance policies are effectively guiding the organization, its culture and its ethical behaviour; (§ 6.4.3.2 ¶ 1 a), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Recognize failures and mistakes and take appropriate action. (Table 2 Column 2 Row 2 Bullet 5, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • compliance (e.g. information received directly from the compliance function) regarding the organization's compliance culture and the meeting of its compliance obligations; (§ 6.4.3.2 ¶ 1 d), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the organization's management of plans, organizational changes and other substantial transformations as well as responses to unplanned events and incidents. (§ 6.4.3.2 ¶ 1 j), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • managerial reporting and performance, ensuring that it appraises results against applicable measurement criteria and its intentions and expectations (see 6.3.3); (§ 6.4.3.2 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the organization's controlling and processing of data, ensuring that data are recognized as a valuable and strategic organizational resource (see 6.8); (§ 6.4.3.2 ¶ 1 h), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • resource allocations, capacity and capabilities (including people and their development) ensuring that the organization is enabled to meet its organizational purpose, value generation objectives and strategic outcomes; (§ 6.4.3.2 ¶ 1 g), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the organization's financial results and financial resources, ensuring that the organization remains financially sound; (§ 6.4.3.2 ¶ 1 f), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body should hold to account those to whom it has delegated (see 4.2.2). The governing body should ask questions, exercise its judgement, implement consequences, affect improvements and ensure that is equipped to do so. When doing so, the governing body should practise integrity, fairne… (§ 6.5.3.3 ¶ 1, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall use the outcomes of investigations for the improvement of the compliance management system as appropriate (see Clause 10). (§ 8.4 ¶ 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • nonconformities, noncompliances and corrective actions; (§ 9.3.2 ¶ 1 d) bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • its activities and operations related to identified hazards, risks and opportunities; (§ 9.1.1 ¶ 2 a) 2), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • actions, if needed; (§ 9.3 ¶ 3 Bullet 5, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • Corrective actions shall be appropriate to the effects or potential effects of the incidents or nonconformities encountered. (§ 10.2 ¶ 3, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall use the outcome of investigations for the improvement (see Clause 10) of the compliance management system as appropriate. (§ 8.4 ¶ 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • nonconformities and corrective actions; (§ 9.3 ¶ 2(c)(1), ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • The organization shall monitor and review the effectiveness of information security controls and take necessary actions. (§ 8.7.3.2 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management —Part 1: Service management system requirements, Third Edition)
  • Corrective actions shall be appropriate to the effects of the nonconformities encountered. (§ 10.2 ¶ 2, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • the nature of the nonconformities and any subsequent actions taken, (§ 10.2 ¶ 3 f), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • If the outcome of the audit includes nonconformities, the auditee should prepare an action plan for each nonconformity to be agreed with the audit team leader. A follow-up action plan typically includes: (§ 9.2 Guidance ¶ 15, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • plan the corrective actions, giving priority, if possible, to areas where there are higher likelihood of recurrence and more significant consequences of the nonconformity. Planning should include a responsible person for a corrective action and a deadline for implementation; (§ 10.1 Guidance ¶ 4(6), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Some organizations maintain registers for tracking nonconformities and corrective actions. There can be more than one register (for example, one for each functional area or process) and on different media (paper, file, application, etc.). If this is the case, then they should be established and cont… (§ 10.1 Guidance ¶ 7, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Update plans, assessment reports, and plans of action and milestones based on the results of the continuous monitoring process. (Task M-4, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The organization establishes a process to prioritize and remedy issues identified through vulnerability scanning. (PR.IP-12.2, CRI Profile, v1.2)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Throughout the course of the examination, the service auditor may perform procedures other than direct tests of operating effectiveness (for example, reviewing results from internal audit reports or other control reports issued by the service organization, or reading other information received from … (¶ 3.186, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action … (CIP-010-4 Table R3 Part 3.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability Assessments CIP-010-4, Version 4)
  • Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action … (CIP-010-2 Table R3 Part 3.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-2, Version 2)
  • Document the results of the assessments conducted according to Parts 3.1, 3.2, and 3.3 and the action plan to remediate or mitigate vulnerabilities identified in the assessments including the planned date of completing the action plan and the execution status of any remediation or mitigation action … (CIP-010-3 Table R3 Part 3.4 Requirements ¶ 1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Configuration Change Management and Vulnerability CIP-010-3, Version 3)
  • For any method used pursuant to 5.2.1, Responsible Entities shall determine whether any additional mitigation actions are necessary and implement such actions prior to connecting the Transient Cyber Asset. (Attachment 1 Section 5. 5.2 5.2.2, North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - Security Management Controls CIP-003-8, Version 8)
  • Are all issues identified in the vulnerability assessment documented and tracked to remediation? (§ G.10.2.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are all issues identified in the vulnerability scan documented and tracked to remediation? (§ G.10.2.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are all issues identified in the vulnerability assessment documented and tracked to remediation? (§ G.10.3.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are all issues identified in the vulnerability scan documented and tracked to remediation? (§ G.10.3.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are all issues identified by the internal network penetration test documented and tracked to remediation? (§ G.10.4.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Are all issues identified by the external network penetration test documented and tracked to remediation? (§ G.10.5.1.1, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Each agency must develop, document, and implement an information security program agency wide that includes processes for planning, implementing, evaluating, and documenting any remedial actions. The head of each agency shall submit to the Director of the Office of Management and Budget the results … (§ 3544(b)(6), § 3545(e), Federal Information Security Management Act of 2002, Deprecated)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (CA.2.159, Cybersecurity Maturity Model Certification, Version 1.0, Level 2)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (CA.2.159, Cybersecurity Maturity Model Certification, Version 1.0, Level 3)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (CA.2.159, Cybersecurity Maturity Model Certification, Version 1.0, Level 4)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (CA.2.159, Cybersecurity Maturity Model Certification, Version 1.0, Level 5)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (CA.L2-3.12.2 Plan of Action, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • A medical device manufacturer shall establish and maintain procedures to implement corrective and preventive actions. The procedures shall include requirements for analyzing work operations, quality audit reports, processes, concessions, service and quality records, returned products, complaints, an… (§ 820.100, 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Establishing a provision for management intervention if timeliness for corrective action is not met. (App A Objective 2:4g, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Implementation of corrective action plans when KPIs do not meet established targets. (VI.D Action Summary ¶ 2 Bullet 6, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Discuss corrective action and communicate findings. (App A Objective 18, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implements corrective action plans to address deviations or negative trends, assigns individuals responsible, and monitors progress to completion. (App A Objective 17:2f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Developing longer-term action plans to monitor and address issues. (App A Objective 16:4b Bullet 10, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Discuss examination findings with management and obtain proposed corrective action for significant deficiencies. (TIER I OBJECTIVES AND PROCEDURES OBJECTIVE 14:5, FFIEC IT Examination Handbook - Audit, April 2012)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., FedRAMP Security Controls High Baseline, Version 5)
  • Update existing plan of action and milestones [FedRAMP Assignment: at least monthly] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., FedRAMP Security Controls High Baseline, Version 5)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., FedRAMP Security Controls Low Baseline, Version 5)
  • Update existing plan of action and milestones [FedRAMP Assignment: at least monthly] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., FedRAMP Security Controls Low Baseline, Version 5)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Update existing plan of action and milestones [FedRAMP Assignment: at least monthly] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Has management developed resolutions to the identified problems? (IT - Servers Q 26, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Report on C-SCRM to Level 1 and act on reporting from Level 3. (Level 2 Mission and Business Process Activities Bullet 9, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Terms and conditions that address the government, supplier, and other applicable third-party roles, responsibilities, and actions for responding to identified supply chain risks or risk incidents in order to mitigate risk exposure, minimize harm, and support timely corrective action or recovery from… (3.1.2. ¶ 11 Bullet 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • For audit trails to be reviewed in order to implement the appropriate controls is called for. (§ 3.13.3, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure a plan of action and milestones have been documented and are updated regularly, the organization follows the plan by correcting deficiencies and meeting milestones, and specific responsibilities and actions are defined for the impleme… (CA-5, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Response actions to address results of the analysis of security-related information; and (CA-7f. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained. (PM-11b., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Scope the testing, design the tests, perform the testing, and document the results, including recording and triaging all discovered issues and recommended remediations in the development team's workflow or issue tracking system. (PW.8.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Perform the code review and/or code analysis based on the organization's secure coding standards, and record and triage all discovered issues and recommended remediations in the development team's workflow or issue tracking system. (PW.7.2, NIST SP 800-218, Secure Software Development Framework: Recommendations for Mitigating the Risk of Software Vulnerabilities, Version 1.1)
  • Recovery Time Objective (RTO). RTO defines the maximum amount of time that a system resource can remain unavailable before there is an unacceptable impact on other system resources, supported mission/business processes, and the MTD. Determining the information system resource RTO is important for se… (§ 3.2.1 ¶ 4 Bullet 2, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems. (3.12.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (3.12.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 1)
  • Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. (3.12.2, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171, Revision 2)
  • The organization must establish and maintain a Plan of Action and Milestones for the security program and associated Information Systems, which includes remedial actions to mitigate risk to operations, assets, individuals, other organizations, and the nation. (App G § PM-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must plan and start any necessary corrective actions by developing a Plan of Action and Milestones for the deficiencies or weaknesses that have not been immediately corrected and for implementing security control upgrades or additional controls when an event occurs that triggers the… (§ 3.4 ¶ 2 Bullet 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should use automated mechanisms to help ensure the Plan of Action and Milestones is accurate, up to date, and readily available. (App F § CA-5(1), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available. (CA-5(1), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • The organization employs automated mechanisms to help ensure that the plan of action and milestones for the information system is accurate, up to date, and readily available. (CA-5(1) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained. (PM-11b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms]. (CA-5(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Ensure the accuracy, currency, and availability of the plan of action and milestones for the system using [Assignment: organization-defined automated mechanisms]. (CA-5(1) ¶ 1, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Response actions to address results of the analysis of control assessment and monitoring information; and (CA-7f., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Response actions to address results of the analysis of security-related information; and (CA-7g., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until achievable protection needs are obtained. (PM-11b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • All of the organization's deficiencies should be corrected if they are cost beneficial. A plan should be developed to correct these deficiencies in a timely manner and to track the status of the deficiencies. (Pg 22, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • All personnel of the organization should be encouraged to identify and report deficiencies up the chain of command. The upper-level managers should decide on the importance of the deficiencies. Management should track all corrective actions and the resolution of the deficiencies. Management should a… (§ IV.B, § V, App A § VI, OMB Circular A-123, Management's Responsibility for Internal Control)
  • Management must maintain more thoroughly detailed corrective action plans internally, which must be made available for OMB and audit review. Management's process for resolution and corrective action of identified internal control deficiencies must: (Section V (B) ¶ 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Ensure that the corrective action plans are consistent with laws, regulations, and Agency policy. (Section V (B) ¶ 3 Bullet 6, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • § A.5.a: The organization shall correct all deficiencies that were identified during the independent security reviews for the general support systems and the major applications. § A.5.b: Deficiencies that are identified as less significant shall be reported and corrective action shall be tracked a… (§ A.5.a, § A.5.b, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • A data base owner shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any personal information of Indiana residents collected or maintained by the data base owner. (IC 24-4.9-3-3.5 (c), Indiana Code Title 24 Article 4.9, Disclosure of Security Breach)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., TX-RAMP Security Controls Baseline Level 1)
  • Updates existing plan of action and milestones [TX-RAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., TX-RAMP Security Controls Baseline Level 1)
  • Response actions to address results of the analysis of security-related information; and (CA-7f., TX-RAMP Security Controls Baseline Level 2)
  • Updates existing plan of action and milestones [TX-RAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., TX-RAMP Security Controls Baseline Level 2)