Include procedures for continuous quality improvement in the internal control framework.
CONTROL ID
00819
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework. CC ID: 00820

There are no implementation support Controls.
SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The feasibility of the contingency plan must be assessed and confirmed. This is an IT general control. (App 2-1 Item Number VI.7.2(3), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • O10-1: The organization shall confirm the status of the observance of the items specified in security-related documentation. O44-1: The organization shall take precautions against illicit withdrawals from CD/ATM and other automated machines. (O10-1, O44-1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The effectiveness of the organization's internal controls should be reviewed at least annually by the audit committee. (¶ 12.1, CODE OF CORPORATE GOVERNANCE 2005)
  • contains a planning and planning review process that provides flexibility to respond to important identified issues (e.g. encountered implementation problems or delays) or external developments (e.g. important changes in the business environment, technological issues or innovations) to ensure a time… (Title 2 2.2.2 27.d, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • One important item involves improving the practical feasibility of technical safeguards and organisational procedures so as to increase the acceptance of the security safeguards. Likewise, the formulation of suitable security safeguards should time and again be considered as to whether it is easily … (§ 8.4 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Eliminating discovered flaws and weaknesses and continuous improvement. (Section 5.1 OIS-01 Basic requirement ¶ 1 Bullet 3, Cloud Computing Compliance Controls Catalogue (C5))
  • Planning, implementation, maintenance and continuous improvement of a framework regarding information security within the organisation. (Section 5.1 Objective, Cloud Computing Compliance Controls Catalogue (C5))
  • Inappropriate security safeguards should be rejected and after a detailed analysis replaced by effective safeguards. (§ 7 ¶ 6 Bullet 1, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Contradictions or inconsistencies in the security safeguards should be resolved and replaced by homogeneous mechanisms that are coordinated with each other. (§ 7 ¶ 6 Bullet 2, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Security safeguards that are too difficult or costly should be re-worked or rejected and replaced by appropriate safeguards. On the other hand, safeguards that are too weak endanger information security. They should also be reworked or replaced. (§ 7 ¶ 6 Bullet 4, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • The purpose of the continual improvement practice is to align the organization's practices and services with changing business needs through the ongoing improvement of products, services, and practices, or any element involved in the management of products and services. (5.1.2 ¶ 1, ITIL Foundation, 4 Edition)
  • The organization, as part of its Quality Management program, must provide written documentation of re-measuring the level of performance at least annually. (CORE -21(e), URAC Health Utilization Management Standards, Version 6)
  • Continuously monitor, benchmark and improve the IT control environment and control framework to meet organisational objectives. (ME2.1 Monitoring of Internal Control Framework, CobiT, Version 4.1)
  • Identify and maintain standards, procedures and practices for key IT processes to guide the organisation in meeting the intent of the QMS. Use industry good practices for reference when improving and tailoring the organisation's quality practices. (PO8.2 IT Standards and Quality Practices, CobiT, Version 4.1)
  • Define the elements of a control environment for IT, aligned with the enterprise's management philosophy and operating style. These elements should include expectations/requirements regarding delivery of value from IT investments, appetite for risk, integrity, ethical values, staff competence, accou… (PO6.1 IT Policy and Control Environment, CobiT, Version 4.1)
  • Top management should review the business continuity management capabilities, when it deems appropriate, to ensure it is suitable, adequate, and effective. The review should be documented. The review should verify the business continuity management policy complies with applicable standards, laws, fr… (§ 9.5.1, § 9.5.2, § 9.5.3, § 9.5.4 ¶ 1, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The organization must make continual improvements on the effectiveness of its business continuity management system by reviewing audit results, the analyses of monitored events, business continuity policy and objectives, preventive and corrective actions, and management reviews. Inputs to a manageme… (§ 5.2.2, § 5.2.3, § 6.2, BS 25999-2, Business continuity management. Specification, 2007)
  • The organizational policy statement must, within the scope of the organizational resilience management system, ensure it includes continual improvement and is reviewed regularly and whenever significant changes occur. The organization must continuously improve upon the effectiveness of its organizat… (§ 4.2.1(c), § 4.2.1(n), § 4.6.5, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The security strike operations plan should be updated continuously. All holders of the plan should be kept well informed of all changes. The organization should conduct security surveys at least once a year. (Pg 1-I-A2, Pg 13-II-5, Protection of Assets Manual, ASIS International)
  • The information security function should have sufficient impact on the organization and strong support from executive management, other business managers, and Information Technology managers. (CF.01.02.08a, The Standard of Good Practice for Information Security)
  • The information security function should have sufficient impact on the organization and strong support from executive management, other business managers, and Information Technology managers. (CF.01.02.08a, The Standard of Good Practice for Information Security, 2013)
  • Top management shall establish quality objectives to meet the product's requirements at relevant functions and levels within the organization. These objectives shall be consistent and measurable. (§ 5.4.1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • opportunities for continual improvement. (§ 9.3 ¶ 2 g), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • decisions related to continual improvement opportunities; (§ 9.3 ¶ 3 Bullet 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • promoting continual improvement. (§ 5.1 ¶ 1 l), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • achieve continual improvement. (§ 6.1 ¶ 1 Bullet 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • opportunities for continual improvement. (§ 9.3 ¶ 2 g), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The outputs of the management review should include decisions related to continual improvement opportunities and any need for changes to the compliance management system. (§ 9.3 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • gaps or lack in current compliance systems and longer term continual improvement initiatives; (§ 9.3 ¶ 4 e), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • opportunities for continual improvement. (§ 9.3 ¶ 2 d), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • operational conditions and processes, (§ 9.3 ¶ 4 d) 3), ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities, relating to the business, or to the BCMS, that shall be addressed as part of continual improvement. (§ 10.2 ¶ 2, ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • Service providers should continuously improve services by tracking ICT disaster recovery trends, using performance measurement techniques, using scalability planning, and using continuous risk mitigation procedures. (§ 9.1, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • opportunities for continual improvement. (§ 9.3 ¶ 2 f), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • promoting continual improvement; and (§ 5.1 ¶ 1 g), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The outputs of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. (§ 9.3 ¶ 3, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard. (§ 4.4 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • promoting continual improvement; (§ 5.1.1 ¶ 1 bullet 7, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • achieve continual improvement. (§ 6.1 ¶ 1 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The results of the management review shall include decisions related to continual improvement opportunities and any need for changes to the compliance management system. (§ 9.3.3 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • opportunities for continual improvement. (§ 9.3.2 ¶ 1 e), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensuring and promoting continual improvement; (§ 5.1 ¶ 1 h), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • other opportunities for improving the OH&S management system. (§ 6.1.2.3 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall establish OH&S objectives at relevant functions and levels in order to maintain and continually improve the OH&S management system and OH&S performance (see 10.3). (§ 6.2.1 ¶ 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • ensure its communication process(es) enables workers to contribute to continual improvement. (§ 7.4.2 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • continual improvement opportunities; (§ 9.3 ¶ 3 Bullet 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • opportunities for continual improvement. (§ 9.3 ¶ 2 g), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • The organization shall determine and select opportunities for improvement and implement any necessary actions to meet customer requirements and enhance customer satisfaction. (10.1 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • opportunities for improvement; (9.3.3 ¶ 1(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The organization shall consider the results of analysis and evaluation, and the outputs from management review, to determine if there are needs or opportunities that shall be addressed as part of continual improvement. (10.3 ¶ 2, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • determine and apply the criteria and methods (including monitoring, measurements, and related performance indicators) needed to ensure the effective operation and control of these processes; (4.4.1 ¶ 2(c), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • opportunities for continual improvement. (§ 9.3 ¶ 2 d), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • promoting continual improvement; (§ 5.1.1 ¶ 1 bullet 7, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • achieve continual improvement. (§ 6.1 ¶ 1 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the compliance management system. (§ 9.3 ¶ 4, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • includes a commitment to continual improvement of the compliance management system; (§ 5.2 ¶ 1 d), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • achieve continual improvement. (Section 6.1.1 ¶ 1 bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes (see 8.2) to the IT asset management system. (Section 9.3 ¶ 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall continually improve the suitability, adequacy and effectiveness of its IT asset management and the IT asset management system. (Section 10.3 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • promoting continual improvement; (Section 5.1 ¶ 1 bullet 8, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in 6.1, the IT asset management plan(s) determined in 6.2, and the corrective and preventive actions determined in 10.1 and 10.2 by: (Section 8.1 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Where service level targets are not met, the organization shall identify opportunities for improvement. (§ 8.3.3 ¶ 4, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • At planned intervals, the organization shall measure satisfaction with the services based on a representative sample of customers. The results shall be analysed, reviewed to identify opportunities for improvement and reported. (§ 8.3.2 ¶ 4, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Opportunities for improvement shall be documented. The organization shall manage approved improvement activities that include: (§ 10.2 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • The outputs of the management review shall include decisions related to continual improvement opportunities and any need for changes to the SMS and the services. (§ 9.3 ¶ 3, ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • opportunities for continual improvement; (§ 9.3 ¶ 2(d), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • promoting continual improvement; and (§ 5.1 ¶ 1 g), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • opportunities for continual improvement. (§ 9.3.2 ¶ 1 g), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The results of the management review shall include decisions related to continual improvement opportunities and any needs for changes to the information security management system. (§ 9.3.3 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • top management should assess resource needs during management reviews and set objectives for continual improvement and for monitoring effectiveness of planned activities; and (§ 5.1 Guidance ¶ 1(g), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The outputs from the management review process should include decisions related to continual improvement opportunities and any needs for changes to the ISMS. They can also include evidence of decisions regarding: (§ 9.3 Guidance ¶ 6, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • opportunities for continual improvement, including efficiency improvements of both the ISMS and information security controls. (§ 9.3 Guidance ¶ 4(f), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • evaluate them to establish whether they are worth pursuing; (§ 10.2 Guidance ¶ 4(d), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • The organization continually improves the suitability, adequacy and effectiveness of the ISMS. (§ 10.2 Required activity, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • determine the changes to the ISMS and its elements in order to achieve the improvement; (§ 10.2 Guidance ¶ 4(e), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • effectiveness of the ISMS, considering if the intended outcome(s) of the ISMS are achieved, the requirements of the interested parties are met, information security risks are managed to meet information security objectives, nonconformities are managed, while resources needed for the establishment, i… (§ 10.2 Guidance ¶ 1(c), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Management pursues continual improvement throughout the entity (functions, operating units, divisions) to improve the efficiency and usefulness of enterprise risk management at all levels. Opportunities to revisit and improve efficiency and usefulness may occur in any of the following areas: (Pursuing Improvement ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization should continuously improve its security posture by investigating new technologies and tracking and measuring security compliance. (Pg 4, Responsible Care Security Code of Management Practices, American Chemistry Council)
  • Whether the applicable control or set of controls is adequately changing, adapting, and evolving, from a threat-monitoring perspective, as new threats and exploits are identified and become able to be defended against by service organizations. (¶ 3.84 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Whether the applicable control or set of controls is adequately changing, adapting, and evolving, from a threat-monitoring perspective, as new threats and exploits are identified and become able to be defended against (¶ 3.97 h., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • § 422.503(b)(4)(vi)(D): An entity that is seeking to contract as a Medicare Advantage (MA) organization must adopt and implement an effective compliance program, to include measures for preventing, detecting, and correcting non-compliance with the Centers for Medicare & Medicaid Services' (CMS) pro… (§ 422.503(b)(4)(vi)(D), § 422.503(b)(4)(vi)(E), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • This table can be used as a checklist to verify that all of the IT systems security tasks are completed on schedule. It shows key requirements, a high-level description, how often to perform the tasks, who or where to send the output or documentation, comments, a blank for the due date or to show co… (Table 3.1, CMS Business Partners Systems Security Manual, Rev. 10)
  • CSR 1.9.6: The organization must document in the system security plan that the security management structure has adequate independence, expertise, and authority. CSR 5.2.3: System Security Officers (SSOs) and management must be able to show how the organization responds to disruptions and disasters … (CSR 1.9.6, CSR 5.2.3, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The compliance program should include procedures for the organization to maintain the current lists of blocked countries and individuals. (Pg 41, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Management with executive responsibility shall establish objectives and policies for, and commitment to, quality. They shall ensure quality policies are understood, implemented, and maintained at all organizational levels. (§ 820.20(a), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Strategies for service and process improvement and methods to measure the results of those improvement efforts. (VI.D Action Summary ¶ 2 Bullet 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should develop processes to oversee operations functions, evaluate the effectiveness of controls, and identify opportunities for improvement. (VI.D Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Ongoing practice of process improvement. (App A Objective 17:4c Bullet 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management develops processes to oversee operations functions, evaluate the effectiveness of controls, and identify opportunities for improvement. (VI.D, "Ongoing Monitoring and Evaluation Processes") (App A Objective 17, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management uses control self-assessments, risk control self-assessments, or other methods to monitor the effectiveness of IT operations controls and gauge performance, assess the criticality of systems, and identify existing risks. Determine whether management evaluates results and… (App A Objective 17:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether management has a continuous improvement process in place to recommend changes to the entity's IT environment. Evaluate whether management does the following: (App A Objective 17:4, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Develops improvement strategies for operations and prioritizes projects. (App A Objective 17:4a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Enterprise-wide practice of service improvement that augments the ability to provide value to its stakeholders and customers. (App A Objective 17:4c Bullet 2, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Are appropriately flexible to address changes in the environment. (App A Objective 6.1.e, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • The organization should ensure the security of handheld devices is maintained during the entire lifecycle and this process is an ongoing process. (Pg ES-3, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Provide feedback on network requirements, including network architecture and infrastructure. (T0200, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide ongoing optimization and problem-solving support. (T0207, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Review service performance reports identifying any significant issues and variances, initiating, where necessary, corrective actions and ensuring that all outstanding issues are followed up. (T0389, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • In this step, specific ways to make desired improvements (i.e., architectural changes, ways to implement cyber resiliency techniques in the context of the existing architecture, ways to use existing system capabilities more effectively to improve resilience) are identified and analyzed in terms of p… (3.2.4 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Prioritize desired improvements using the identified evaluation criteria (e.g., improve the ability of a given system element to continue functioning by enabling that element to be dynamically isolated, decrease adversary benefits by reducing the concentration of highly sensitive information in a si… (3.2.3.3 ¶ 2 Bullet 4, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Identify desired improvements to system elements or to the system of interest as a whole. Statements of desired improvements described in terms specific to the architectural and operational context can be more meaningful to stakeholders than general statements about improved use of a cyber resilienc… (3.2.3.3 ¶ 2 Bullet 3, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • In this step, the system is analyzed in its operational context from two perspectives. First, a mission or business function perspective is applied to identify critical resources (i.e., those resources for which damage or destruction would severely impact operations) and sources of system fragility.… (3.2.3 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Identify potentially applicable techniques or approaches. If the set of potentially applicable techniques and approaches has already been identified, it can be narrowed by identifying the set of techniques and approaches related to prioritized objectives using Appendix D, Table D-13 or to potentiall… (3.2.3.3 ¶ 2 Bullet 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Review service performance reports identifying any significant issues and variances, initiating, where necessary, corrective actions and ensuring that all outstanding issues are followed up. (T0389, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Provide feedback on network requirements, including network architecture and infrastructure. (T0200, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Organizational leadership is responsible and accountable for cybersecurity risk and fosters a culture that is risk-aware, ethical, and continually improving (GV.RR-01, The NIST Cybersecurity Framework, v2.0)
  • Cybersecurity supply chain risk management is integrated into cybersecurity and enterprise risk management, risk assessment, and improvement processes (GV.SC-03, The NIST Cybersecurity Framework, v2.0)
  • Bank management should establish procedures to ensure that quality assurance efforts take place and that the results are incorporated into future planning in order to manage and limit excessive risk taking. The bank should conduct quality assurance reviews whenever it engages in a significant combin… (¶ 44, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • The organization should continuously improve its security posture by investigating new technologies and tracking and measuring security compliance. (§ 106(c), Aviation and Transportation Security Act, Public Law 107 Released-71, November 2001)
  • The effectiveness of the compliance penalties must be assessed; actions may be taken when noncompliance occurs. (§ 44903(g)(2)(D), TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • To determine if the comprehensive information security program is in compliance with this regulation, the program will be evaluated by taking the following into account: the amount of resources available; the size, scope, and type of business; the amount of resources; the amount of stored data; and … (§ 17.03(2), Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)