Establish, implement, and maintain an internal control framework.


CONTROL ID
00820
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a Governance, Risk, and Compliance framework., CC ID: 01406

This Control has the following implementation support Control(s):
  • Define the scope for the internal control framework., CC ID: 16325
  • Measure policy compliance when reviewing the internal control framework., CC ID: 06442
  • Review the relevance of information supporting internal controls., CC ID: 12420
  • Assign ownership of the internal control framework to the appropriate organizational role., CC ID: 06437
  • Assign resources to implement the internal control framework., CC ID: 00816
  • Establish, implement, and maintain a baseline of internal controls., CC ID: 12415
  • Leverage actionable information to support internal controls., CC ID: 12414
  • Include procedures for continuous quality improvement in the internal control framework., CC ID: 00819
  • Include continuous service account management procedures in the internal control framework., CC ID: 13860
  • Include threat assessment in the internal control framework., CC ID: 01347
  • Include vulnerability management and risk assessment in the internal control framework., CC ID: 13102
  • Include personnel security procedures in the internal control framework., CC ID: 01349
  • Include continuous security warning monitoring procedures in the internal control framework., CC ID: 01358
  • Include security information sharing procedures in the internal control framework., CC ID: 06489
  • Include security incident response procedures in the internal control framework., CC ID: 01359
  • Include incident response escalation procedures in the internal control framework., CC ID: 11745
  • Include continuous user account management procedures in the internal control framework., CC ID: 01360
  • Include emergency response procedures in the internal control framework., CC ID: 06779
  • Authorize and document all exceptions to the internal control framework., CC ID: 06781
  • Disseminate and communicate the internal control framework to all interested personnel and affected parties., CC ID: 15229

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The organization should have a risk management and internal control system that includes processes that document the implemented internal controls, the costs for not complying with policies and regulations, and risk communications. (¶ 3.2.3, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • the AI has an adequate system of checks and balances. Where material control deficiencies are identified, appropriate follow-up actions should be considered and monitored by the Board or senior management. (§ 3.1.1 (iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • the AI has an adequate system of checks and balances. Where material control deficiencies are identified, appropriate follow-up actions should be considered and monitored by the Board or senior management. (§ 3.1.1 (iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • IT control policies normally cover, at a minimum, the five aspects of IT controls mentioned in sections 3 to 7 of this module. They should be reviewed regularly, and where necessary updated to accommodate changing operating environments and technologies. (2.1.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • IC-1 “General Risk Management Controls” sets out the general objective and the importance of independence and expertise of AIs’ internal audit function. As regards technology audits, AIs are expected to assess periodically their technology risk management process and IT controls. To ensure ade… (2.4.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The organization must clearly state the measures from the information security policy in the overall optimization plan. This is a control item that constitutes a greater risk to financial information. This is a company-level IT control and an IT general control. (App 2-1 Item Number I.1.1(6), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The organization should, when designing and operating internal controls and based on a full understanding of the systems, prepare in an orderly manner and determine how incidents could be examined after an incident occurs. (Practice Standard § I.2(6)[2][Use of IT].E, On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • O1.1: The organization shall formulate a security policy. The types of security-related documentation that must be developed include the security policy, security standards, and manuals and procedural instructions. O1.3: The organization shall define which information resources require protection, … (O1.1, O1.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • O2: The organization shall evaluate, periodically, documentation defining security management methods and revise them to reflect current operations. O10-1.2: The organization shall confirm security observance status with the timing of events including, but not limited to changes to security-related … (O2, O10-1.2, O10-1.4, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • To allow the operation of these systems at a single location, installing a central monitoring and control system is recommended. (F80.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Conducting a vulnerability assessment for each vulnerability and calculating the probability that it will be exploited. Evaluating policies, procedures, standards, training, physical security, quality control and technical security in this regard (Critical components of information security 2) 3) Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Development/maintenance of a security and control framework that consists of standards, measures, practices and procedures (Information Security Governance ¶ 4 Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • The Plan phase is about designing the ISMS, assessing information security risks and selecting appropriate controls. (Critical components of information security 27) (b) Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Establishment and implementation of an internal control plan for managing personal information in a safe way; (Article 28(1)(1), Act On Promotion of Information and Communications Network Utilization and Information Protection, Amended by Act No. 14080, Mar. 22, 2016)
  • In supervising an institution, MAS will review its implementation of these Guidelines, the quality of its board and senior management oversight and governance, internal controls and risk management with regard to managing outsourcing risks. (5.1.1, Guidelines on Outsourcing)
  • performance, operational, internal control and risk management standards; (5.5.2 (b), Guidelines on Outsourcing)
  • An institution should establish a structure for the management and control of its outsourcing arrangements. Such a structure will vary depending on the nature and extent of risks in the outsourcing arrangements. As relationships and interdependencies in respect of outsourcing arrangements increase i… (5.8.1, Guidelines on Outsourcing)
  • A financial institution shall implement IT controls to protect customer information from unauthorised access or disclosure. (Technology Risk Management ¶ 9, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Amendment 2018)
  • A financial institution shall implement IT controls to protect customer information from unauthorised access or disclosure. (Technology Risk Management ¶ 9, Monetary Authority of Singapore: Securities and Futures Act (CAP. 289) Notice on Technology Risk Management, Notice No.: CMG-N02)
  • Technology is a key business enabler in the financial sector and FIs rely on technology to deliver financial services. It is vital that the FI's board of directors and senior management ensure effective internal controls and risk management practices are implemented to achieve security, reliability … (§ 3.1.1, Technology Risk Management Guidelines, January 2021)
  • The organization must have an information security policy. (Control: 0039, Australian Government Information Security Manual: Controls)
  • The organization should review the information security documentation at least annually and whenever there are significant changes to the environment, business, or system. (Control: 0888, Australian Government Information Security Manual: Controls)
  • The information security policy should describe the Information Security policies, responsibilities, and standards. (Control: 0049, Australian Government Information Security Manual: Controls)
  • The organization should state the processes and conditions for preventing sensitive information or classified information from being stored on hard drives and enforcing the scrubbing of Operating System swap files and other temporary files during logoff and shutdown in the System Security Plan. (Control: 0162 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization must state in the System Security Plan which authorizations, briefings, and security clearances are necessary for system access. (Control: 0432, Australian Government Information Security Manual: Controls)
  • The organization should assess the adequacy of the information technology security controls on a regular basis or after changes to the internal control environment or the external environment. (¶ 18, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • The information technology security Risk Management Framework should be regularly reviewed. (¶ 25, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • In discharging its responsibility for information security, an APRA-regulated entity would typically assess the sufficiency of its information security capability. This could include reviewing the adequacy of resourcing, including funding and staffing, timely access to necessary skill sets and the c… (15., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • The organization should develop an Information Security Policy, a Risk Management Plan, and a System Security Plan for each system the organization owns. The Information Security Policy should contain the organization's high-level security objectives, such as prevent the introduction of malicious co… (§ 2.2.5, § 2.2.7, § 2.2.12, § 2.5.5, § 3.2.13, § 3.5.7, Australian Government ICT Security Manual (ACSI 33))
  • All security documents should be reviewed on a regular basis. The reviews should be conducted at least yearly and when changes are made to the environment or system. The date the review was done should be included on each security document. (§ 2.2.16, Australian Government ICT Security Manual (ACSI 33))
  • The management body should ensure that financial institutions have adequate internal governance and internal control framework in place for their ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and busin… (3.2.1 2, Final Report EBA Guidelines on ICT and security risk management)
  • If the institution's ICT strategy requires the implementation of important and complex ICT changes, or changes with material implications for the institution's business model, competent authorities should assess whether the institution has a control framework in place, appropriate to its size, its I… (Title 2 2.2.2 27., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Whether the control frameworks for material ICT risks are sound. (Title 3 3.4 61.b(iv), Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • In line with the EBA Guidelines on ICT risk assessment under the SREP, institutions should, where relevant, ensure that they are able to carry out security penetration testing to assess the effectiveness of implemented cyber and internal ICT security measures and processes. Taking into account Title… (4.13.3 94, Final Report on EBA Guidelines on outsourcing arrangements)
  • The Member States, the supervisory authorities, the Board and the Commission shall encourage the drawing up of codes of conduct intended to contribute to the proper application of this Regulation, taking account of the specific features of the various processing sectors and the specific needs of mic… (Art. 40.1., Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation))
  • Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 6(4), in order to achieve a high level of digital operational resilience. (Art. 5.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Besides technical security safeguards, organisational procedures and processes (such as user guidelines, the granting of rights, security training measures, as well as testing and approval procedures) must also be established. When doing so, the following issues, among other things, must be addresse… (§ 8.1 Subsection 5 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • organisation (including specifying responsibilities, assigning duties and separating functions, regulating how information is handled, applications and IT components, hardware and software management, change management, etc.), (§ 8.1 Subsection 5 ¶ 2 Bullet 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • When creating the security policy implementers should obtain a request from management to develop the security policy. (3.3 bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • When creating the security policy implementers should check the security policy regularly and update if necessary. (3.3 bullet 6, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Primarily, business-critical information and core processes should be determined and the corresponding applications, IT systems, networks and rooms should be identified. Here, the essential supporting processes and the mainly affected objects should be determined on the basis of the core processes o… (§ 3.2.1 Subsection 4 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If this framework does not exist in a given situation, as a first step an attempt should be made to implement the missing security safeguards at the "shop-floor" level. However, in each case, the objective is to raise awareness with the management for information security issues so that they bear th… (§ 2.3 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Detailed documents on the structure of the information domain and the protection needs of its included target objects are a prerequisite for application of the IT-Grundschutz Compendium. Such information should be determined by using the work steps described above. Then, the modules of the IT-Grunds… (§ 7.6 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • First, the specific threat scenario to be expected is described in each module. Additionally, the separate appendix of the corresponding modules includes a list of fundamental threats considered when creating the module. This list of threats is part of the first level of the simplified risk analysis… (§ 8.3.1 Subsection 2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Sift through existing additional information on the IT, ICS and IoT systems contained and, if necessary, update and complete (§ 8.1.4 Subsection 2 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The cloud provider has documented any function separation conflicts and the compensating controls established for this purpose comprehensibly (e. g. in a role and rights concept) to allow for an assessment of the appropriateness and effectiveness of these controls. (Section 5.1 OIS-04 Description of additional requirements (confidentiality) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to log events on all assets which are used for the development or operation of the cloud service and to store them in a central place. The logging includes def… (Section 5.6 RB-10 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Regular follow-up of safeguards in order to address identified safeguards (e. g. installation of security updates according to internal target specifications) (Section 5.6 RB-17 Basic requirement ¶ 1 Bullet 2, Cloud Computing Compliance Controls Catalogue (C5))
  • The data controller must document how he/she develops a security policy, conducts a risk analysis, and decides what security measures should be implemented. The Data Protection Authority must be granted access to any of these procedures at any time. (Art 11 ¶ 5, Iceland Protection of Privacy as regards the Processing of Personal Data)
  • The controller for processing operations for sensitive and/or judicial data must develop, along with the data processor's agency, a security policy document that contains the following information by March 31 of each year: a list of the processing operations that concerns personal data; how responsi… (Annex B.19, Italy Personal Data Protection Code)
  • The processing of personal data by electronic means will only be allowed if the following minimum security measure is implemented with the technical specifications stated in Annex B of this Code: keeping the security policy up-to-date. (§ 34.1(g), Italy Personal Data Protection Code)
  • The security policy must include the following: the minimum required security measures; the basic security objectives; the technical, personal, and organizational measures to protect the personal data in the filing system; how the measures are used; a definition of the filing system's environment an… (§ 16(4), § 16(6), Slovak Republic Protection of Personal Data in Information Systems)
  • set 'the control environment throughout the firm, including the appetite and tolerance levels in respect of outsourcing' and third party risk management; (§ 4.4 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • The organization must establish an information security policy that states how it and its delivery partners comply with the requirements of this policy. (Mandatory Requirement 31, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization must develop a counter-terrorist protective security policy. The policy must include central advice and guidance; roles and responsibilities; management controls and assurance that plans and measures are implemented; communications arrangements; testing of the plans; and liaison wit… (Mandatory Requirement 66, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization should implement a policy for boundary protection device, such as firewalls. (Mandatory Requirement 39.c, HMG Security Policy Framework, Version 6.0 May 2011)
  • The organization's security instructions should include guidance about the security implications of organizing conferences and meetings, including making an individual that is attending the event responsible for the security controls; compiling a list of who is attending the event and their need to … (¶ 24, Security Requirements for List X Contractors, Version 5.0 October 2010)
  • (§ 3.1.1, OGC ITIL: Security Management)
  • The technical and organisational measures implemented under subsection (1) must be reviewed and updated where necessary. (§ 56(3), UK Data Protection Act 2018 Chapter 12)
  • Each controller must implement appropriate technical and organisational measures which are designed— (§ 57(1), UK Data Protection Act 2018 Chapter 12)
  • The technical and organisational measures implemented under subsection (1) must be reviewed and updated where necessary. (§ 56(3), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • Each controller must implement appropriate technical and organisational measures which are designed— (§ 57(1), UK Data Protection Act 2018 Chapter 12, Revised 06/06/2022)
  • Is the security program aligned with overall business objectives? (Table Row I.8, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • What mechanisms are in place to keep security policies up-to-date? (Table Row II.5, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Continuously monitor, benchmark and improve the IT control environment and control framework to meet organisational objectives. (ME2.1 Monitoring of Internal Control Framework, CobiT, Version 4.1)
  • Monitor and evaluate the efficiency and effectiveness of internal IT managerial review controls. (ME2.2 Supervisory Review, CobiT, Version 4.1)
  • Obtain, as needed, further assurance of the completeness and effectiveness of internal controls through third-party reviews. (ME2.5 Assurance of Internal Control, CobiT, Version 4.1)
  • Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Base the framework on a suitable IT process and control model and provide for unambiguous accountability and practices to avoid a breakdown in internal control and oversight. Confi… (ME4.1 Establishment of an IT Governance Framework, CobiT, Version 4.1)
  • Define an IT process framework to execute the IT strategic plan. This framework should include an IT process structure and relationships (e.g., to manage process gaps and overlaps), ownership, maturity, performance measurement, improvement, compliance, quality targets and plans to achieve them. It s… (PO4.1 IT Process Framework, CobiT, Version 4.1)
  • Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. (§ 12.1.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire B and Attestation of Compliance Imprint Machines or Stand-alone Dial-out Terminals Only, no Electronic Cardholder Data Storage, Version 2.0)
  • Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. (§ 12.1.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance Payment Application Connected to Internet, No Electronic Cardholder Data Storage, Version 2.0)
  • Verify that the policy addresses all Payment Card Industry Data Security Standard requirements. (§ 12.1.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. (§ 12.1.3, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview personnel and examine documentation to verify security policies and operational procedures to manage the firewalls are documented. (Testing Procedures § 1.5 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify security policies and operational procedures to manage the firewalls are implemented. (Testing Procedures § 1.5 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify operational procedures and security policies for managing vendor defaults and other security parameters are documented. (Testing Procedures § 2.5 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify operational procedures and security policies for managing vendor defaults and other security parameters are implemented. (Testing Procedures § 2.5 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify security policies and operational procedures to protect cardholder data are documented. (Testing Procedures § 3.7 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify security policies and operational procedures to protect cardholder data are implemented. (Testing Procedures § 3.7 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify security policies and operational procedures for encrypting cardholder data transmissions are documented. (Testing Procedures § 4.3 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify security policies and operational procedures for encrypting cardholder data transmissions are implemented. (Testing Procedures § 4.3 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify the security policies and operational procedures for protecting systems against malware are documented. (Testing Procedures § 5.4 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify the security policies and operational procedures for protecting systems against malware are implemented. (Testing Procedures § 5.4 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for developing and maintaining secure systems and applications are documented. (Testing Procedures § 6.7 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for developing and maintaining secure systems and applications are implemented. (Testing Procedures § 6.7 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify the security policies and operational procedures for restricting access to cardholder data are documented. (Testing Procedures § 7.3 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify the security policies and operational procedures for restricting access to cardholder data are implemented. (Testing Procedures § 7.3 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify security policies and operational procedures for Identification and Authentication have been documented. (Testing Procedures § 8.8 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify security policies and operational procedures for Identification and Authentication have been implemented. (Testing Procedures § 8.8 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify the security policies and operational procedures for restricting physical access to cardholder data are documented. (Testing Procedures § 9.10 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify the security policies and operational procedures for restricting physical access to cardholder data are implemented. (Testing Procedures § 9.10 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for monitoring all access to network resources and cardholder data are documented. (Testing Procedures § 10.8 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for monitoring all access to network resources and cardholder data are implemented. (Testing Procedures § 10.8 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for security monitoring and testing have been documented. (Testing Procedures § 11.6 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for security monitoring and testing have been implemented. (Testing Procedures § 11.6 Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify the information security policy is reviewed at least annually and is updated, as needed. (Testing Procedures § 12.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Verify that the responsibility for establishing, documenting, and distributing the Information Security policies and procedures has been formally assigned. (Testing Procedures § 12.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The organization must develop, publish, maintain, and distribute a security policy and must address all of the PCI DSS requirements. (§ 12.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that the policy addresses all PCI DSS requirements. (§ 12.1.1 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The organization must ensure the security policy is reviewed on an annual basis and whenever the environment changes. (§ 12.1.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Verify that the information security policy is reviewed at least annually and updated as needed to reflect changes to business objectives or the risk environment. (§ 12.1.3 Testing Procedures, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • The security policies and operational procedures to manage firewalls must be documented, in use, and known to all affected personnel. (PCI DSS Requirements § 1.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for managing vendor defaults and other security parameters must be documented, implemented, and communicated to all affected parties. (PCI DSS Requirements § 2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The security policies and operational procedures for protecting cardholder data must be documented, implemented, and known to all parties. (PCI DSS Requirements § 3.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for encrypting cardholder data transmissions must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 4.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for protecting systems against malware must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for developing and maintaining secure systems and applications must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 6.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for restricting access to cardholder data must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 7.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for Identification and Authentication must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 8.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operating procedures for restricting physical access to cardholder data must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 9.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for monitoring access to cardholder data and network resources must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 10.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for security monitoring and testing must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 11.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • A security policy must be established, maintained, published, and disseminated. (PCI DSS Requirements § 12.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The security policy must be reviewed at least annually and updated when the environment changes. (PCI DSS Requirements § 12.1.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The Information Security policies and procedures must formally assign an individual or a team the responsibility for establishing, documenting, and distributing Information Security policies and procedures. (PCI DSS Requirements § 12.5.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Ensure that the organization maintains a list of all wireless devices and personnel authorized to use the devices. (§ 4.6.1.C, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Is a security policy established, published, maintained, and disseminated to all relevant personnel? (PCI DSS Question 12.1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is the security policy reviewed at least annually and updated when the environment changes? (PCI DSS Question 12.1.1, PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is a security policy established, published, maintained, and disseminated to all relevant personnel? (PCI DSS Question 12.1, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Is the security policy reviewed at least annually and updated when the environment changes? (PCI DSS Question 12.1.1, PCI DSS Self-Assessment Questionnaire B and Attestation of Compliance, Version 3.0)
  • Is a security policy established, published, maintained, and disseminated to all relevant personnel? (PCI DSS Question 12.1, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Is the security policy reviewed at least annually and updated when the environment changes? (PCI DSS Question 12.1.1, PCI DSS Self-Assessment Questionnaire B-IP and Attestation of Compliance, Version 3.0)
  • Is a security policy established, published, maintained, and disseminated to all relevant personnel? (PCI DSS Question 12.1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is the security policy reviewed at least annually and updated when the environment changes? (PCI DSS Question 12.1.1, PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is a security policy established, published, maintained, and disseminated to all relevant personnel? (PCI DSS Question 12.1, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Is the security policy reviewed at least annually and updated when the environment changes? (PCI DSS Question 12.1.1, PCI DSS Self-Assessment Questionnaire C-VT and Attestation of Compliance, Version 3.0)
  • Is a security policy established, published, maintained, and disseminated to all relevant personnel? (PCI DSS Question 12.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is the security policy reviewed at least annually and updated when the environment changes? (PCI DSS Question 12.1.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Is a security policy established, published, maintained, and disseminated to all relevant personnel? (PCI DSS Question 12.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is the security policy reviewed at least annually and updated when the environment changes? (PCI DSS Question 12.1.1, PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.0)
  • Is a security policy established, published, maintained, and disseminated to all relevant personnel? (PCI DSS Question 12.1, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • Is the security policy reviewed at least annually and updated when the environment changes? (PCI DSS Question 12.1.1, PCI DSS Self-Assessment Questionnaire P2PE-HW and Attestation of Compliance, Version 3.0)
  • IT policy statements should include, but not be restricted to, a general policy on the organization's security and privacy level (should be consistent with relevant national and international legislation). (§ 5.3.1 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • Policies and procedures for all key IT activities should be formulated, developed, documented, and communicated to business teams and process owners. The policies and procedures should be reviewed periodically. Outsourcing procedures should be reviewed periodically after they have been formalized… (§ 5.1 (Information Security Policies and Procedures), IIA Global Technology Audit Guide (GTAG) 7: Information Technology Outsourcing)
  • The security policy should have details on the password parameters, structures, and proper use. (§ 3.5.5 ¶ 1, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • An information security program should include policies and procedures for the handling and classification of sensitive information; pre-employment screening and employee reviews; awareness programs for sensitive information; nondisclosure agreements; noncompetitive agreements; physical measures, su… (Pg 15-I-19, Pg 22-I-13, Pg 41-I-8, Pg 41-I-10, Protection of Assets Manual, ASIS International)
  • The organisation's governing body (e.g. board of directors or equivalent) should establish an information security governance framework. (SG.01.01.01-1, The Standard of Good Practice for Information Security)
  • The high-level working group, committee, or equivalent body should support the Chief Information Security Officer (or equivalent) in establishing the organization's overall approach to Information Security by reviewing the overall information security policy prior to sign off by the governing body. (SG.01.02.06a-2, The Standard of Good Practice for Information Security)
  • The high-level working group, committee, or equivalent body responsible for coordinating the overall information security activity should review the information security strategy on a periodic basis to ensure it continues to support delivery of the organization's objectives. (SG.02.01.05a, The Standard of Good Practice for Information Security)
  • There should be a documented information security policy, ratified at Board level, that applies across the organisation. (CF.01.01.01-1, The Standard of Good Practice for Information Security)
  • There should be an individual or group responsible for maintaining the Information Security policy. (CF.01.01.01-2, The Standard of Good Practice for Information Security)
  • The information security policy should define Information Security. (CF.01.01.02-1, The Standard of Good Practice for Information Security)
  • Standards / procedures should cover performing standard security practices (e.g., configuration, malware protection, Change Management, and patch management). (CF.07.04.02b, The Standard of Good Practice for Information Security)
  • There should be a documented information security policy, ratified at board level, that applies across the organization. (CF.01.01.01-1, The Standard of Good Practice for Information Security)
  • There should be an individual (or a group of individuals) responsible for maintaining the information security policy. (CF.01.01.01-2, The Standard of Good Practice for Information Security)
  • The information security policy should define the Information Security principles to be followed by all staff. (CF.01.01.02-3, The Standard of Good Practice for Information Security)
  • The information security policy should require that information is classified in a way that indicates its importance to the organization. (CF.01.01.03a, The Standard of Good Practice for Information Security)
  • The information security policy should require that compliance with contractual obligations is met. (CF.01.01.03e-3, The Standard of Good Practice for Information Security)
  • The information security policy should require that suspected Information Security weaknesses are reported. (CF.01.01.03f-2, The Standard of Good Practice for Information Security)
  • The information security policy should be aligned with other high-level policies (e.g., those relating to Human Resources, health and safety, finance, and Information Technology). (CF.01.01.04a, The Standard of Good Practice for Information Security)
  • The information security policy should be reviewed regularly according to a defined review process. (CF.01.01.04c, The Standard of Good Practice for Information Security)
  • The information security policy should be revised to take account of changing circumstances (e.g., new threats, vulnerabilities and risks, reorganization of the organization, changes to contractual, legal and regulatory requirements, or changes to the technical infrastructure). (CF.01.01.04d, The Standard of Good Practice for Information Security)
  • The organisation's governing body (e.g. board of directors or equivalent) should establish an information security governance framework. (SG.01.01.01-1, The Standard of Good Practice for Information Security, 2013)
  • The high-level working group, committee, or equivalent body responsible for coordinating the overall information security activity should review the information security strategy on a periodic basis to ensure it continues to support delivery of the organization's objectives. (SG.02.01.05a, The Standard of Good Practice for Information Security, 2013)
  • There should be a documented information security policy, ratified at board level, that applies across the organization. (CF.01.01.01-1, The Standard of Good Practice for Information Security, 2013)
  • There should be an individual (or a group of individuals) responsible for maintaining the information security policy. (CF.01.01.01-2, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should define Information Security. (CF.01.01.02-1, The Standard of Good Practice for Information Security, 2013)
  • Standards / procedures should cover performing standard security practices (e.g., configuration, malware protection, Change Management, and patch management). (CF.07.04.02b, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should define the Information Security principles to be followed by all staff. (CF.01.01.02-3, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should require that information is classified in a way that indicates its importance to the organization. (CF.01.01.03a, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should require that compliance with contractual obligations is met. (CF.01.01.03e-3, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should require that suspected Information Security weaknesses are reported. (CF.01.01.03f-2, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should be aligned with other high-level policies (e.g., those relating to Human Resources, health and safety, finance, and Information Technology). (CF.01.01.04a, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should be reviewed regularly according to a defined review process. (CF.01.01.04c, The Standard of Good Practice for Information Security, 2013)
  • The information security policy should be revised to take account of changing circumstances (e.g., new threats, vulnerabilities and risks, reorganization of the organization, changes to contractual, legal and regulatory requirements, or changes to the technical infrastructure). (CF.01.01.04d, The Standard of Good Practice for Information Security, 2013)
  • An overall security policy shall be clearly established for the authentication solution. (§ 4.5.4.1 ¶ 1, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • The security policy shall meet the requirements of international or national standards and resolutions or recognized industry practices. (§ 4.5.4.1 ¶ 3, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • The security assurance procedures shall be described and audited. (§ 5.2 ¶ 2, ISO 12931:2012, Performance Criteria for Authentication Solutions Used to Combat Counterfeiting of Material Goods, First Edition)
  • § 4.2 Policy hierarchy. An organization security policy should include the following: The corporate security policy may comprise the security principles and directives for the organization as a whole. Corporate security policies should reflect the broader corporate policies, including those that ad… (§ 4.2, § 4.3, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • § 4.3 Corporate ICT security policy elements. An organization should produce a corporate ICT (Information and Communications Technology) security policy based on the agreed corporate ICT security objectives and strategy. It is necessary to establish and maintain a corporate ICT security policy, con… (§ 4.3, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Corporate IT Security Policy. An organization should produce a corporate IT security policy based on the agreed corporate IT security objectives and strategy. It is necessary to establish and maintain a corporate IT security policy, consistent with the corporate business, security, and IT policies, … (¶ 7.2, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • Monitoring of Security Awareness Programs. An organization should monitor security awareness programs by: • periodic performance evaluations - to determine the effectiveness of an awareness program by monitoring security related behavior and identify where changes affecting the program delivery mi… (¶ 10.2.3, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • Operational Issues. An organization should implement safeguards which assure that all procedures maintain the secure, correct and reliable functioning of the IT equipment and related system(s) used. This should be achieved by implementing organizational procedures. Operational safeguards are necessa… (¶ 8.1.5(1)(5), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • Security Operating Procedures. In support of the system security policy, security operating procedures (SecOPs) documents should be developed and maintained. They should contain details of the day-to-day operating procedures associated with security, and who is responsible for their use and manageme… (¶ 13.2.2, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • Security Compliance Checking. For network connections, security compliance checking should take place against a comprehensive checklist constructed from the safeguards specified in the: • system security policy • related SecOPs, • technical security architecture, • security gateway service … (¶ 13.2.3, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • An organization should ensure that its operations and associated processes are conducted in a controlled way in order to fulfil the commitments of its environmental policy, achieve its environmental objectives and manage its significant environmental aspects, compliance obligations and its risks and… (8.1.1 ¶ 1, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The security requirements statement should identify all security functional requirements, including those that require an explicit strength of function claim, security assurance requirements, Evaluation Assurance Levels (EALs), IT security requirement dependencies, and minimum strength of function l… (§ 9.5, § 10.5, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The security functional requirements should be checked to ensure they identify only existing ISO/IEC 15408-2 functional requirements components, they are written correctly, and they contain a statement about the minimum strength of function (SOF) level, either SOF-basic, SOF-medium, or SOF-high. The… (§ 8.3.5, § 9.3.6, § 13.6.7, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • Management shall ensure that information security management objectives have been established. (§ 6.6.1 ¶ 1(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall review the effectiveness of Information Security controls and take any necessary actions. (§ 6.6.2 ¶ 3, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall continually improve the suitability, adequacy and effectiveness of the information security management system. (§ 10.2 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall establish, implement, maintain and continually improve an information security management system, in accordance with the requirements of this International Standard. (§ 4.4 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • An information security policy should be developed for the organization. This policy should be written in accordance with business requirements and any applicable laws and regulations. The policy should contain statements on objectives and scope; management intent; control objectives; compliance req… (§ 5.1, § 5.1.1, ISO 27002 Code of practice for information security management, 2005)
  • The information security policy should be reviewed at planned intervals and when significant changes occur. This will ensure the effectiveness and suitability of the policy for the organization. (§ 5.1.2, § 6.1.8, ISO 27002 Code of practice for information security management, 2005)
  • ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; (§ 6.4.3.1 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This org… (§ 4.2.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization should identify controls relevant to either the development or use of AI, or both. Controls should be identified during the risk management activities and documented (in internal systems, procedures, audit reports, etc.). (§ 6.4.2.5 ¶ 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • implementing control of the processes in accordance with the criteria. (§ 8.1 ¶ 1 Bullet 2, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization shall plan, implement and control the processes needed to meet requirements, and to implement the actions determined in Clause 6, by: (§ 8.1 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization establishes, implements, maintains and continually improves the ISMS. (§ 4.4 Required activity, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • see a) above. The information security policy specifies the requirements for information security in an organization. All other specific requirements set for relevant functions and levels should be consistent with them. If the information security policy has information security objectives, then any… (§ 6.2 Guidance ¶ 4 Bullet 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • suitability of the ISMS, considering if the external and internal issues, requirements of the interested parties, established information security objectives and identified information security risks are properly addressed through planning and implementation of the ISMS and information security cont… (§ 10.2 Guidance ¶ 1(a), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Where the organization acts in both roles (e.g. a PII controller and a PII processor), separate roles shall be determined, each of which is the subject of a separate set of controls. (§ 5.2.1 ¶ 4, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • The organization shall establish, implement, maintain and continually improve a PIMS in accordance with the requirements of ISO/IEC 27001:2013 Clauses 4 to 10, extended by the requirements in Clause 5. (§ 5.2.4 ¶ 2, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • that appropriate security controls are in place to protect the organization, its stakeholders and its data; (§ 4.3 ¶ 6 Bullet 5, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • appropriate specific sub-organizations, processes and tools designed to guarantee or enforce values, principles and internal controls that are foundational to good governance. (§ 6.7.2 ¶ 3 Bullet 2, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Additional architecture or changes to preventive and detective controls are implemented to prevent and detect incident recurrences in a timely manner. (CC7.5 ¶ 2 Bullet 4 Implements Changes to Prevent and Detect Recurrences, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • To be useful, information must be available to decision-makers when it is needed. It is also essential that the information be of high quality. If the underlying data is inaccurate or incomplete, management may not be able to make sound judgments, estimates, or decisions. To maintain high-quality in… (Putting Relevant Information to Use ¶ 4, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Protection processes are continuously improved. (PR.IP-7, CRI Profile, v1.2)
  • The organization should develop, document, approve, and implement an information security program. The program should include administrative, physical, and technical safeguards for protecting personal information from loss, unauthorized access, misuse, alteration, disclosure, and destruction. (ID 8.2.1, AICPA/CICA Privacy Framework)
  • The organization should develop, document, approve, and implement an information security program, to include technical controls, administrative controls, and physical controls that protect personal information from unauthorized access, unauthorized alteration, misuse, loss, unauthorized destruction… (Generally Accepted Privacy Principles and Criteria § 8.2.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program, in relation to protecting personal information, should include a security policy. (Generally Accepted Privacy Principles and Criteria § 8.2.1 b, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program, in relation to protecting personal information, should include how the Information Security area is organized in relation to personal information security. (Generally Accepted Privacy Principles and Criteria § 8.2.1 c, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program, in relation to protecting personal information, should include asset management. (Generally Accepted Privacy Principles and Criteria § 8.2.1 d, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program, in relation to protecting personal information, should include Human Resources security. (Generally Accepted Privacy Principles and Criteria § 8.2.1 e, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program, in relation to protecting personal information, should include physical security and environmental security. (Generally Accepted Privacy Principles and Criteria § 8.2.1 f, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program, in relation to protecting personal information, should include communications management and operations management. (Generally Accepted Privacy Principles and Criteria § 8.2.1 g, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program, in relation to protecting personal information, should include Access Control. (Generally Accepted Privacy Principles and Criteria § 8.2.1 h, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program, in relation to protecting personal information, should include Information Systems acquisition, development, and maintenance. (Generally Accepted Privacy Principles and Criteria § 8.2.1 i, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program, in relation to protecting personal information, should include information security incident management. (Generally Accepted Privacy Principles and Criteria § 8.2.1 j, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program, in relation to protecting personal information, should include Business Continuity Management. (Generally Accepted Privacy Principles and Criteria § 8.2.1 k, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program, in relation to protecting personal information, should include compliance. (Generally Accepted Privacy Principles and Criteria § 8.2.1 l, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The information security program should include a security policy as it relates to personal information security. (Table Ref 8.2.1.b, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information security program should address how the Information Security area is organized in relation to personal information security. (Table Ref 8.2.1.c, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information security program should address asset management in relation to personal information security. (Table Ref 8.2.1.d, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information security program should address Human Resources security as it relates to personal information security. (Table Ref 8.2.1.e, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information security program should address physical security and environmental security as it relates to personal information security. (Table Ref 8.2.1.f, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information security program should address communication management and operations management as it relates to personal information security. (Table Ref 8.2.1.g, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information security program should address access control as it relates to personal information security. (Table Ref 8.2.1.h, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information security program should address Information Systems acquisition, development, and maintenance as it relates to personal information security. (Table Ref 8.2.1.i, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information security program should address information security incident management as it relates to personal information security. (Table Ref 8.2.1.j, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information security program should address Business Continuity Management as it relates to personal information security. (Table Ref 8.2.1.k, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information security program should address compliance as it relates to personal information security. (Table Ref 8.2.1.l, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The system description, when addressing privacy controls, must contain a statement that the service organization is responsible for providing its privacy practices to the user entities and the privacy practice statement must include a statement that a written security program exists and what standar… (¶ 1.35.e.ix, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2))
  • Designing, implementing, operating, monitoring, and documenting controls that are suitably designed and, in a type 2 examination, operating effectively to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable tr… (¶ 2.04 Bullet 5, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When more than one control is necessary to address a risk that would prevent the service organization from achieving one or more of its service commitments and system requirements, the service auditor considers whether a combination of controls is necessary, as discussed in paragraph 3.92. If a comb… (¶ 3.113, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • When a service organization uses a subservice organization, the service organization may need to implement controls to achieve its service commitments and system requirements. The controls to be implemented may be communicated in an authoritative communication or as CUECs in a type 1 or type 2 repor… (¶ 3.89, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The overall control environment (¶ 2.84 Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The service organization designs, implements, and operates controls at the entity level that are necessary to support the achievement of its service commitments and system requirements. That is particularly true for controls that address the trust services criteria for the control environment compon… (¶ 2.127, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Assessment of the risks of material misstatement is affected by many factors, including materiality considerations (see paragraph 3.05) and the service auditor's understanding of the effectiveness of the control environment or other components of internal control related to the service provided to u… (¶ 3.01, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Nevertheless, effective entity-level controls, particularly those designed and implemented to meet the control environment criteria, may enable the service auditor to place greater confidence in the processes and controls the service organization has designed, implemented, and operated to provide re… (¶ 2.128, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Service organization management is responsible for designing and implementing controls to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable trust services criteria, identifying the risks that threaten the ac… (¶ 3.80, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Designing, implementing, monitoring, and documenting effective controls to provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria (¶ 2.168 Bullet 4, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • As discussed beginning in paragraph 2.56, service organization management may document controls in a variety of ways. The nature and extent of documentation usually varies, depending on the size and complexity of the service organization and its monitoring activities. In some cases, the service audi… (¶ 3.97, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • In other situations, the service organization may perform several control activities directed at meeting an applicable trust services criterion in order to achieve its service commitments and service requirements. Consequently, if the service auditor evaluates certain control activities as being ine… (¶ 3.94, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The auditor should evaluate the automated and manual internal control procedures the organization uses to prepare its financial statements. These procedures include entering transactions into the ledger; combining ledger data; and preparing financial statements. (§ 314.86, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • In order to understand the service provided, the system, and the design and operation of the controls, SOC 2 report users usually require an understanding of the nature of the service organization's service commitments and system requirements. The service commitments and system requirements that are… (¶ 1.31, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Designing, implementing, operating, monitoring, and documenting controls that are suitably designed and, in a type 2 examination, operating effectively to provide reasonable assurance that the service organization's service commitments and system requirements were achieved based on the applicable tr… (¶ 2.05 Bullet 5, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • A service organization adopts a mission and vision, sets strategies, and establishes objectives to help it achieve its mission and vision based on its strategies. Management designs and implements various systems to achieve specific objectives and designs and implements controls within the systems t… (¶ 1.30, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Service organization management is responsible for having a reasonable basis for asserting that (a) the description of the service organization's system is presented in accordance with the description criteria, (b) the controls stated in the description were suitably designed to provide reasonable a… (¶ 2.04, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Designing, implementing, and documenting controls that are suitably designed and operating effectively to provide reasonable assurance that the service commitments and system requirements will be achieved based on the applicable trust services criteria (¶ 2.32 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As stated in chapter 1, service organization management is responsible for identifying and achieving the service commitments it makes to user entities as well as for the requirements of the system that will enable the service organization to achieve them. Management is also responsible for designing… (¶ 2.66, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service organization designs, implements, and operates controls at the entity level that are necessary to support the achievement of its service commitments and system requirements. That is particularly true for controls that address the trust services criteria for the control environment compon… (¶ 2.144, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Designing, implementing, monitoring, and documenting effective controls to provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria (¶ 2.191 Bullet 4, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Suitably designed controls, if implemented and operating effectively, provide reasonable assurance of achieving the service organization's service commitments and system requirements based on the applicable trust services criteria. Suitably designed controls operate as designed by persons who have t… (¶ 3.91, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. (CC7.5 Implements Changes to Prevent and Detect Recurrences, Trust Services Criteria)
  • Additional architecture or changes to preventive and detective controls, or both, are implemented to prevent and detect recurrences on a timely basis. (CC7.5 ¶ 2 Bullet 4 Implements Changes to Prevent and Detect Recurrences, Trust Services Criteria, (includes March 2020 updates))
  • The organization must establish a security policy structure and risk thresholds. (PE 1, Corporate Information Security Working Group: Report of the best practices and metrics teams; subcommittee on technology, information policy, intergovernmental relations and the census; Government Reform Committee, United States House of Representatives)
  • Is there an information security policy that has been approved by management? (§ B.1, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Does the information security policy cover change control? (§ B.1.10, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Does the information security policy cover policy maintenance? (§ B.1.27, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Did the information security policy review contain feedback from interested parties? (§ B.1.33.1, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Has the information security policy been reviewed in the last 12 months? (§ B.1.32, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Did the information security policy review contain results of independent reviews? (§ B.1.33.2, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Did the information security policy review contain changes that could affect the approach to managing information security? (§ B.1.33.4, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Does the information security function review information security policies? (§ C.1.1, Shared Assessments Standardized Information Gathering Questionnaire - C. Organizational Security, 7.0)
  • Does the information security function approve information security policies? (§ C.1.1, Shared Assessments Standardized Information Gathering Questionnaire - C. Organizational Security, 7.0)
  • Does the information security function create Information Security policies? (§ C.1.1, Shared Assessments Standardized Information Gathering Questionnaire - C. Organizational Security, 7.0)
  • Has a review of security policies been performed in the last 12 months? (§ L.8, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Has a review of security standards been performed in the last 12 months? (§ L.8, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Has a review of security procedures been performed in the last 12 months? (§ L.8, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Has a review of security guidelines been performed in the last 12 months? (§ L.8, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • For cloud computing services, is there a formal security program established to include Application Program Interface security reviews? (§ V.1.39.1, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • The organization should develop a security plan for each information system and maintain the plan for the system's lifecycle. The development of the security plan is the beginning of the accreditation process. Appendix C contains a format for the security plan. (§ 2-3.a(12), § 3-5.b(1), App C, Army Regulation 380-19: Information Systems Security, February 27, 1998)
  • § 2.2 ¶ 3: The organization must have a robust organization-wide security program that is fully supported, practiced by senior management, and staffed by trained and knowledgeable individuals. CMS business partners should encourage systems security personnel to pursue security accreditation. § 3.… (§ 2.2 ¶ 3, § 3.1 ¶ 1, § 3.1 ¶ 3, § 3.1 ¶ 5, CMS Business Partners Systems Security Manual, Rev. 10)
  • § 3.1 ¶ 4: The business owner and the system security officer shall review the system security plan on an annual basis and verify it is up-to-date. § 3.1 ¶ 6: The organization shall re-certify the system security plans within 365 days from the previous certification date. The plan shall be revi… (§ 3.1 ¶ 4, § 3.1 ¶ 6, § 3.1 ¶ 7, § 3.1 ¶ 10, CMS Business Partners Systems Security Manual, Rev. 10)
  • All organizations that are subject to OMB Circular A-130 must have a security plan. These plans must be modified to detail the protective measures and methodologies the organization will be using if it decides to use the Internet to transmit HCFA Privacy Act-protected and/or other sensitive HCFA inf… (§ 8 ¶ 2, HIPAA HCFA Internet Security Policy, November 1998, Deprecated)
  • CSR 1.4.3: The organization must distribute the security policies to all affected personnel. The security policies must include rules that clearly delineate responsibility; application and system rules; expected behavior access rules; and procedures for preventing, detecting, containing, and correct… (CSR 1.4.3, CSR 1.5.1, CSR 1.9, CSR 1.9.2, CSR 1.9.3, CSR 1.9.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization must review and update the system security plan on an annual basis or whenever there are significant changes to the facilities, information systems, or other conditions that may impact security. (CSR 1.9.5, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • § 1.1 ¶ 2: Entities must have a system security plan for systems that process information or perform IT processes on behalf of CMS. § 1.1 ¶ 7: Only the actual implemented controls are required to be documented in the system security plan. § 1.5 ¶ 6: The system security plan shall be predictab… (§ 1.1 ¶ 2, § 1.1 ¶ 7, § 1.5 ¶ 6, § 3.1.3, App A, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • § 1.1 ¶ 6: Business owners shall develop and/or update the system security plan for the following events: a new system; expired accreditation; major modification; increased security risks or exposure; increased overall system security level; and/or serious security violations. § 2.9: The system s… (§ 1.1 ¶ 6, § 2.9, § 3.3 Task 4, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. (§242.1001(b)(3), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • An airport security program that incorporates the security program of an airport tenant that has access to a secured area may be approved by the Under Secretary, if the security program includes the measures the tenant uses to carry out the access control system requirements, the methods the airport… (§ 1542.101, § 1542.103, § 1542.113, 49 CFR Part 1542, Airport Security)
  • The Chief Information Officer must develop and maintain an agency-wide information security program and information security policies, procedures, and control techniques that address all applicable requirements. Each agency must develop, document, and implement an information security program agen… (§ 3544(a)(3)(B), § 3544(a)(3)(C), § 3544(b), Federal Information Security Management Act of 2002, Deprecated)
  • providing information security protections commensurate with the risk and magnitude of the harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of— (§ 3554(a)(1)(A), Federal Information Security Modernization Act of 2014)
  • Standards should be developed for administrative, technical, and physical safeguards to ensure the security and confidentiality of customer information; to protect against threats to the customer information; and to protect against unauthorized access. (§ 6801(b), Gramm-Leach-Bliley Act (GLB), Deprecated)
  • A comprehensive personal data privacy and security program that includes technical, physical, and administrative safeguards appropriate for the complexity and size of the business entity and the scope and nature of its activities must be implemented. Federal agencies may not enter into a contract wi… (§ 302(a)(1), § 403(b)(2)(I), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • A business entity subject to Subtitle A of Title III of this Act must monitor, evaluate, and adjust its data privacy and security program on a regular basis based on relevant changes in technology; internal or external threats to the personally identifiable information; sensitivity of personally ide… (§ 302(e), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • The organization will maintain a comprehensive approach to IT security. The IT security framework will be fully documented and address access controls and system protection. Updates will be communicated to employees. (Pg 47, C-TPAT Supply Chain Security Best Practices Catalog)
  • The security manager must ensure that a security plan has been developed and signed by an authorized senior management official. (§ 5.2 ¶ AC42.020, DISA Access Control STIG, Version 2, Release 3)
  • Wireless devices that are either directly or indirectly connected to the network should be listed in the System Security Plan (SSP). A security policy should be developed for secure wireless remote access. The policy should contain at least the following security requirements: the type of access req… (§ 2 (WIR0030), § 2 (WIR0076), DISA WIRELESS SECURITY CHECKLIST, Version 5, Release 2.2, Version 5, Release 2.2)
  • § 2.2 (WIR0030) Wireless devices that are either directly or indirectly connected to the network should be listed in the System Security Plan (SSP). § 2.2 (WIR0076) For mobile and remote users of the DoD enclave and resources, the IAM will develop a written security policy or checklist for secure … (§ 2.2 (WIR0030), § 2.2 (WIR0076), DISA Wireless STIG Apriva Sensa Secure Wireless Email System Security Checklist, V5R2.2, Version 5 Release 2.2)
  • A security policy should be developed for secure wireless remote access to the site. This policy should contain at least the following information: the type of access required by users; the responsibilities, liabilities, and security measures involved in using wireless devices; incident handling and… (§ 2.2 (WIR0076), DISA WIRELESS STIG BLACKBERRY SECURITY CHECKLIST, Version 5, Release 2.4, Version 5 Release 2.4)
  • § 2.1 (WIR0030) The IAO will ensure wireless devices connecting directly or indirectly (e.g., hotsync, ActiveSync, wireless) to the network are added to the site System Security Plan (SSP). § 2.1 (WIR0076) For mobile and remote users of the DoD enclave and resources, the Information Assurance Mana… (§ 2.1 (WIR0030), § 2.1 (WIR0076), DISA Wireless STIG Motorola Good Mobile Wireless Email System Security Checklist, Version 5 Release 2.3)
  • § 2.1 (WIR0030) Wireless devices that are either directly or indirectly connected to the network should be listed in the System Security Plan (SSP). § 2.1 (WIR0076) All mobile and remote users of the DoD enclave and resources must sign a written agreement, developed by the Information Assurance Ma… (§ 2.1 (WIR0030), § 2.1 (WIR0076), App B.3 Row "User Agreement", App B.3 Row "Show Agreement At Device Log-In", DISA Wireless STIG Windows Mobile Messaging Wireless EChecklist Version 5, Release 2.4, Version 5 Release 2.4)
  • A System Security Plan must be developed. (DCSD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The System Security Plan must describe the administrative, procedural, and technical information assurance program and policies for the Information System. (DCSD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The System Security Plan must describe the specific information assurance requirements and objectives. (DCSD-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The organization must publish a security policy for the classified processing environment. The System Security Policy (SSP) must include procedures for initially distributing authenticators; procedures for group authenticators; specifications for authenticator requirements (length, generation, age, … (§ 8-101, § 8-607.b, § 8-609.b(2), § 8-610.a(1), § 8-610.b(2)(b), § 8-613.b(2), NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Policies and procedures shall be implemented for preventing, detecting, containing, and correcting security violations. (§ 164.308(a)(1)(i), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. (§ 164.312(c)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • The organization will maintain a comprehensive approach to IT security. The IT security framework will be fully documented and address access controls and system protection. Updates will be communicated to employees. (§ 27.225(a), § 27.230, § 27.245(a), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • The Site Security Plan must be updated, revised, or altered whenever the Security Vulnerability Assessment is changed. The facility must audit annually its compliance with the Site Security Plan. (§ 27.225(d), § 27.225(e), 6 CFR Part 27, Chemical Facility Anti-Terrorism Standards (CFATS), Department of Homeland Security)
  • The organization will maintain a comprehensive approach to IT security. The IT security framework will be fully documented and address access controls and system protection. Updates will be communicated to employees. (Password Protection, Customs-Trade Partnership Against Terrorism (C-TPAT) Importer Security Criteria)
  • § 8.2.1 The organization will provide an acknowledgement letter, at least annually, regarding its participation in developing and maintaining the DIB (Defense Industrial Base) SSP (Sector-Specific Plan) security plan. § 8.2.2 An organization will provide the information to DoD which is necessary t… (§ 8.2.1, § 8.2.2, Defense Industrial Base Information Assurance Standard)
  • The criminal justice information services systems agency must establish and administer an information technology security program throughout its user community, including local levels. (§ 3.2.1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Policy governing the operation of computers, access devices, circuits, hubs, routers, firewalls, and other components that comprise and support a telecommunications network and related CJIS systems used to process, store, or transmit CJI, guaranteeing the priority, confidentiality, integrity, and av… (§ 3.2.2 ¶ 1(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Expire upon the CSO approved date or when a compliant AA solution is implemented. (§ 5.13.7.2.1 ¶ 1(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • The organization should periodically modify its information security program due to changes in technology, internal or external threats, and changes in customer information sensitivity. (Pg 2, FFIEC Guidance on Authentication in an Internet Banking Environment)
  • Evaluate whether business line management is consulted to assist in data classification, recovery standards development, and appropriate control validation. (App A Objective 3:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • With respect to operating centers, describe the entity's operating center type and key responsibilities and determine whether functions such as security and network management are addressed. Evaluate the appropriateness of the entity's processes and controls, such as the following: (App A Objective 14:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Reviews and improves or updates the security controls, where necessary. (App A Objective 6.5.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Internal controls and processes. (App A Objective 8:1 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Assess whether IT management maintains an active role in the institution's strategic planning to align IT with established business goals and strategies. Assess whether effective IT controls exist throughout the institution, either through direct oversight or by holding lines of business accountable… (App A Objective 8:3, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Maintains an inventory of assets, event classes, threats, and existing controls. (App A Objective 10:1 a., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Exam Tier II Obj D.1 Determine whether audit procedures for information security adequately consider the risks in information security and e-banking. Evaluate whether ▪ A written and adequate data security policy is in effect covering all major operating systems, databases, and applications; ▪ E… (Exam Tier II Obj D.1, Exam Tier II Obj E.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • The organization should implement computer security policies to help in deterring fraud and/or theft. (Pg C-1, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (Obj 4.1, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • The Board of Directors should oversee the development, implementation, and maintenance of the information security policy. The information security policy should include sections on oversight and coordination; responsibilities; monitoring and testing; risk measurement; acceptable risk; and reporting… (Pg 30, FFIEC IT Examination Handbook - Management)
  • The Board of Directors should be responsible for reviewing and approving the information security policy and the information security program on an annual basis. (Pg 30, Exam Obj 5.1, FFIEC IT Examination Handbook - Management)
  • Departmental management and the quality of internal controls, including separation of duties and dual control procedures, for bankcard, ATM and debit card, ACH, check items, and electronic banking payment transaction processing, clearance, and settlement activity. (App A Tier 1 Objectives and Procedures Objective 3:1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The board of directors should ensure that an effective internal audit function for the financial institution's payment systems is in place. The audit program should test the quality of retail payment systems internal controls and compliance with laws, regulations, management policies, procedures, an… (Audit, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization should incorporate the funds transfer controls into the information security program to ensure the integrity and confidentiality of customer information is maintained. (Pg 16, Exam Tier II Obj 4.3, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • A comprehensive information security program should be developed, implemented, and maintained; it should contain administrative, physical, and technical safeguards. (§ 314.3(a), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule)
  • The information security program should be reviewed and modified based on the results of the testing and monitoring; after changes are made to the environment; and in any other situation that may have an impact on the information security program. (§ 314.4(e), 16 CFR Part 314, Standards for Safeguarding Customer Information, Final Rule)
  • (SP-3.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Management should design control activities to achieve objectives and respond to risks. (10.01, Standards for Internal Control in the Federal Government)
  • Management should implement control activities through policies. (12.01, Standards for Internal Control in the Federal Government)
  • The organization must develop, document, distribute, and continuously update a security planning policy and procedures for implementing security planning controls. The organization must develop a system security plan. The system security plan must describe the planned security controls, the current … (§ 5.6.12, Exhibit 4 PL-2, Exhibit 6, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • The system security plan must be updated whenever there are significant changes to the information system(s). (§ 5.6.12, Exhibit 4 PL-3, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Senior personnel must ensure appropriate technical surveillance countermeasures are included in the overall security program. (§ 12, Marine Corps Order 5511.11D; Technical Surveillance Countermeasures (TSCM) Program)
  • Provide for a system of internal controls to assure ongoing compliance; (§ 748.2 (c)(1), 12 CFR Part 748, NCUA Guidelines for Safeguarding Member Information, July 1, 2001)
  • Does the Credit Union have a written security program? (IT - 748 Compliance Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the written security program designed to assist in identifying persons who commit or try to commit crimes? (IT - 748 Compliance Q 1e, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the written security policy designed to prevent the destruction of vital records, as defined in rules and regulations part 749? (IT - 748 Compliance Q 1f, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union monitor, evaluate, and modify the information security program, as necessary? (IT - 748 Compliance Q 11, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include an information security program? (IT - Policy Checklist Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Has management developed and implemented a comprehensive security policy and program which describes the standards and procedures used to protect Information Technology assets and member data? (IT - Security Program Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is the security policy and program reviewed on a regular basis and updated based on operational changes or technological changes? (IT - Security Program Q 2, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Internal risk controls for components of the AI system, including third-party AI technologies, are identified and documented. (MAP 4.2, Artificial Intelligence Risk Management Framework, NIST AI 100-1)
  • Form governance structures and operating model. (Level 1 Enterprise Activities Bullet 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • To successfully address evolving cybersecurity risks throughout the supply chain, enterprises need to engage multiple internal processes and capabilities, communicate and collaborate across enterprise levels and mission areas, and ensure that all individuals within the enterprise understand their ro… (3. ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • § 4.11 ¶ 2: If the cryptographic module is designed to mitigate 1 or more attacks, the security policy shall state the security mechanisms the module uses to mitigate the attack(s). App C: Appendix C contains an outline of the required contents for a cryptographic module security policy. (§ 4.11 ¶ 2, App C, FIPS Pub 140-2, Security Requirements for Cryptographic Modules, 2)
  • § 1.5.5 ¶ 2: The organization should have a formal security policy in place for the use of LANs to show how important protecting valued assets is to management and to provide support and direction from the highest levels of management. The LAN security policy should identify the role each employee… (§ 1.5.5 ¶ 2, App A, FIPS Pub 191, Guideline for the Analysis of Local Area Network (LAN) Security)
  • Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information system… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Protection processes are improved (PR.IP-7, Framework for Improving Critical Infrastructure Cybersecurity, v1.1)
  • Protection processes are continuously improved (PR.IP-7, Framework for Improving Critical Infrastructure Cybersecurity, v1.1 (Draft))
  • Organizational information security policy is established. (ID.GV-1, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • (§ 3.2.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure the security plan is documented, disseminated, reviewed, and approved; the security plan meets the requirements of NIST Special Publication 800-18; the security plan lists roles and responsibilities of assigned individuals; and specif… (PL-2, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Organizational records and documents should be examined to ensure the security plan is updated at regular intervals, any changes identified during control assessments or plan implementation are made to the security plan, and specific responsibilities and actions are defined for the implementation of… (PL-3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should ensure the wireless security policy includes Bluetooth and user requirements. The policy should include a password scheme, a list of approved Bluetooth uses, and the type of information that can be transferred over a Bluetooth network. (Pg ES-1, § 4.3, Table 4-2 Item 1, Guide to Bluetooth Security, NIST SP 800-121, September 2008)
  • Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; (PM-1a.1., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • The organization should create a security policy for wireless networking. The policy should address IEEE 802.11 WLAN security and should include roles and responsibilities, WLAN infrastructure security, WLAN client device security, and WLAN security assessments. (§ 6.1, Guide to Securing Legacy IEEE 802.11 Wireless Networks, NIST SP 800-48, Revision 1)
  • The organization should develop a security policy for all mobile handheld devices. The security policy should include required safeguards; cover the full lifecycle of the device; state any restrictions on personal use, such as storing contacts, music, and photos; and state implications on what could… (Pg ES-2, § 4.2.1, Guidelines on Cell Phone and PDA Security, NIST SP 800-124, October 2008)
  • Identify organization-wide common controls that are available for inheritance by organizational systems. (T0938, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop data management capabilities (e.g., cloud-based, centralized cryptographic key management) to include support to the mobile workforce. (T0413, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Establish overall enterprise information security architecture (EISA) with the organization's overall security strategy. (T0095, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Protection processes are improved. (PR.PO-P5, NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization must develop and implement a documented security awareness and training policy. (SG.AT-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The security awareness and training policy must include the scope of the program as it relates to staff, third parties, and contractors. (SG.AT-1 Requirement 1.a.ii, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop a security plan for each smart grid Information System. (SG.PL-2 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system security policy must align with the enterprise architecture. (SG.PL-2 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system security policy must explicitly define the system components. (SG.PL-2 Requirement 1.b, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system security policy must describe the interconnections to and relationships with other smart grid Information Systems. (SG.PL-2 Requirement 1.c, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system security plan must provide an overview of the system's security objectives. (SG.PL-2 Requirement 1.d, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system security plan must describe the implemented security requirements or what is planned to meet the requirements. (SG.PL-2 Requirement 1.e, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The smart grid information system security plan must be reviewed and approved by management before being implemented. (SG.PL-2 Requirement 1.f, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review the smart grid information system security plan on a defined frequency. (SG.PL-2 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must revise the smart grid information system security plan whenever there are changes to the environment, operations, or when problems are identified during security assessments or implementation. (SG.PL-2 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, a formal, documented security planning policy that addresses purpose, roles, responsibilities, scope, compliance, management commitment, and coordination among entities. (App F § PL-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, document, and update a Critical Infrastructure and Key Resources protection plan. (App G § PM-8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop a security plan that is consistent with the enterprise architecture. (App F § PL-2.a Bullet 1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • An organization should create and maintain common controls, which are security controls that protect organizational information systems, and might apply to several information systems. Common controls should be developed with the involvement of management, users, security, and risk management. Senio… (§ 2.3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must review the information security program plan on a predefined frequency. (App G § PM-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization-wide information security program plan generally includes the common controls, unless they are a part of a specific Information System, in which case they should be documented in the specific system security plan. If the common controls are documented in multiple documents, the documents… (§ 2.3 ¶ 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The security plan must document tailoring decisions on all security controls in the selected baseline, along with the specific reasons. These decisions must be approved by an appropriate official. (§ 3.3 ¶ Tailoring the Baseline Security Controls, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The security plan must include the security controls, along with the reasons for their selection and any usage restrictions. Documenting the risk management decisions is vital to allow the Authorizing Officials to have the needed information to make credible, risk-based decisions and will ensure the… (§ 3.3 ¶ Supplementing the Tailored Baseline ¶ 4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The security plan must be updated whenever changes are made to the initial plan and when additional corrective actions are taken to mitigate risk. (§ 3.4 ¶ Bullet 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, formal, documented procedures for implementing the security planning policy and its associated controls. (App F § PL-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop a security plan that explicitly defines the system's authorization boundaries. (App F § PL-2.a Bullet 2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop a security plan that describes the operational context in terms of business processes and missions. (App F § PL-2.a Bullet 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop a security plan that provides the security categorization and the supporting rationale. (App F § PL-2.a Bullet 4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop a security plan that describes the operational environment. (App F § PL-2.a Bullet 5, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop a security plan that describes connections and relationships with other systems. (App F § PL-2.a Bullet 6, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop a security plan that provides a system requirements overview. (App F § PL-2.a Bullet 7, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop a security plan that describes the implemented or planned security controls, including the rationale. (App F § PL-2.a Bullet 8, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop a security plan that is reviewed and approved before the plan is implemented. (App F § PL-2.a Bullet 9, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must review the system security plan on a predefined frequency. (App F § PL-2.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop and disseminate an information security program plan that provides sufficient information to allow implementing the controls in a way that is clearly compliant with the intent of the plan and a determination of risk if the plan is implemented as intended. (App G § PM-1.a Bullet 2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop and disseminate an information security program plan that includes roles, responsibilities, compliance, coordination among entities, and management commitment. (App G § PM-1.a Bullet 3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Identify organization-wide common controls that are available for inheritance by organizational systems. (T0938, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization documents the rationale for such access in the security plan for the information system. (AC-17(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PL-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security planning policy and associated security planning controls. (PL-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security planning policy {organizationally documented frequency}. (PL-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security planning procedures {organizationally documented frequency}. (PL-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that is consistent with the organization's enterprise architecture. (PL-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that explicitly defines the authorization boundary for the system. (PL-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the operational context of the information system in terms of missions and business processes. (PL-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that provides the security categorization of the information system including supporting rationale. (PL-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the operational environment for the information system and relationships with or connections to other information systems. (PL-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that provides an overview of the security requirements for the system. (PL-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that identifies any relevant overlays, if applicable. (PL-2a.7., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions. (PL-2a.8., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews the security plan for the information system {organizationally documented frequency}. (PL-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops and disseminates an organization-wide information security program plan that provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirement… (PM-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization develops and disseminates an organization-wide information security program plan that includes the identification and assignment of roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PM-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews the organization-wide information security program plan {organizationally documented frequency}. (PM-1b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization updates the plan to address organizational changes and problems identified during plan implementation or security control assessments. (PM-1c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization documents the rationale for such access in the security plan for the information system. (AC-17(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PL-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security planning policy and associated security planning controls. (PL-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security planning policy {organizationally documented frequency}. (PL-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security planning procedures {organizationally documented frequency}. (PL-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that is consistent with the organization's enterprise architecture. (PL-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that explicitly defines the authorization boundary for the system. (PL-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the operational context of the information system in terms of missions and business processes. (PL-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that provides the security categorization of the information system including supporting rationale. (PL-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the operational environment for the information system and relationships with or connections to other information systems. (PL-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that provides an overview of the security requirements for the system. (PL-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that identifies any relevant overlays, if applicable. (PL-2a.7., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions. (PL-2a.8., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews the security plan for the information system {organizationally documented frequency}. (PL-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PL-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security planning policy and associated security planning controls. (PL-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security planning policy {organizationally documented frequency}. (PL-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security planning procedures {organizationally documented frequency}. (PL-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that is consistent with the organization's enterprise architecture. (PL-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that explicitly defines the authorization boundary for the system. (PL-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the operational context of the information system in terms of missions and business processes. (PL-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that provides the security categorization of the information system including supporting rationale. (PL-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the operational environment for the information system and relationships with or connections to other information systems. (PL-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that provides an overview of the security requirements for the system. (PL-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that identifies any relevant overlays, if applicable. (PL-2a.7., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions. (PL-2a.8., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews the security plan for the information system {organizationally documented frequency}. (PL-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization documents the rationale for such access in the security plan for the information system. (AC-17(4)(b), Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} a security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance. (PL-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops, documents, and disseminates to {organizationally documented personnel} procedures to facilitate the implementation of the security planning policy and associated security planning controls. (PL-1a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security planning policy {organizationally documented frequency}. (PL-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security planning procedures {organizationally documented frequency}. (PL-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that is consistent with the organization's enterprise architecture. (PL-2a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that explicitly defines the authorization boundary for the system. (PL-2a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the operational context of the information system in terms of missions and business processes. (PL-2a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that provides the security categorization of the information system including supporting rationale. (PL-2a.4., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the operational environment for the information system and relationships with or connections to other information systems. (PL-2a.5., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that provides an overview of the security requirements for the system. (PL-2a.6., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that identifies any relevant overlays, if applicable. (PL-2a.7., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization develops a security plan for the information system that describes the security controls in place or planned for meeting those requirements including a rationale for the tailoring decisions. (PL-2a.8., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews the security plan for the information system {organizationally documented frequency}. (PL-2c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; (PM-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; (PM-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; (PM-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements; (PM-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Licensees must establish, implement, and maintain a cyber security program. This program must protect the assets identified in section 73.54(b)(1). Licensees must establish, implement, and maintain a cyber security plan. The cyber security plan must describe how this section's requirements will be i… (§ 73.54(b)(2), § 73.54(e), § 73.54(e)(1), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • Licensees must, as part of the cyber security program, ensure that when assets identified in section 73.54(b)(1) are modified, they are evaluated before they are implemented to ensure the cyber security program performance objectives are maintained. The cyber security program must be reviewed by the… (§ 73.54(d)(3), § 73.54(g), 10 CFR Part 73.54, Protection of digital computer and communication systems and networks)
  • Firms may be particularly at risk of a data breach from a failure to implement basic controls to prevent unauthorized access to systems or information, such as multifactor authentication or updating access rights based on personnel or system changes. Examiners may review how firms control access to … (Bullet 2: Access Rights and Controls, OCIE’s 2015 Cybersecurity Examination Initiative, Volume IV, Issue 8)
  • Knowledgeable staff should be responsible for developing and updating documentation of all key processes and the controls for those processes. (Pg 20, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • One of management's fundamental responsibilities is to maintain and develop internal controls that are effective. These controls help to safeguard the integrity of the systems. The organization should ensure its information security policies and procedures are adequate. (§ I, § III (Clinger-Cohen Act of 1996), OMB Circular A-123, Management's Responsibility for Internal Control)
  • FMFIA also requires OMB, in consultation with GAO, to establish guidelines for agencies to evaluate their systems of internal control to determine FMFIA compliance. Instead of considering internal control as an isolated management tool, agencies must integrate their efforts to meet the requirements … (Section III ¶ 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Identification of the existing management process that will be used to implement and monitor proposed actions. Those proposed actions that will be discussed with OMB as part of the annual Strategic Review must be identified (See OMB Circular No. A-11, Section 270), as well as proposed actions to be … (Section II (B7) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Management's responsibility is to develop and maintain effective internal control that is consistent with its established risk appetite and risk tolerance levels. In addition, management is responsible for establishing and integrating internal control into its operations in a risk-based and cost ben… (Section III ¶ 5, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • To help managers to combat fraud and preserve integrity in government agencies and programs, GAO identified leading practices for managing fraud risks and organized them into a conceptual framework called the Fraud Risk Management Framework (the Framework, GAO-15-593SP). Managers should adhere to th… (Section III (B2) GAO Framework for Managing Fraud Risks in Federal Programs. ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • A subset of the categories of objectives is the safeguarding of all assets. Management designs an internal control system to provide reasonable assurance regarding the prevention or prompt detection and correction of unauthorized acquisition, use, or disposition of an entity's assets. (Section III ¶ 2, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Document the methodology used, and retain the criticality assessment until no longer valid; (4.2 ¶ 1 Bullet 2, Pipeline Security Guidelines)
  • An airport security program that incorporates the security program of an airport tenant that has access to a secured area may be approved by the Under Secretary, if the security program includes the measures the tenant uses to carry out the access control system requirements, the methods the airport… (§ 44903(c)(2)(A), § 44903(g)(4)(D), § 44906, TITLE 49, Subtitle VII - Aviation Programs, December 5, 2001)
  • States that written security procedures should be developed to provide airport operators with a method to ensure employees and tenants are aware of and understand the security issues. (§ 3.5.1, Transportation Security Administration (TSA) Security Guidelines for General Aviation Airports, Information Publication A-001, May 2004, Version 1.0)
  • § A.3.a.2: Security plans shall be consistent with the guidance issued by the National Institute of Standards and Technology (NIST). The security plan for general support systems shall include the rules of the system; personnel controls; training; continuity; incident response; technical security; … (§ A.3.a.2, § A.3.b.2, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • Anyone who owns, stores, licenses, or maintains personal information about a Massachusetts resident must develop, implement, maintain, and monitor a written information security program. This program must be consistent with industry standards and contain technical, physical, and administrative safeg… (§ 17.03(1), § 17.03(3), § 17.04, Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)
  • The comprehensive information security program must include a review of the program at least annually or whenever there is a change in the business practices. (§ 17.03(3)11, Massachusetts 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth of Massachusetts)
  • Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, dis… (§ 899-bb. 2(a), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)
  • assesses the sufficiency of safeguards in place to control the identified risks; (§ 899-bb. 2(b)(ii)(A)(3), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)
  • adjusts the security program in light of business changes or new circumstances; and (§ 899-bb. 2(b)(ii)(A)(6), New York General Business Law Chapter 20, Article 39-F, Section 899-BB)