
Establish, implement, and maintain output distribution procedures.


CONTROL ID
00927
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures., CC ID: 11619

This Control has the following implementation support Control(s):
  • Include printed output in output distribution procedures., CC ID: 13477


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • A data delivery procedure and rules must be developed for output data, and it must be complied with. This is a control item that constitutes a greater risk to financial information. This is an IT application control. (App 2-1 Item Number IV.5(4), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent and for the receiver to notify the sender if the fax message does not arrive in an agreed amount of time. (Control: ISM-1075; Revision: 2, Australian Government Information Security Manual, June 2023)
  • The sender of a fax message makes arrangements for the receiver to collect the fax message as soon as possible after it is sent and for the receiver to notify the sender if the fax message does not arrive in an agreed amount of time. (Control: ISM-1075; Revision: 2, Australian Government Information Security Manual, September 2023)
  • Verify that all data expected for processing are received and processed completely, accurately and in a timely manner, and all output is delivered in accordance with business requirements. Support restart and reprocessing needs. (DS11.1 Business Requirements for Data Management, CobiT, Version 4.1)
  • Establish procedures and associated responsibilities to ensure that output is handled in an authorised manner, delivered to the appropriate recipient, and protected during transmission; that verification, detection and correction of the accuracy of output occurs; and that information provided in the… (AC5 Output Review, Reconciliation and Error Handling, CobiT, Version 4.1)
  • Output controls provide reasonable assurance the processing results are accurate and are only distributed to authorized personnel. See the "Output Controls" table for controls and tests to ensure the output is accurate, complete, and appropriately distributed. (App A (Output Controls), IIA Global Technology Audit Guide (GTAG) 8: Auditing Application Controls)
  • distribution, access, retrieval and use; (§ 7.5.3 ¶ 2 Bullet 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • maintaining an effective distribution system. (7.5.3 ¶ 2 Bullet 3, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • The organization shall distribute information as required by agreed upon schedules or defined circumstances. (§ 6.3.6.3(b)(3), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • distribution, access, retrieval and use; (§ 7.5.3 ¶ 2 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • distribution, access, retrieval and use; (§ 7.5.3.2 a), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • distribution, access, retrieval and use; (§ 7.5.3 ¶ 2 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • distribution, access, retrieval and use; (§ 7.5.3 ¶ 2 Bullet 1, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • distribution, access, retrieval and use; (§ 7.5.3.2(a), ISO/IEC 20000-1:2018, Information technology — Service management — Part 1: Service management system requirements, Third Edition)
  • Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output. (PI1.4 ¶ 2 Bullet 3 Distributes Output Completely and Accurately, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Output is distributed or made available only to intended parties. (PI1.4 ¶ 2 Bullet 2 Distributes Output Only to Intended Parties, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Access to personal information should be restricted by distributing output to only authorized internal personnel. (ID 8.2.2.g, AICPA/CICA Privacy Framework)
  • The organization should restrict logical access to personal information by only distributing output to authorized personnel. (Generally Accepted Privacy Principles and Criteria § 8.2.2 g, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should restrict logical access to personal information by only distributing output to authorized personnel. (Table Ref 8.2.2.g, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should maintain physical control over how reports containing personal information are distributed. (Table Ref 8.2.3, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Output is distributed or made available only to intended parties. (PI1.4 Distributes Output Only to Intended Parties, Trust Services Criteria)
  • Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output. (PI1.4 Distributes Output Completely and Accurately, Trust Services Criteria)
  • Procedures are in place to provide for the completeness, accuracy, and timeliness of distributed output. (PI1.4 ¶ 2 Bullet 3 Distributes Output Completely and Accurately, Trust Services Criteria, (includes March 2020 updates))
  • Output is distributed or made available only to intended parties. (PI1.4 ¶ 2 Bullet 2 Distributes Output Only to Intended Parties, Trust Services Criteria, (includes March 2020 updates))
  • System output is complete, accurate, distributed, and retained to meet the entity’s processing integrity commitments and system requirements. (PI1.5, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • The organization must assign responsibility to ensure all outputs are produced and distributed in accordance with the system requirements and design. (CSR 9.6.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • § 820.130: A medical device manufacturer shall ensure the packaging and shipping containers used for its devices are designed and constructed for protecting the devices from damage and alteration during normal conditions of processing, storage, handling, and distribution. § 820.160(a): A medical d… (§ 820.130, § 820.160(a), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • EXCEPTION: An MDM is not required when receiving CJI from an indirect access information system (i.e. the system provides no capability to conduct transactional activities on state and national repositories, applications or services). However, it is incumbent upon the authorized agency to ensure CJI… (§ 5.13.2 ¶ 4, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.9.1, Version 5.9.1)
  • The organization should implement controls for handling sensitive system output, both hard copy and electronic forms. (Pg 27, FFIEC IT Examination Handbook - Operations, July 2004)
  • Output distribution, and (App A Tier 2 Objectives and Procedures G.1 Bullet 2 Sub-Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the effectiveness of personnel responsible for internal ATM processing. Determine whether there are: • Controls prohibiting staff members who originate entries from processing and physically handling cash. • Proper control of all source documents (e.g., checks for deposit) maintained thro… (Exam Tier II Obj 7.1, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization shall have procedures and controls in place for generating accurate and complete copies of human readable and electronic form records that are suitable for inspection, review, and copying. Individuals who have questions about the ability of the Food and Drug Administration (FDA) to … (§ 11.10(b), 21 CFR Part 11, Electronic Records; Electronic Signatures)
  • Because the ISCP contains potentially sensitive operational and personnel information, its distribution should be marked accordingly and controlled. Typically, copies of the plan are provided to recovery personnel for storage. A copy should also be stored at the alternate site and with the backup me… (§ 3.6 ¶ 3, NIST SP 800-34, Contingency Planning Guide for Federal Information Systems, Rev. 1 (Final))
  • The organization should implement application controls to ensure that all output is properly secured and cannot be modified or damaged and is distributed to the correct personnel. (Pg 33, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)