Establish, implement, and maintain output review and error handling checks with end users.


CONTROL ID
00929
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures., CC ID: 11619

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • App 2-1 Item Number IV.5(2): A procedure must be included in the output management rules to ensure the output data is accurate and free of omissions or duplications. This is a control item that constitutes a greater risk to financial information. This is an IT application control. App 2-1 Item Numbe… (App 2-1 Item Number IV.5(2), App 2-1 Item Number IV.5(6), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Concrete measures to prevent illegal and unauthorized actions and protect secrecy when creating and handling output information include checking output information to see if the wrong output is not being processed and to confirm the record identification, authority by the use of passwords, total re… (O37.3(5), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • The fax sender should make arrangements with the receiver to notify the sender if the fax does not arrive in a certain amount of time. (Control: 1075 Bullet 2, Australian Government Information Security Manual: Controls)
  • The organization should ensure output encoding is conducted, where appropriate. (Control: 1241, Australian Government Information Security Manual: Controls)
  • To reduce the chances of duplicate orders, customers should be required to click on product selections instead of using the Enter key and receive an "Order Being Processed" message displayed on the screen. The system should check for identical orders within a short time period and send an e-mail to … (Pg 33, VISA E-Commerce Merchants Guide to Risk Management Tools and Best Practices for Building a Secure Internet Business)
  • Website content (e.g., web pages, articles, images) should be protected against corruption or unauthorized disclosure by performing regular checks to ensure that website content is not defamatory. (CF.04.02.03e-1, The Standard of Good Practice for Information Security)
  • The integrity (validity, accuracy, completeness, and timeliness) of information processed and output by business applications should be confirmed by checking against external sources (e.g., by reconciling bank statements, comparing against order processing logs, customer / supplier records or physic… (CF.04.03.03, The Standard of Good Practice for Information Security)
  • Website content (e.g., web pages, articles, images) should be protected against corruption or unauthorized disclosure by performing regular checks to ensure that website content is not defamatory. (CF.04.02.03e-1, The Standard of Good Practice for Information Security, 2013)
  • The integrity (validity, accuracy, completeness, and timeliness) of information processed and output by business applications should be confirmed by checking against external sources (e.g., by reconciling bank statements, comparing against order processing logs, customer / supplier records or physic… (CF.04.03.03, The Standard of Good Practice for Information Security, 2013)
  • The system should not display system error messages to the end users. (Critical Control 6.4, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Outputted data should be tested and reviewed to ensure it is correct and appropriate. (§ 12.2.4, ISO 27002 Code of practice for information security management, 2005)
  • CSR 9.1.2: The organization must review all corrections and have them approved by supervisors before they are reentered. CSR 9.7.1: Users must review output reports for data accuracy, completeness, and validity. These reports include master record change reports, error reports, transaction reports, … (CSR 9.1.2, CSR 9.7.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Human-readable output and electronic output must be reviewed prior to being released outside of the security zone to ensure it has been properly marked with the correct classification level and markings. (§ 8-310, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • The organization should consider using proactive confirmations that require customers to confirm their transaction before it is processed. (Pg 36, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Assess the adequacy of the investigative unit in place to address customer inquiries and control non-posted items, rejects, and differences. Management should periodically receive aging reports that list outstanding items. (App A Tier 2 Objectives and Procedures F.4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Assess the effectiveness and accuracy of the adjustment process (e.g., changes to deposits and reversals) relating to retail EFT/POS and bankcard transactions processed by staff. (App A Tier 2 Objectives and Procedures F.6, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Internal controls should be implemented for the applications to ensure errors do not occur in order to prevent reputation risk to the organization. (Pg 23, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Error messages should be provided only to authorized personnel, such as System Administrators or maintenance personnel. (SI-11.3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)