
Establish and maintain the scope of the organizational compliance framework and Information Assurance controls.


CONTROL ID
01241
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Leadership and high level objectives, CC ID: 00597

This Control has the following implementation support Control(s):
  • Define the scope of the security policy., CC ID: 07145
  • Identify roles, tasks, information, systems, and assets that fall under the organization's mandated Authority Documents., CC ID: 00688
  • Correlate Information Systems with applicable controls., CC ID: 01621
  • Establish, implement, and maintain a policy and procedure management program., CC ID: 06285
  • Estimate the costs of implementing the compliance framework., CC ID: 07191


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • A privileged wire, oral, or electronic communication intercepted in accordance with this act does not lose its privileged status. (§ 71, The Electronic Communications and Transactions Act, 2002)
  • App 2-1 Item Number I.1.1(1): The organization must establish a policy on IT governance. This is a control item that constitutes a greater risk to financial information. This is a company-level IT control. App 2-1 Item Number I.6(5): The organization must periodically assess the level of compliance … (App 2-1 Item Number I.1.1(1), App 2-1 Item Number I.6(5), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • An APRA-regulated entity must have information security controls to protect its information assets, including those managed by related parties and third parties, that are implemented in a timely manner and that are commensurate with: (21., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • the potential consequences of an information security incident. (21.(d), Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • As a part of scoping the project, a general canvass of all issues, options, and recommendations is reported. (Step A, Pg 11, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • Institutions and payment institutions should maintain at all times sufficient substance and not become 'empty shells' or 'letter-box entities'. To this end, they should: (4.6 39, Final Report on EBA Guidelines on outsourcing arrangements)
  • The scope within which the ISMS should be responsible must be defined initially. The scope frequently includes the entire organisation, but can also, for example, refer to one or more specialised tasks or business processes or one or more organisational units. In this, it is important that the consi… (§ 7.1 Subsection 4 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Implement the security concept by summarizing missing or partially implemented IT-Grundschutz Safeguards as well as any additional security safeguards in a table. (5 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Select and adapt safeguards by systematically working through the "layer model and modeling" section in the IT-Grundschutz Catalogues. (4.4 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Determine, for each module in the IT-Grundschutz Catalogues, which target objects in the information domain being examined it applies to. (4.4 Bullet 2, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Select and adapt safeguards, marking any target objects that could not be modeled properly for a supplementary security analysis. (4.4 Bullet 4, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Select and adapt safeguards by carefully reading the text of each safeguard in the modules identified and adapting them accordingly if necessary. (4.4 Bullet 5, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Supplement the security analysis by systematically working through BSI Standard 100-3 "Risk Analysis based on IT-Grundschutz". (4.6 Bullet 5, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Read the security management information from the BSI on the qualification scheme and the ISO 27001 certification scheme on the basis of IT-Grundschutz. (7 Bullet 1, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Which information is processed within scope of these business processes? (§ 3.2.1 Subsection 2 ¶ 3 Bullet 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Then it should be documented for which area and with which schedule a Basic Protection, Standard Protection and/or Core Protection should be implemented. The corresponding scopes of the information domain should be defined. (§ 3.3.5 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In addition to the approach, also the design of the information domain to be protected with it must be defined. This may include the whole organisation or just parts. For example, certain organisational units of an organisation can be considered to be an information domain. However, this can also be… (§ 3.3.4 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • If possible, the scope should comprise all areas, aspects and components which serve for supporting the specialised tasks, business processes or organisational units and which are administrated within the organisation. (§ 3.3.4 ¶ 7 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Define which critical business processes, specialised tasks or parts of the organisation should be included in the scope (§ 3.3.4 Subsection 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Clearly delimit the scope (§ 3.3.4 Subsection 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The scope may include the whole organisation or just individual areas. In any case, the scope should be clearly delimited and should be reasonably self-contained, with a few, uniquely defined interfaces. Thus, at first an organisation could implement the Basic Protection for a newly added department… (§ 6.1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • the scope of application should be extended (e.g. from Core Protection of a limited area to a larger information domain). (§ 10.2 Subsection 5 ¶ 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Legally, regulatory and statutory prescribed requirements, as well as the procedure to comply with these requirements and regulations must be identified, documented and updated regularly by the cloud provider for the cloud service related to the respective application. (Section 5.16 COM-01 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • When organizations and their contractors are subject to statutory security requirements, these requirements take precedence over this framework. (Mandatory Requirement 1, HMG Security Policy Framework, Version 6.0 May 2011)
  • The purpose of the information security management practice is to protect the information needed by the organization to conduct its business. This includes understanding and managing risks to the confidentiality, integrity, and availability of information, as well as other aspects of information sec… (5.1.3 ¶ 1, ITIL Foundation, 4 Edition)
  • The Board should ensure the organization is in compliance with applicable laws and regulations. (§ VI.D, OECD Principles of Corporate Governance, 2004)
  • Definition of activities for maintaining and monitoring overall PCI DSS compliance, including business-as-usual activities (A3.1.2 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Policies and practices reflect expectations of competence necessary to support the achievement of objectives. (§ 3 Principle 4 Points of Focus: Establishes Policies and Practices, COSO Internal Control - Integrated Framework (2013))
  • Review and if necessary challenge the scope set out in the BCM Policy. (Stage 1.1 Process, Business Continuity Institute (BCI) Good Practice Guidelines, 2005)
  • A potential subject area in the IT audit universe is the regulatory area. The auditors need to determine if rigorous processes have been implemented and if they are operating effectively to ensure the regulations are being complied with. (§ 4.6, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • Privacy programs should be based on complying with applicable laws and regulations. Privacy attorneys may be used to help design compliant privacy programs, provide counsel for privacy incidents, and review third party contracts for compliance with privacy controls. Privacy laws and regulations chan… (§ 5.4 (Legal and Organizational Risks), IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • When developing, implementing, and maintaining the organizational resilience management system, the organization must ensure it considers all the regulatory, legal, and other requirements to which the organization is subject. (§ 4.3.2 ¶ 3, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organization's governing body (eg board of directors or equivalent) should ensure that the information security governance framework is supported by an Information Assurance program. (SG.01.01.02c-2, The Standard of Good Practice for Information Security)
  • An Information Assurance program should be established which states that a suitable control framework is implemented. (SG.02.03.03c, The Standard of Good Practice for Information Security)
  • The Information Assurance program should be consistent with the management and reporting of other types of risk in the organization (for example, operational risk, financial risk, market risk). (SG.02.03.04b, The Standard of Good Practice for Information Security)
  • Security compliance obligations, together with the associated information security requirements and security controls, should be recorded in a matrix (e.g., in a database, via a specialised piece of software or on paper), which is fully populated. (SI.02.03.05b, The Standard of Good Practice for Information Security)
  • Security compliance obligations, together with the associated information security requirements and security controls, should be recorded in a matrix (e.g., in a database, via a specialised piece of software or on paper), which is maintained (i.e., updated and reviewed) on a regular basis. (SI.02.03.05c, The Standard of Good Practice for Information Security)
  • Methods of meeting security requirements should be defined, which include agreement on whether Information Security compliance metrics will be reflected in the organization's overall compliance scorecard or equivalent. (SI.02.03.06d, The Standard of Good Practice for Information Security)
  • The organization's governing body (eg board of directors or equivalent) should ensure that the information security governance framework is supported by an Information Assurance program. (SG.01.01.02c-2, The Standard of Good Practice for Information Security, 2013)
  • An Information Assurance program should be established which states that a suitable control framework is implemented. (SG.02.03.03c, The Standard of Good Practice for Information Security, 2013)
  • The Information Assurance program should be consistent with the management and reporting of other types of risk in the organization (for example, operational risk, financial risk, market risk). (SG.02.03.04b, The Standard of Good Practice for Information Security, 2013)
  • Security compliance obligations, together with the associated information security requirements and security controls, should be recorded in a matrix (e.g., in a database, via a specialised piece of software or on paper), which is fully populated. (SI.02.03.05b, The Standard of Good Practice for Information Security, 2013)
  • Security compliance obligations, together with the associated information security requirements and security controls, should be recorded in a matrix (e.g., in a database, via a specialised piece of software or on paper), which is maintained (i.e., updated and reviewed) on a regular basis. (SI.02.03.05c, The Standard of Good Practice for Information Security, 2013)
  • Methods of meeting security requirements should be defined, which include agreement on whether Information Security compliance metrics will be reflected in the organization's overall compliance scorecard or equivalent. (SI.02.03.06d, The Standard of Good Practice for Information Security, 2013)
  • The information security assurance program should be applied consistently throughout the organization. (SG.02.03.04c, The Standard of Good Practice for Information Security, 2013)
  • The information security assurance program should be applied consistently throughout the organization. (SG.02.03.04a, The Standard of Good Practice for Information Security, 2013)
  • Identify and document all relevant standards, regulations, legal/contractual, and statutory requirements, which are applicable to your organization. (GRC-07, Cloud Controls Matrix, v4.0)
  • § 3.8 Constraints. An organization should assess constraints when implementing an effective ICT security program. Constraints are normally set or recognized by the organization's management and influenced by the environment within which the organization operates. Some examples of constraints are; o… (§ 3.8, § 4.2, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Before starting any risk analysis activity, an organization should have a strategy in place for this analysis, and its constituent parts (methods, techniques, etc.) should be documented in the corporate IT security policy. The means and criteria for the selection of the risk analysis method should b… (¶ 8, ¶ 11.2, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • Security Compliance Checking. An organization should implement safeguards which assure that compliance is maintained with all required safeguards, and relevant laws, regulations and policies, since any safeguard, regulation or policy can only be working as long as users comply, and systems conform, … (¶ 8.1.2(1), ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • the external and internal issues referred to in 4.1; (§ 4.3 ¶ 2 a), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • the compliance obligations referred to in 4.2; (§ 4.3 ¶ 2 b), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization should determine the boundaries and applicability of the compliance management system to establish its scope. (§ 4.3 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the requirements referred to in 4.2 and 4.5.1. (§ 4.3 ¶ 2 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the external and internal issues referred to in 4.1; (§ 4.3 ¶ 2 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Sources of compliance obligations should include compliance requirements and can include compliance commitments. (§ 4.5.1 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • the application and context of the system in relation to the size, nature and complexity of the organization and its operating environment; (§ 5.2.1 ¶ 2 Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • all levels of the organization; (§ 5.3.3 ¶ 1 d) 3) Bullet 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • identifying compliance obligations with the support of relevant resources and translating those obligations into actionable policies , procedures and processes; (§ 5.3.4 ¶ 2 a), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The service management plan shall include the defined scope of the service management system. (§ 4.5.1 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall implement and operate technical, physical, and administrative Information Security controls to achieve information security management objectives. (§ 6.6.2 ¶ 1(c), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Information Security controls shall be documented and describe the risks to the controls, their operation, and maintenance. (§ 6.6.2 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The scope shall be available as documented information. (§ 4.3 ¶ 3, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • The organization shall determine the boundaries and applicability of the information security management system to establish its scope. (§ 4.3 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • the external and internal issues referred to in 4.1; (§ 4.3 ¶ 2 a), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • the requirements referred to in 4.2; and (§ 4.3 ¶ 2 b), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • interfaces and dependencies between activities performed by the organization, and those that are performed by other organizations. (§ 4.3 ¶ 2 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • § 7.3: The organization should define scope and boundaries for its information security risk management. During this process, the organization should consider its business processes; strategies and policies, business objectives, functions, and structure; information security policy; risk management… (§ 7.3, Annex A, ISO 27005 Information technology -- Security techniques -- Information security risk management, 2011)
  • A formal scope statement shall be produced that defines the boundary of compliance activity in terms of people, processes, places, platforms and applications. (§ 6.1.1 Health-specific control ¶ 4, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • the external and internal issues referred to in 4.1; (§ 4.3 ¶ 2 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The scope shall be available as documented information. (§ 4.3 ¶ 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall determine the boundaries and applicability of the compliance management system to establish its scope. (§ 4.3 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • all levels of the organization; (§ 5.3.2 ¶ 4 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the requirements referred to in 4.2, 4.5 and 4.6. (§ 4.3 ¶ 2 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the compliance obligations identified (see 4.5); (§ 6.1 ¶ 2 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the external and internal issues referred to in 4.1; (4.3 ¶ 2(a), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • The scope of the organization's quality management system shall be available and be maintained as documented information. The scope shall state the types of products and services covered, and provide justification for any requirement of this International Standard that the organization determines is… (4.3 ¶ 4, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • the external and internal issues referred to in 4.1; (§ 4.3 ¶ 2 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The scope shall be available as documented information. (§ 4.3 ¶ 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall determine the boundaries and applicability of the compliance management system to establish its scope. (§ 4.3 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the requirements referred to in 4.2 and 6.3. (§ 4.3 ¶ 2 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the compliance obligations identified (see 6.3) and (§ 6.1 ¶ 2 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • all levels of the organization; (§ 5.3.2 ¶ 6 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall determine the boundaries and applicability of the IT asset management system to establish its scope. The scope shall be aligned with the strategic IT asset management plan and the IT asset management policy. When determining this scope, the organization shall consider: (Section 4.3 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the processes and activities that are affected by mixed responsibilities between the organization and its personnel (including the scope and boundaries of the affected processes and activities); (Section 8.8 ¶ 3(a), ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The scope shall be available as documented information. (§ 4.3 ¶ 3, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The organization shall determine the boundaries and applicability of the information security management system to establish its scope. (§ 4.3 ¶ 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • Data. Data are an important resource for the organization and their protection and integrity should be an organizational objective. (§ 6.7.3 ¶ 1 Bullet 6, ISO/IEC 38507:2022, Information technology — Governance of IT — Governance implications of the use of artificial intelligence by organizations)
  • Policies and practices reflect expectations of competence necessary to support the achievement of objectives. (CC1.4 ¶ 3 Bullet 1 Establishes Policies and Practices, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization has established and applies appropriate controls to address the inherent risk of internal dependencies. (DM.ID-1.4, CRI Profile, v1.2)
  • The organization has established and applies appropriate controls to address the inherent risk of internal dependencies. (DM.ID-1.4, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The service organization designs, implements, and operates controls at the entity level that are necessary to support the achievement of its service commitments and system requirements. That is particularly true for controls that address the trust services criteria for the control environment compon… (¶ 2.127, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Policies and practices reflect expectations of competence necessary to support the achievement of objectives. (CC1.4 Establishes Policies and Practices, Trust Services Criteria)
  • Policies and practices reflect expectations of competence necessary to support the achievement of objectives. (CC1.4 ¶ 3 Bullet 1 Establishes Policies and Practices, Trust Services Criteria, (includes March 2020 updates))
  • Principle: Firms should implement technical controls to protect firm software and hardware that stores and processes data, as well as the data itself. Effective practices include: - implementing a defense-in-depth strategy; - selecting controls appropriate to the firm’s technology and threat envir… (Technical Controls, Report on Cybersecurity Practices)
  • The National Integrated Technical Surveillance Countermeasure Committee (NITC) shall provide policy guidance, strategic guidance, and procedural guidance on all Technical Surveillance Countermeasure matters. (§ D.2, Intelligence Community Directive Number 702, Technical Surveillance Countermeasures)
  • A business associate of a covered entity may use and disclose protected health information within the compliance requirements of the agreement between the two organizations following the same constraints as the covered entity. (§ 13404(a), American Recovery and Reinvestment Act of 2009, Division A Title XIII Health Information Technology)
  • The organization's compliance program should, at a minimum, be in writing, be approved by the Board of Directors, and be noted as approved in the Board minutes. The compliance program must include internal controls, independent testing, training, and daily monitoring of compliance. (Pg 5, Obj 13 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Interview management to determine if the organization's internal controls ensure compliance with laws and regulations and minimize risk. (Pg 5, Obj 13 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • A comprehensive personal data privacy and security program that includes technical, physical, and administrative safeguards appropriate for the complexity and size of the business entity and the scope and nature of its activities must be implemented. (§ 302(a)(1), Leahy Personal Data Privacy and Security Act of 2009, Senate Bill 1490, 111th Congress)
  • The organization must conduct an Information Assurance review on an annual basis. (DCAR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The annual Information Assurance review must evaluate current policies and processes for procedural consistency. (DCAR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The annual Information Assurance review must verify that the Information Assurance policies and processes support the uninterrupted operations goal. (DCAR-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Commercial off-the-shelf products that are used for data separation, Access Control, or privacy on a classified system that is already protected by high-robustness products satisfy this requirement. (DCSR-3, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • The calibration standards that are being used for measuring, inspection, and test equipment shall be traceable to international or national standards. If a standard is not available or practical, the medical device manufacturer shall use an independent reproducible standard. If there is no applicabl… (§ 820.72(b)(1), 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Covered entities are required to comply with the administrative requirements of §§ 164.530(b), 164.530(d), 164.530(e), 164.530(g), 164.530(h), 164.530(i), and 164.530(j) with respect to this subpart's requirements. (§ 164.414(a), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • A covered entity must have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information. (§ 164.530(c)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • An organization should implement a protective program. The DIB protection program relies upon certain core actions and processes that consist of: • developing plans that address the remediation of vulnerabilities, mitigation, and consequence management for the facility; • developing protective c… (§ 5.3 ¶ 1, Defense Industrial Base Information Assurance Standard)
  • Scope. (App A Objective 2:10a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • If the audit vendor also performs the institution's external audit or other consulting services, determine whether the institution and the vendor have discussed, determined, and documented that applicable statutory and regulatory independence standards are being met. Note - If the institution is a p… (Exam Tier I Obj 11.9, FFIEC IT Examination Handbook - Audit, August 2003)
  • Departmental management and the quality of information security and GLBA 501(b) compliance policies relating to retail payment system-generated customer data. (App A Tier 1 Objectives and Procedures Objective 3:1 Bullet 4, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Policies and procedures for underwriting, account management, and collection activities. (App A Tier 1 Objectives and Procedures Objective 6:8 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • A description of the retail payment system activities performed and scope of operations, including check item processing, RDC, lock-box services that provide ACH check conversion or check truncation, ACH, bankcard issuing and acquiring, clearance, settlement, and EFT/POS network activity. (App A Tier 1 Objectives and Procedures Objective 2:4 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • The organization should enforce the regulations and compliance requirements for retail payment services. (Pg 36, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • The organization's compliance program should include internal controls to ensure compliance; independent testing for compliance by either internal or external personnel; an individual or group who is responsible for monitoring day-to-day compliance; and training for appropriate personnel. (Pg 29, Exam Tier I Obj 2.1, Exam Tier II Obj 13.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • Promote awareness of security issues among management and ensure sound security principles are reflected in the organization's vision and goals. (T0248, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should use NIST Special Publication 800-53 to select, implement, and demonstrate the effectiveness of security controls. This standard complies with, and is complementary to, other established Information Security standards. (§ 1.3, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The development, implementation, assessment, authorization, and monitoring of controls should be coordinated by the organization. The identification of common controls should be done via an organization-wide exercise that involves the Chief Information Officer, Senior Information Security Officer, r… (§ 2.3 ¶ 1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Promote awareness of security issues among management and ensure sound security principles are reflected in the organization's vision and goals. (T0248, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop, implement, and recommend changes to appropriate planning procedures and policies. (T0670, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)