Establish, implement, and maintain a Governance, Risk, and Compliance framework.

CONTROL ID: 01406
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Operational management, CC ID: 00805

This Control has the following implementation support Control(s):
  • Disseminate and communicate updates to the Governance, Risk, and Compliance framework to interested personnel and affected parties., CC ID: 06955
  • Include enterprise architecture in the Governance, Risk, and Compliance framework., CC ID: 13266
  • Establish, implement, and maintain security requirements based on applicable regulations., CC ID: 16283
  • Acquire resources necessary to support Governance, Risk, and Compliance., CC ID: 12861
  • Establish, implement, and maintain a prioritized plan for updating the Governance, Risk, and Compliance framework., CC ID: 12853
  • Integrate the use of technology in supporting the Governance, Risk, and Compliance capabilities., CC ID: 12915
  • Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities., CC ID: 12895
  • Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives., CC ID: 12809
  • Assign accountability for maintaining the Governance, Risk, and Compliance framework., CC ID: 12523
  • Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework., CC ID: 12524
  • Establish, implement, and maintain a compliance policy., CC ID: 14807
  • Establish, implement, and maintain a governance policy., CC ID: 15587
  • Establish, implement, and maintain a positive information control environment., CC ID: 00813
  • Establish, implement, and maintain an internal control framework., CC ID: 00820
  • Disseminate and communicate the cybersecurity policy to interested personnel and affected parties., CC ID: 16835
  • Establish, implement, and maintain a cybersecurity policy., CC ID: 16833
  • Establish, implement, and maintain an information security program., CC ID: 00812
  • Establish, implement, and maintain nondisclosure agreements., CC ID: 04536
  • Establish, implement, and maintain a use of information agreement., CC ID: 06215
  • Implement and comply with the Governance, Risk, and Compliance framework., CC ID: 00818


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The processes and procedures for ensuring the internal system of controls is effective should be reviewed regularly by the Board of Directors. (¶ 2.6.4, The King Committee on Corporate Governance, Executive Summary of the King Report 2002, March 2002)
  • Achieving a consistent standard of sound practices for IT controls across an AI requires clear direction and commitment from the Board and senior management. In this connection, senior management, who may be assisted by a delegated sub-committee, is responsible for developing a set of IT control pol… (2.1.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The organization must develop an overall optimization plan. This is a control item that constitutes a greater risk to financial information. This is a company-level IT control. (App 2-1 Item Number I.1.3(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • App 2-1 Item Number I.1.4(2): The organization must periodically review the overall optimization plan and when the business environment changes. This is a control item that constitutes a relatively small risk to financial information. This is a company-level IT control. App 2-1 Item Number VI.1.2(1)… (App 2-1 Item Number I.1.4(2), App 2-1 Item Number VI.1.2(1), Appendix 1 Correspondence of the System Management Standards - Supplementary Edition to other standards)
  • Practice Standard § I.5(2)[1]: Internal controls must be developed based on a consistent policy. Company Law requires the Board of Directors to determine the basic internal control policies. The basic plans and policies for operating internal control at the company level and process level should be… (Practice Standard § I.5(2)[1], Exhibit 1 (Control Environment), On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The organization shall define the operations management methods for conducting transactions using the Internet, mobile devices, and more. (O106, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Top management must participate in revising the security policy, since it may impact the security management for the entire organization. (O1.1, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Information security governance consists of the leadership, organizational structures and processes that protect information and mitigate growing information security threats like the ones detailed above. (Information Security Governance ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • In view of the constant changes occurring in the internet environment and online delivery channels, management should institute a risk monitoring and compliance regime on an ongoing basis to ascertain the performance and effectiveness of the risk management process. When risk parameters change, the … (Critical components of information security 31) (v), Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • ensuring that senior management establishes appropriate governance structures and processes for sound and prudent risk management, such as a management body that reviews controls for consistency and alignment with a comprehensive institution-wide view of risk; and (5.2.2 (e), Guidelines on Outsourcing)
  • reviewing regularly the effectiveness of, and appropriately adjusting, policies, standards and procedures to reflect changes in the institution's overall risk profile and risk environment; (5.2.3 (c), Guidelines on Outsourcing)
  • The types of risks in CS that confront institutions are not distinct from that of other forms of outsourcing arrangements. Institutions should perform the necessary due diligence and apply sound governance and risk management practices articulated in this set of guidelines when subscribing to CS. (6.6, Guidelines on Outsourcing)
  • Due to rapid changes in the IT operating and security environment, policies, standards and procedures should be regularly reviewed and updated. (§ 3.2.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The framework should comprise the governance structure, processes and procedures for change management, software release management, incident and problem management as well as capacity management. (§ 7.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The FI should establish policies, standards and procedures and, where appropriate, incorporate industry standards and best practices to manage technology risks and safeguard information assets in the FI. The policies, standards and procedures should also be regularly reviewed and updated, taking int… (§ 3.2.1, Technology Risk Management Guidelines, January 2021)
  • develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act; (Part III Section 12 ¶ 1(a), Singapore Personal Data Protection Act 2012 (No. 26 of 2012))
  • develop and implement policies and practices that are necessary for the organisation to meet the obligations of the organisation under this Act; (§ 12.(a), Singapore Personal Data Protection Act 2012 (No. 26 of 2012), Revised Edition 2021)
  • The organization should ensure the Standard Operating Procedures, the Security Risk Management Plan, the System Security Plan, and the incident response plan are consistent and logically connected for each system and with the information security policy. (Control: 0044, Australian Government Information Security Manual: Controls)
  • The organization should create and maintain a document framework that includes a hierarchical listing of the information security documentation, along with their relationships. (Control: 0787, Australian Government Information Security Manual: Controls)
  • The organization should develop and implement a policy to automatically logout and shutdown workstations after a predetermined period of inactivity. (Control: 0853, Australian Government Information Security Manual: Controls)
  • The organization must develop, implement, and maintain an intrusion detection and prevention strategy that includes periodically auditing the intrusion detection and prevention procedures. (Control: 0576 Bullet 3, Australian Government Information Security Manual: Controls)
  • The organization should continually update the information technology security Risk Management Framework. (¶ 31, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • All security documents should be reviewed on a regular basis. The reviews should be conducted at least yearly and when changes are made to the environment or system. The date the review was done should be included on each security document. (§ 2.2.16, § 2.8.3, Australian Government ICT Security Manual (ACSI 33))
  • The organization should create a document describing the documentation framework. It should include a hierarchical list of all security documents. (§ 2.2.11, Australian Government ICT Security Manual (ACSI 33))
  • The information commissioner may review the operation of an approved privacy code. (§ 18BH(1), Act No. 119 of 1988 as amended, taking into account amendments up to Freedom of Information Amendment (Parliamentary Budget Office) Act 2012)
  • The incident prevention plan may include a review of policies and procedures. (Step 4 Bullet 2, Key Steps for Organizations in Responding to Privacy Breaches)
  • The incident prevention plan may include reviewing and updating the plan on a regular basis. (Step 4 Bullet 2, Key Steps for Organizations in Responding to Privacy Breaches)
  • Financial institutions should ensure that the ICT and security risk management framework is documented, and continuously improved, based on 'lessons learned' during its implementation and monitoring. The ICT and security risk management framework should be approved and reviewed, at least once a year… (3.3.1 14, Final Report EBA Guidelines on ICT and security risk management)
  • includes governance processes (e.g. progress and budget monitoring and reporting) and relevant bodies (e.g. a project management office (PMO), an ICT steering group or equivalent) to effectively support the implementation of the ICT strategic programmes; (Title 2 2.2.2 27.a, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • a governance framework to achieve the objectives and priorities of the national strategy on the security of network and information systems, including roles and responsibilities of the government bodies and the other relevant actors; (Art. 7.1(b), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • a governance framework to achieve the objectives and priorities referred to in point (a) of this paragraph, including the policies referred to in paragraph 2; (Article 7 1(b), DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive))
  • Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk, in accordance with Article 6(4), in order to achieve a high level of digital operational resilience. (Art. 5.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • set clear roles and responsibilities for all ICT-related functions and establish appropriate governance arrangements to ensure effective and timely communication, cooperation and coordination among those functions; (Art. 5.2. ¶ 2(c), Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The Board of Directors must review the relevance of all organizational instructions and, at least annually, ensure the instructions are up to date. (¶ III.3.5.1, Swedish Code of Corporate Governance; A Proposal by the Code Group, Stockholm 2004)
  • The Management Board must establish and maintain procedures to ensure all major financial information is reported to the Management Board in a timely manner without losing its integrity. (¶ V.1.3, The Dutch corporate governance code, Principles of good corporate governance and best practice provisions, 9 December 2003)
  • Data security regulations must be issued and available to all employees, so they can review them at any time. (§ 14(6), Austria Data Protection Act)
  • being capable of being effectively supervised by the PRA; (§ 4.6 Bullet 1, SS2/21 Outsourcing and third party risk management, March 2021)
  • the 'suitability' Threshold Condition in Sections 4E (Part 1A) (insurers) and 5E (Part 1E) (banks) of FSMA. This should include retaining a clear and transparent organisational framework and structure; and (§ 4.6 Bullet 2, SS2/21 Outsourcing and third party risk management, March 2021)
  • The senior information risk officer is responsible for developing and implementing the information risk policy and for regularly reviewing it. (Policy ownership ¶3, Guidance on the Departmental Information Risk Policy, March 2009)
  • A governance framework is vital to co-ordinate and direct the management of the service. (4. ¶ 1, Cloud Security Guidance, 2)
  • The organization should implement robust procedures and policies to control residual risks. (¶ 115, Basel II: International Convergence of Capital Measurement and Capital Standards - A Revised Framework)
  • The Board of Directors should regularly review the risk framework for changes in the environment or market and the introduction of new products or systems. (¶ 15, BIS Sound Practices for the Management and Supervision of Operational Risk)
  • The organization should develop a corporate governance framework. This framework should be consistent with applicable laws and regulations and ensure the responsibilities between the different authorities are clearly stated. (§ I, OECD Principles of Corporate Governance, 2004)
  • How, and how often is the information policy and auditing process reviewed? (Table Row II.2, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • How often are the adequacy of policies, procedures, and standards that govern security requirements for outsourced service providers, customers, and business associates reviewed? (Table Row II.42, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Are outsourced security policies constantly updated? (Table Row II.48, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • The user manuals and Standard Operating Procedures for all systems are required to be maintained. (¶ 15.3 Bullet 4, Good Practices For Computerized systems In Regulated GXP Environments)
  • The procedures for issuing passwords and identification codes should be periodically checked, recalled, or updated. (¶ 19.3 Bullet 4, Good Practices For Computerized systems In Regulated GXP Environments)
  • Organizations must have a computerized systems validation policy with links to plans and Standard Operating Procedures, to include an inventory of all computerized systems classified by use, criticality, and validation status. (¶ 23.8, Good Practices For Computerized systems In Regulated GXP Environments)
  • The organization must review written policies and documented procedures no less than annually and revise them as necessary. (CORE - 3(c), URAC Health Utilization Management Standards, Version 6)
  • Develop and maintain a set of policies to support IT strategy. These policies should include policy intent; roles and responsibilities; exception process; compliance approach; and references to procedures, standards and guidelines. Their relevance should be confirmed and approved regularly. (PO6.3 IT Policies Management, CobiT, Version 4.1)
  • Define, establish and align the IT governance framework with the overall enterprise governance and control environment. Base the framework on a suitable IT process and control model and provide for unambiguous accountability and practices to avoid a breakdown in internal control and oversight. Confi… (ME4.1 Establishment of an IT Governance Framework, CobiT, Version 4.1)
  • Establish a schedule for periodic reevaluation of the capability design in light of objectives, opportunities, threats, requirements, and changes to the context. (OCEG GRC Capability Model, v. 3.0, R1.1 Monitor and Evaluate Capability Design, OCEG GRC Capability Model, v 3.0)
  • Review information from periodic evaluations, detective and responsive actions and controls, monitoring, and assurance, to identify opportunities for capability improvements. (OCEG GRC Capability Model, v. 3.0, R3 Improvement, OCEG GRC Capability Model, v 3.0)
  • Identify and evaluate the existing capability (people, process, and technology) and how it affects ability to achieve objectives. (OCEG GRC Capability Model, v 3.0, A3.1 Review Capability, OCEG GRC Capability Model, v 3.0)
  • Establish an organizing structure for identifying, creating, approving, enforcing, and updating policies and related procedures (OCEG GRC Capability Model, v. 3.0, P2.2 Establish Policy Structure, OCEG GRC Capability Model, v 3.0)
  • Develop a plan and acquire resources to govern, assure and manage changes to approaches to addressing reward, risk and compliance. (OCEG GRC Capability Model, v 3.0, A5.9 Develop Integrated Plan, OCEG GRC Capability Model, v 3.0)
  • Develop usage policies for critical employee-facing technologies to define proper use of these technologies for all employees and contractors. (§ 12.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 2.0)
  • Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. (3.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. (6.4.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. (3.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • A formal PCI DSS compliance program must be in place to include: (A3.1.2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for protecting stored cardholder data are documented, in use, and known to all affected parties. (3.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable. (6.4.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? (6.4.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.2)
  • Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? (6.4.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.2)
  • Are security policies and operational procedures for protecting stored cardholder data: - Documented - In use - Known to all affected parties? (3.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? (6.4.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for protecting stored cardholder data: - Documented - In use - Known to all affected parties? (3.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Upon completion of a significant change, are all relevant PCI DSS requirements implemented on all new or changed systems and networks, and documentation updated as applicable? (6.4.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Are security policies and operational procedures for protecting stored cardholder data: - Documented - In use - Known to all affected parties? (3.7, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire P2PE and Attestation of Compliance, Version 3.2)
  • For a sample of significant changes, examine change records, interview personnel, and observe the affected systems/networks to verify that applicable PCI DSS requirements were implemented and documentation updated as part of the change. (6.4.6, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for protecting stored cardholder data are: - Documented, - In use, and - Known to all affected parties. (3.7, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • An implementation guide should be developed, maintained, and disseminated to resellers, customers, and integrators addressing all the requirements in this document. The guide should be reviewed annually and updated when changes are made to the software or the requirements. (§ 14.1 thru § 14.1.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • An implementation guide should be developed, maintained, and disseminated to resellers, customers, and integrators addressing all the requirements in this document. The guide should be reviewed annually and updated when changes are made to the software or the requirements. (§ 14.1.2, Payment Card Industry (PCI) Payment Application Data Security Standard, Version 1.1)
  • A formal PCI DSS compliance program is in place that includes: (A3.1.2, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Examine information security policies and procedures to verify that processes are defined for a formal PCI DSS compliance program that includes all elements specified in this requirement. (A3.1.2.a, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Interview personnel and observe compliance activities to verify that a formal PCI DSS compliance program is implemented in accordance with all elements specified in this requirement. (A3.1.2.b, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Examine change records and the affected systems/networks, and interview personnel to verify that all relevant PCI DSS requirements were confirmed to be implemented and documentation updated as part of the change. (A3.2.2.1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Management periodically reviews control activities to determine their continued relevance, and refreshes them when necessary. (§ 3 Principle 12 Points of Focus: Reassesses Policies and Procedures, COSO Internal Control - Integrated Framework (2013))
  • The organization should identify and document who is responsible to review, amend, and update the incident management plan and the business continuity plan. These should be accomplished at regular intervals. (§ 8.3.5, BS 25999-1, Business continuity management. Code of practice, 2006)
  • The business continuity management policy must be reviewed at planned intervals and whenever a significant change happens. The business continuity management system must be reviewed by management at planned intervals and whenever a significant change happens to ensure it continues to be suitable, ef… (§ 3.2.2.3(c), § 5.2.1, § 6.1.1, BS 25999-2, Business continuity management. Specification, 2007)
  • Standards support policy requirements and are intended to define the ways to achieve the organization's required objectives. Standards promote efficiency and enable the IT operating environment to be maintained more efficiently. Standards should be adopted for data structures. This will ensure consi… (§ 5.3.2, § 5.3.2 ¶ 3, IIA Global Technology Audit Guide (GTAG) 1: Information Technology Controls)
  • An ongoing maintenance process for all standards and policies should be developed to address the latest regulatory mandates. (§ 3.3.4 ¶ 4, IIA Global Technology Audit Guide (GTAG) 11: Developing the IT Audit Plan)
  • The organization should perform a privacy audit and create policies and procedures to create, store, and manage business data. (App A.5 (Recommendations for Privacy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • Policies and procedures that exist to support the business architecture and govern access management need to be reviewed. Standards, procedures, rules, and guidelines should exist to support each policy. The policy framework should provide sufficient information so all employees understand how user … (§ 4.1.2, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • The identity and access management (IAM) policy statement should be reviewed and revised periodically to reflect relevant current processes and activities. (§ 3.5.2, IIA Global Technology Audit Guide (GTAG) 9: Identity and Access Management)
  • The organizational resilience system documentation must include the organizational resilience management policy, the objectives, the targets, a description of the organizational resilience management system's scope, a description of the organizational resilience management system's main elements and… (§ 4.4.4, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • The organizational policy statement must, within the scope of the organizational resilience management system, ensure it is documented, implemented, and maintained and a policy relevancy review is conducted annually. Top management must develop an organizational resilience management system maintena… (§ 4.2.1(h), § 4.2.1(o), § 4.6.4, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • It is suggested that control questionnaires be used to assess the extent to which controls have been implemented in a communications network. It goes on to further state that the control questionnaires are normally grouped by subject or theme with the respondents being required to indicate if they a… (Pg 37, ISF Security Audit of Networks)
  • Customer access standards / procedures should be kept up-to-date. (CF.05.01.10b-2, The Standard of Good Practice for Information Security)
  • Acceptable usage policies should be kept up-to-date. (CF.01.01.07e, The Standard of Good Practice for Information Security)
  • Key staff documents, such as policies or job descriptions, should be reviewed by an Information Security specialist. (CF.02.01.06-1, The Standard of Good Practice for Information Security)
  • Key staff documents, such as policies or job descriptions, should be kept up-to-date. (CF.02.01.06-3, The Standard of Good Practice for Information Security)
  • Network documentation (e.g., diagrams, inventories, and schedules) should be kept up-to-date. (CF.09.02.04a, The Standard of Good Practice for Information Security)
  • Network documentation (e.g., diagrams, inventories, and schedules) should be subject to supervisory review. (CF.09.02.04c, The Standard of Good Practice for Information Security)
  • Customer access standards / procedures should be kept up-to-date. (CF.05.01.10b-2, The Standard of Good Practice for Information Security, 2013)
  • Acceptable usage policies should be kept up-to-date. (CF.01.01.07e, The Standard of Good Practice for Information Security, 2013)
  • Key staff documents, such as policies or job descriptions, should be reviewed by an Information Security specialist. (CF.02.01.06-1, The Standard of Good Practice for Information Security, 2013)
  • Key staff documents, such as policies or job descriptions, should be kept up-to-date. (CF.02.01.06-3, The Standard of Good Practice for Information Security, 2013)
  • Network documentation (e.g., diagrams, inventories, and schedules) should be kept up-to-date. (CF.09.02.04a, The Standard of Good Practice for Information Security, 2013)
  • Network documentation (e.g., diagrams, inventories, and schedules) should be subject to supervisory review. (CF.09.02.04c, The Standard of Good Practice for Information Security, 2013)
  • The information privacy policy should be aligned with other information security-related policies, such as those covering document retention and cloud computing (e.g., as part of an information security policy framework). (SR.02.02.06, The Standard of Good Practice for Information Security, 2013)
  • Policies and procedures shall be established, and supporting business processes and technical measures implemented, for appropriate IT governance and service management to ensure appropriate planning, delivery and support of the organization's IT capabilities supporting business functions, workforce… (BCR-11, Cloud Controls Matrix, v3.0)
  • The organization should monitor the medical network for the auditing of non-technical risk control measures, such as policies and procedures. (§ 4.6.1 ¶ 2(f), Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • A document control procedure shall be used to ensure all documents in the medical Information Technology network lifecycle are reviewed, updated, and approved. (§ 5.1, Application of risk management for IT-networks incorporating medical devices Part 1: Roles, responsibilities and activities, Edition 1.0 2010-10)
  • § 5.2.2 An organization should include ICT security as a component of all planning, implementation and operational activities. Protection should continue throughout the life cycle of information and ICT systems, from planning to acquisition, testing and operation. An organizational structure should… (§ 5.2.2, § 6.2, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • Maintenance. The majority of safeguards will require maintenance and administrative support to ensure their correct and appropriate functioning during their life. These activities (maintenance and administration) should be planned and performed on a regular scheduled basis. In this manner their over… (¶ 11.1, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • ¶ 8.2.4 Network Management. An organization should implement safeguards to achieve network management, which includes planning, operation and administration of networks. The proper configuration and administration of networks is an effective means to reduce risks. Safeguards in the area of network … (¶ 8.2.4, ¶ 9.2 Table Row "Operational Procedures", ¶ 9.2 Table Row "System Planning", ¶ 9.2 Table Row "Network Configuration", ¶ 9.2 Table Row "Network Segregation", ¶ 9.2 Table Row "Network Monitoring", ¶ 9.2 Table Row "Intrusion Detection", ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • ¶ 13.2 Secure Service Management should be implemented for network security. ¶ 13.2.1 Introduction to Secure Service Management. A key security requirement for any network is that it is supported by secure service management activities, which will initiate and control the implementation, and opera… (¶ 13.2, ¶ 13.2.1, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The organization shall control all quality management system documents. The organization shall establish procedures to define the controls that are needed to review and approve a document's adequacy before issuance; to review and update the documents; to identify changes and the current revision stat… (§ 4.2.3, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization shall review changes to documents and ensure they are approved by the original approving function or a designated function. (§ 4.2.3 ¶ 3, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • compliance obligations; (§ 6.1.4 ¶ 1 a) 2), ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall establish, implement and maintain the process(es) needed to evaluate fulfilment of its compliance obligations. (§ 9.1.2 ¶ 1, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall periodically review each project's lifecycle model to verify it is still suitable, adequate, and effective and make appropriate modifications. (§ 6.2.1.3(b)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The Administrator's Guide should include the following: a description of the administrative functions and interfaces; procedures on how to securely administer the product; a list of the security parameters and their values that the Administrator has control over; procedures on how to change security … (§ 16.1, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The security requirements documentation should contain labeling and descriptive information in the introduction to allow for identification, registration, cataloging, and cross-referencing; describe the security requirements in narrative form; be understandable to the target audience; and be consist… (§ 8.3.3, § 9.3.3, § 9.3.5, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The organization should establish, develop, implement, evaluate, maintain and continually improve a compliance management system, including the processes needed and their interactions, in accordance with this International Standard, taking into consideration the following governance principles: (§ 4.4 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Organizations should have processes in place to identify new and changed laws, regulations, codes and other compliance obligations to ensure on-going compliance. Organizations should have processes to evaluate the impact of the identified changes and implement any changes in the management of the co… (§ 4.5.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • ensuring the compliance management system is reviewed at planned intervals; (§ 5.3.4 ¶ 2 j), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Top management should review the organization's compliance management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. The actual depth and frequency of such reviews will vary with the nature of the organization and its policies. (§ 9.3 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • make changes to the compliance management system, if necessary. (§ 10.1.1 ¶ 1 e), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • These controls should be maintained, periodically evaluated and tested to ensure their continuing effectiveness. (§ 8.2 ¶ 3, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The organization should seek to continually improve the suitability, adequacy and effectiveness of the compliance management system. (§ 10.2 ¶ 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Effective controls are needed to ensure that the organization's compliance obligations are met and that noncompliances are prevented or detected and corrected. The types and levels of controls should be designed with sufficient rigour to facilitate achieving the compliance obligations that are parti… (§ 8.2 ¶ 2, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • Top management shall establish and communicate the scope, policy, and objectives for service management. (§ 4.1.1 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Top management shall ensure a service management plan is developed, implemented, and maintained in order to follow the policy, achieve the service management objectives, and fulfill the service requirements. (§ 4.1.1 ¶ 1(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Top management shall ensure documented communication procedures have been established and implemented. (§ 4.1.3 ¶ 1(b), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall establish and maintain any additional documents it determines are necessary for the effective operation of the service management system and the delivery of services. (§ 4.3.1 ¶ 1(h), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall establish documented procedures, including authorities and responsibilities, for reviewing and maintaining documents. (§ 4.3.2 ¶ 2(c), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service management plans shall be reviewed at predetermined intervals and updated as necessary. (§ 4.5.2 ¶ 2, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Top management shall review the service management system and the services at planned intervals. (§ 4.5.4.3 ¶ 1, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The service provider shall revise and update the service management policies, plans, procedures, and processes, as necessary. (§ 4.5.5.2 ¶ 3(c), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Facilities, procedures, and policies that have been implemented should be operational 24x7. (§ 6.3.14, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • Relevant staff should be assigned to ensure all documents are periodically reviewed and updated. (§ 5.12, ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services, 2008)
  • documented information determined by the organization as being necessary for the effectiveness of the information security management system. (§ 7.5.1 ¶ 1 b), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Documented information of external origin, determined by the organization to be necessary for the planning and operation of the information security management system, shall be identified as appropriate, and controlled. (§ 7.5.3 ¶ 3, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • review and approval for suitability and adequacy (§ 7.5.2 ¶ 1 c), ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • When the information security policy is being reviewed, the following items should be examined to improve the policy: Results of independent reviews; feedback from users; status of corrective actions; vulnerability trends; security incidents; organizational and network changes; and information secur… (§ 5.1.2, ISO 27002 Code of practice for information security management, 2005)
  • Communication and consultation should be timely and ensure that relevant information is collected, collated, synthesised and shared, as appropriate, and that feedback is provided and improvements are made. (§ 5.4.5 ¶ 2, ISO 31000 Risk management - Guidelines, 2018)
  • The risk management process and its outcomes should be documented and reported through appropriate mechanisms. Recording and reporting aims to: - communicate risk management activities and outcomes across the organization; - provide information for decision-making; - improve risk management activiti… (§ 6.7 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • Top management and oversight bodies, where applicable, should ensure that risk management is integrated into all organizational activities and should demonstrate leadership and commitment by: - customizing and implementing all components of the framework; - issuing a statement or policy that establi… (§ 5.2 ¶ 1, ISO 31000 Risk management - Guidelines, 2018)
  • When planning the approach, considerations include: - objectives and decisions that need to be made; - outcomes expected from the steps to be taken in the process; - time, location, specific inclusions and exclusions; - appropriate risk assessment tools and techniques; - resources required, responsi… (§ 6.3.2 ¶ 3, ISO 31000 Risk management - Guidelines, 2018)
  • The risk management process should be embedded in the practices and processes of the organization, especially policy development, business and strategic planning and review, and change management. (§ 4.3.4, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • § 4.5: The organization should periodically review the appropriateness of the risk management framework, policy, and plan and the effectiveness of the risk management framework to ensure risk management is effective and that it continues to support organizational performance. § 4.6: The organizati… (§ 4.5, § 4.6, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • ensure that an internal control system is implemented, including a risk management system, a compliance management system and a system of financial controls; (§ 6.4.3.1 ¶ 1 b), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The governing body is accountable for establishing and maintaining an integrated organizational governance framework across the organization that coordinates these governance activities such that the organization realizes effective performance, responsible stewardship and ethical behaviour. This org… (§ 4.2.1 ¶ 2, ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • govern for organizational viability over time. (§ 6.11.3.1 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • The organization shall implement controls to manage its compliance obligations and associated compliance risks. These controls shall be maintained, periodically reviewed and tested to ensure their continuing effectiveness. (§ 8.2 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • evaluate the impact of the identified changes and implement any necessary changes in the management of the compliance obligations. (§ 4.5 ¶ 2 b), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • Governing body and top management shall review the organization's compliance management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. (§ 9.3.1 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • make changes to the compliance management system, if necessary. (§ 10.2 ¶ 1 e), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • ensuring that the compliance policy and compliance objectives are established and are compatible with the strategic direction of the organization; (§ 5.1.1 ¶ 1 bullet 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The governing body and top management shall establish a compliance policy that: (§ 5.2 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall establish, implement, maintain and continually improve a compliance management system, including the processes needed and their interactions, in accordance with the requirements of this document. (§ 4.4 ¶ 1, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • the design and operational effectiveness of the compliance management system; (§ 6.3 ¶ 2 bullet 2, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • support the compliance governance principles in accordance with 5.1.3; (§ 5.2 ¶ 2 bullet 3, ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • changes to legal requirements and other requirements; (§ 8.1.3 ¶ 1 b), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • § 5.1.2: For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device manufacturer shall update the software development plan, as needed. § 9.5: For software systems assigned to Class A, Class B, and Class C software safety classes, the medical device … (§ 5.1.2, § 9.5, ISO 62304 - 2006 Medical device software - Software life cycle processes, 2006)
  • The organization shall establish, implement, evaluate, maintain and continually improve a compliance management system, including the processes needed and their interactions, in accordance with the requirements of this document. (§ 4.4 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The governing body and top management shall establish a compliance policy that: (§ 5.2 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • ensuring the compliance management system is reviewed at planned intervals (see 9.2 and 9.3). (§ 5.3.2 ¶ 4 bullet 3, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • evaluate the impact of the identified changes and implement any necessary changes in the management of the compliance obligations. (§ 6.3 ¶ 2 b), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall implement controls to manage its compliance obligations and associated compliance risks. These controls shall be maintained, periodically reviewed and tested to ensure their continuing effectiveness. (§ 8.2 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • Governing body and top management shall review the organization's compliance management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness. (§ 9.3 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • make changes to the compliance management system, if necessary. (§ 10.1 ¶ 1 e), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • the design and operational effectiveness of the compliance management system; (§ 10.2 ¶ 3 bullet 2, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • ensuring that the compliance policy and compliance objectives are established and are compatible with the strategic direction of the organization; (§ 5.1.1 ¶ 1 bullet 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • support the compliance governance principles in accordance with clause 5.1.3; (§ 5.2 ¶ 2 c), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall continually improve the suitability, adequacy and effectiveness of the compliance management system. (§ 10.2 ¶ 1, ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization shall evaluate and report on the effectiveness of the processes for managing risks and opportunities. (Section 9.1 ¶ 4, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • documented information determined by the organization as being necessary for the effectiveness of the information security management system. (§ 7.5.1 ¶ 1 b), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • the standards, legal requirements and other requirements relevant to the audit programme. (§ 7.2.1.2 f), ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary. (CC5.3 ¶ 2 Bullet 6 Reassesses Policies and Procedures, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization must implement policies and practices, including implementing procedures for protecting personal information; establishing procedures for receiving and responding to inquiries and complaints; communicating to and training staff about the practices and policies of the organization; a… (Sched 1 Clause 4.1.4, Canada Personal Information Protection Electronic Documents Act (PIPEDA), 2000, c.5)
  • Enforcing accountability for all actions: Management documents policies of accountability and adheres to them, demonstrating to personnel that lack of accountability is not tolerated and that practicing accountability is appropriately rewarded. (Embracing a Risk-Aware Culture ¶ 1 Bullet 3, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization's cyber risk management framework provides for segregation of duties between policy development, implementation, and oversight to ensure rigorous review of both policy and implementation. (GV.RM-3.3, CRI Profile, v1.2)
  • The organization's cyber risk management framework provides for segregation of duties between policy development, implementation, and oversight to ensure rigorous review of both policy and implementation. (GV.RM-3.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization's privacy policies should be approved by senior management and reviewed and updated at least annually. The organization should have an ongoing process in place to monitor the effect of changes in technology, law, contracts, business operations, and people on privacy. (ID 1.2.1, ID 1.2.7, AICPA/CICA Privacy Framework)
  • The organization should develop privacy policies and make them available to appropriate individuals. The privacy policies should be documented in clear and plain language and should include the choices individuals have and how consent should be obtained. (ID 1.1.0, ID 2.2.3, ID 3.1.0, AICPA/CICA Privacy Framework)
  • The entity's security policies are established and periodically reviewed and approved by a designated individual or group. (Security Prin. and Criteria Table § 1.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity implemented procedures to achieve its documented system security objectives in accordance with the policies. (Security Prin. and Criteria Table § 3.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Environmental, regulatory, and technological changes are monitored and their system security effect is assessed on a regular basis and the policies are updated as necessary. (Security Prin. and Criteria Table § 4.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system availability and related security policies are established and periodically reviewed and approved by a designated individual or group. (Availability Prin. and Criteria Table § 1.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity implemented procedures to achieve its documented system availability objectives in accordance with its policies. (Availability Prin. and Criteria Table § 3.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Environmental, regulatory, and technological changes are monitored and their effect on system availability and system security is assessed on a regular basis and the policies are updated as necessary. (Availability Prin. and Criteria Table § 4.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's processing integrity and related security policies are established and periodically reviewed and approved by a designated individual or group. (Processing Integrity Prin. and Criteria Table § 1.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity implemented procedures to achieve its documented system processing integrity objectives in accordance with its policies. (Processing Integrity Prin. and Criteria Table § 3.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Environmental, regulatory, and technological changes are monitored and their effect on system processing integrity and system security is assessed on a regular basis and the policies are updated as necessary. (Processing Integrity Prin. and Criteria Table § 4.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system confidentiality and related security policies are established and periodically reviewed and approved by a designated individual or group. (Confidentiality Prin. and Criteria Table § 1.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity implemented procedures to achieve its documented system confidentiality objectives in accordance with the policies. (Confidentiality Prin. and Criteria Table § 3.0, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Environmental, regulatory, and technological changes are monitored and their effect on system confidentiality and system security is assessed on a regular basis and the policies are updated as necessary. (Confidentiality Prin. and Criteria Table § 4.3, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Privacy policies and procedures must be reviewed and approved by management and updated as necessary. (Generally Accepted Privacy Principles and Criteria § 1.2.1, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The organization should develop policies, either written or oral. The policies should be implemented thoughtfully and consistently. (Pg 63, COSO Enterprise Risk Management (ERM) Integrated Framework (2004))
  • Privacy policies and procedures must be reviewed at least annually, and updated as necessary. (Table Ref 1.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should review the personal information program or service needs on a periodic basis. (Table Ref 4.2.1, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The organization should periodically update security policies and procedures based on the test results and the new and changing threats and vulnerabilities. (Table Ref 8.2.7, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • the involvement of board members, (¶ 3.59 Bullet 7 Sub-Bullet 1, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • An internal audit function performs assurance and consulting activities designed to evaluate and improve the effectiveness of the service organization's governance, risk management, and internal control processes. Activities similar to those performed by an internal audit function may be conducted b… (¶ 2.132, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Reading policy and procedure manuals, system documentation, flowcharts, narratives, hardware asset management records, and other system documentation to understand (¶ 3.59 Bullet 9, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The auditor should examine the policies and procedures used by the organization to ensure that management's directives are followed. (§ 314.89, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • The service auditor should read the reports of the internal audit function and regulatory examinations that relate to the services provided to user entities and the scope of the engagement, if any, to obtain an understanding of the nature and extent of the procedures performed and the related findin… (AT-C Section 320.23, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary. (CC5.3 Reassesses Policies and Procedures, Trust Services Criteria)
  • Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary. (CC5.3 ¶ 2 Bullet 6 Reassesses Policies and Procedures, Trust Services Criteria, (includes March 2020 updates))
  • Infrastructure, data, software, and policies and procedures are updated as necessary to remain consistent with the entity’s commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or … (CC7.2, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • Principle: Firms should conduct regular assessments to identify cybersecurity risks associated with firm assets and vendors and prioritize their remediation. Effective practices include establishing and implementing governance frameworks to: - identify and maintain an inventory of assets authorized… (Cybersecurity Risk Assessment, Report on Cybersecurity Practices)
  • Principle: Firms should establish and implement a cybersecurity governance framework that supports informed decision making and escalation within the organization to identify and manage cybersecurity risks. The framework should include defined risk management policies, processes and structures coupl… (Governance and Risk Management for Cybersecurity, Report on Cybersecurity Practices)
  • Information Systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (Section 4.C ¶ 1(4)(b), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Assesses the sufficiency of policies, procedures, customer information systems and other safeguards in place to control risks. (Section 6 ¶ 1.C., Standards for Safeguarding Customer Information Model Regulation, NAIC MDL-673, April 2002)
  • Each Member firm should establish and implement a governance framework that supports informed decision making and escalation within the firm to identify and manage information security risks. In implementing an ISSP, each Member must adopt and enforce a written ISSP reasonably designed to provide sa… (Information Security Program Bullet 1 Written Program ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • Members should monitor and regularly review the effectiveness of their ISSPs, including the efficacy of the safeguards deployed, and make adjustments as appropriate. A Member should perform a regular review of its ISSP at least once every twelve months using either in-house staff with appropriate kn… (Review of Information Security Programs ¶ 1, 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs)
  • The responsible entity shall ensure the senior manager reviews and approves the cyber security policy annually. (§ R1.3, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • Is there a removable media policy or program (compact disks, digital video disks, tapes, disk drives) that has been assigned an owner to maintain and review the policy? (§ G.13, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is there an operational Change Management/Change Control policy or program that has an owner to maintain and review the policy? (§ G.2, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • Is there an anti-virus/malware policy or program (workstations, servers, mobile devices) that has an owner to maintain and review the policy? (§ G.7, Shared Assessments Standardized Information Gathering Questionnaire - G. Communications and Operations Management, 7.0)
  • When electronic systems are used to transmit scoped systems and data, is there an access control policy that has an owner to maintain and review the policy? (§ H.1.1, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • When electronic systems are used to process scoped systems and data, is there an access control policy that has an owner to maintain and review the policy? (§ H.1.1, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • When electronic systems are used to store scoped systems and data, is there an access control policy that has an owner to maintain and review the policy? (§ H.1.1, Shared Assessments Standardized Information Gathering Questionnaire - H. Access Control, 7.0)
  • Is there a documented policy for incident management that has an owner to maintain and review the policy? (§ J.1.1, Shared Assessments Standardized Information Gathering Questionnaire - J. Incident Event and Communications Management, 7.0)
  • Is there a documented policy for Business Continuity and Disaster Recovery that has an owner to maintain and review the policy? (§ K.1, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • Is there a Business Continuity and Disaster Recovery program that has an owner or group to maintain and review the plan? (§ K.1.2, Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery, 7.0)
  • The organization must establish written standards for addressing the timeliness of access to care and member services; policies and procedures for allowing for individual medical necessity determinations; and for addressing provider consideration of beneficiary input into the proposed treatment plan… (§ 422.112(a)(6), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • A Medicare Advantage (MA) organization must establish a formal way for consulting with physicians who provide services under the MA plan with regard to the organization's medical policy, medical management procedures, and quality improvement programs and ensure practice and utilization management gu… (§ 422.202(b)(1)(iv), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • CSR 3.2.2: The organization must implement procedures for using and monitoring system software utilities and keeping them up-to-date. CSR 10.7.4: The organization must review and update the baseline configuration, system component inventory, and other system-related security or operations documentat… (CSR 3.2.2, CSR 10.7.4, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The system security plan and the risk assessment must be updated as needed. All identified findings or risks must be used to update the system security plan and the risk assessment. (§ 2.9, System Security Plan (SSP) Procedure, Version 1.1 Final)
  • Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (a), and take prompt action to remedy deficiencies in such policies and procedures. (§242.1001(a)(3), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Each SCI entity shall periodically review the effectiveness of the policies and procedures required by this paragraph (b), and take prompt action to remedy deficiencies in such policies and procedures. (§242.1001(b)(3), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • Each SCI entity shall periodically review the effectiveness of the policies and procedures required by paragraph (c)(1) of this section, and take prompt action to remedy deficiencies in such policies and procedures. (§242.1001(c)(2), 17 CFR PART 242, Regulations M, SHO, ATS, AC, NMS, and SBSR and Customer Margin Requirements for Security Futures)
  • The Facilities Protection Committee shall review, update, and disseminate the national strategy for Technical Surveillance Countermeasures on a biennial basis. (§ 149.2(b)(5), 32 CFR Part 149, Policy of Technical Surveillance Countermeasures)
  • Each airport operator must notify the Transportation Security Administration no more than 6 hours after a change is discovered in the security program that will affect operations of aircraft, physical structure for the screening process, or staffing structure. (§ 1542.107, 49 CFR Part 1542, Airport Security)
  • Verify that policies and procedures are updated and approved. (Obj 2 (Processes), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The organization should develop policies to comply with the requirements of the Bank Secrecy Act (BSA). (Pg 86, Obj 2 (Policy), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Verify that the compliance policy addresses independent testing. (Pg 86, Obj 2 (Policy), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Verify that the compliance policy addresses training. (Pg 86, Obj 2 (Policy), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Verify that the compliance policy addresses designating a compliance officer. (Pg 86, Obj 2 (Policy), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Verify that the compliance policy addresses reporting requirements. (Pg 86, Obj 2 (Policy), Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • The Director of the Office of Management and Budget must oversee agency information security policies and practices, including annually reviewing and approving or disapproving the information security program. This authority does not apply to national security systems. (§ 3543(a)(5), § 3543(b), Federal Information Security Management Act of 2002, Deprecated)
  • Procedures must be developed to periodically validate the hardware, software, and/or firmware is operating correctly. (§ 8-613.b, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • Security measures that are implemented to comply with the standards and implementation specifications shall be reviewed and modified in order to continue to provide reasonable and appropriate protection of electronic protected health information. (§ 164.306(e), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • If necessary, the group health plan must be corrected to incorporate the following: (1) the allowed and required uses and disclosures of protected health information by the plan sponsor; (2) protected health information will be disclosed to the plan sponsor upon certification that the plan documents… (§ 164.504(f)(2), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Whenever there is a material change to the uses or disclosures, the covered entity's legal duties, the individual's rights, or other privacy practices, the privacy notice must be promptly revised and distributed. Material changes may not be implemented before the notice's effective date, except when… (§ 164.520(b)(3), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Implemented policies and procedures shall be maintained in written (which may be electronic) form. A written record of any actions, activities, or assessments that require documentation shall be maintained. (§ 164.316(b)(1), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Whenever changes are made to the privacy practice and corresponding changes are made to the policies and procedures, the covered entity may make the changes effective for the protected health information created or received before the revisions if it included a statement in the privacy notice statin… (§ 164.530(i)(2)(ii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Changes to the policies and procedures can be made at any time, if they are documented and implemented in accordance with § 164.530(i)(5). (§ 164.530(i)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Whenever a law changes and it requires the policies and procedures to be changed, the covered entity must promptly document and implement the revised policies and procedures. If the change materially affects the privacy notice contents, the covered entity must promptly make the revisions in accordan… (§ 164.530(i)(3), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Changes to policies and procedures that do not materially affect the contents of the privacy notice may be made, if the revised policies and procedures comply with the requirements, standards, and implementation specifications and the revised policies and procedures are documented before the effecti… (§ 164.530(i)(5), 45 CFR Part 164 - Security and Privacy, current as of January 17, 2013)
  • Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard … (§ 164.316(a), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Implementation specification: Changes in law. Whenever there is a change in law that necessitates a change to the covered entity's policies or procedures, the covered entity must promptly document and implement the revised policy or procedure. If the change in law materially affects the content of t… (§ 164.530(i)(3), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A covered entity must change its policies and procedures as necessary and appropriate to comply with changes in the law, including the standards, requirements, and implementation specifications of this subpart or subpart D of this part. (§ 164.530(i)(2)(i), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • The criminal justice information services systems officer shall establish, maintain, and enforce policy that governs the operation of system components that comprise and support a telecommunications network and criminal justice information services systems that process, store, or transmit criminal j… (§ 3.2.2(2), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The agency coordinator shall maintain and update manuals associated with the contractor agreement and provide them to the contractor. (§ 3.2.7(4), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • The Federal Bureau of Investigation Criminal Justice Information Services Division information security officer shall maintain the criminal justice information services security policy. (§ 3.2.10(1), Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.2, Version 5.2)
  • Existing controls. (App A Objective 5:2a Bullet 3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Determine whether management documents, implements, and maintains policies, standards, and procedures related to AIO that address the following: (App A Objective 2:10, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Guidance to develop and maintain effective processes related to AIO. (App A Objective 2:10e, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Review of the entity's AIO functions and activities and management's ability to oversee and control AIO-related risks. (App A Objective 2:11a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Establishes IT governance practices and security controls for shadow IT, including policies, standards, and procedures. (App A Objective 4:5a, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Management should implement an IT infrastructure that achieves and promotes the objectives of confidentiality, integrity, and availability, and meets the entity's business objectives. Management should develop, document, and implement infrastructure control policies, standards, and procedures to saf… (V Action Summary ¶ 1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether the board of directors oversees and senior management appropriately establishes an effective governance structure that includes oversight of IT activities. (App A Objective 2, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution boards of directors should oversee, while senior management should implement, a governance structure that includes the following: - Effective IT governance. - Appropriate oversight of IT activities. - Comprehensive IT management, including the various roles played by management… (I Governance, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Financial institution management should implement effective control and risk transfer practices as part of its overall IT risk mitigation strategy. These practices should include the following: - Establishing, implementing, and enforcing IT policies, standards, and procedures. - Documenting policies… (III.C Risk Mitigation, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether compliance staff reviews new products, systems, applications, or changes to evaluate compliance with applicable laws and regulations. (App A Objective 6:6, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Appropriate policies for information security, including cybersecurity risk management processes, and other relevant IT policies. (App A Objective 2:7 b., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether audit procedures for information security adequately consider compliance with the "Interagency Guidelines Establishing Standards for Safeguarding Customer Information," as mandated by Section 501(b) of the Gramm-Leach-Bliley Act of 1999. Consider evaluating whether management has … (Exam Tier II Obj D.2, FFIEC IT Examination Handbook - Audit, August 2003)
  • Determine whether audit procedures for operations consider ▪ The adequacy of security policies, procedures, and practices in all units and at all levels of the financial institution and service providers. ▪ The adequacy of data controls over preparation, input, processing, and output. ▪ The ad… (Exam Tier II Obj C.1, FFIEC IT Examination Handbook - Audit, August 2003)
  • Determine whether the BCP addresses the assignment of responsibility for pandemic planning, preparing, testing, responding, and recovering. (Exam Tier I Obj 8.2, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • Determine whether the BCP includes the following elements, appropriately scaled for the size, activities and complexities of the organization: ▪ A preventive program to reduce the likelihood that an institution's operations will be significantly affected by a pandemic event, including: monitoring … (Exam Tier I Obj 8.3, FFIEC IT Examination Handbook - Business Continuity Planning, March 2008)
  • (Obj 2.2, FFIEC IT Examination Handbook - E-Banking, August 2003)
  • Management should ensure policies and procedures are reviewed and updated. (Pg 25, Pg 26, FFIEC IT Examination Handbook - Management)
  • The specific requirements for internal controls should be identified in the organization's policies, procedures, and standards in order to establish an auditable baseline. (Pg 26, FFIEC IT Examination Handbook - Management)
  • Review and assess policies, procedures, and standards as they apply to the institution's computer operations environment and controls. (Exam Tier I Obj 4.4, FFIEC IT Examination Handbook - Operations, July 2004)
  • Obtain the institution's written procedures for employees in the incoming, preparation, data entry, balance verification, transmission, accounting, reconciling and security functions of the funds transfer area. Determine if management reviews and approves the procedures periodically. Determine if th… (Exam Tier II Obj 3.1, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The operational policies and controls of the organization should cover all critical and core systems supporting the wholesale payment activities. The procedures and controls should include business continuity planning, physical and logical security, and vendor management. (Pg 22, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • The organization must develop, document, and distribute a security planning policy and procedures for implementing security planning controls. (Exhibit 4 PL-1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • Are there adequate policies and procedures for the website? (IT - General Q 39, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include system administration? (IT - Policy Checklist Q 4, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include router management? (IT - Policy Checklist Q 5, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the Credit Union Information Technology policy include server security management? (IT - Policy Checklist Q 5, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Is there a Board approved website operating policy? (IT - Web Site Review Q 1, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Does the written website operating policy include a general mission statement? (IT - Web Site Review Q 1a, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • The organization should have a contingency planning policy statement that defines the organization's overall contingency objectives and establishes the organizational framework and responsibilities for system contingency planning. (§ 3.1, Contingency Planning Guide for Information Technology Systems, NIST SP 800-34, Rev. 1 (Draft))
  • Form governance structures and operating model. (Level 1 Enterprise Activities Bullet 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Implement a risk management hierarchy and risk management process (in accordance with NIST SP 800-39, Managing Information Security Risk [NIST SP 800-39]), including an enterprise-wide risk assessment process (in accordance with NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessments [NIST SP … (3.4.1. ¶1 Bullet 3, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Review and update the CONOPS [Assignment: organization-defined frequency]. (PL-7b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information system… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • (§ 3.1.4, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Policy is senior management's directives to create a computer security program, establish its goals, and other managerial decisions. (§ 3.1, Generally Accepted Principles and Practices for Securing Information Technology Systems, NIST SP 800-14, September 1996)
  • Organizational records and documents should be examined to ensure the security planning policy and procedures are documented, disseminated, reviewed, and updated and specific responsibilities and actions are defined for the implementation of the security planning policy and procedures control. Any p… (PL-1, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • Reviews and updates the CONOPS [Assignment: organization-defined frequency]. (PL-7b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews and updates the CONOPS [Assignment: organization-defined frequency]. (PL-7b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and (PM-1c., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Review existing and proposed policies with stakeholders. (T0222, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Maintain knowledge of applicable cyber defense policies, regulations, and compliance documents specifically related to cyber defense auditing. (T0142, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and coordinate a risk management and compliance framework for privacy (T0892, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and implement the organizational governance structure to enable an ongoing understanding of the organization's risk management priorities that are informed by privacy risk. (GOVERN-P (GV-P), NIST Privacy Framework: A Tool For Improving Privacy Through Enterprise Risk Management, Version 1.0)
  • The organization should establish a comprehensive privacy program by establishing policies and procedures that address all of the Organization for Economic Cooperation and Development Fair Information Practices. (§ 2.3 ¶ 3, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must review and update the security awareness and training policy on an organization-defined frequency. (SG.AT-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the Audit and Accountability policy on a defined frequency. (SG.AU-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the security assessment and authorization policy on a defined frequency. (SG.CA-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization's security program must implement a continuous improvement program to ensure best practices and learned lessons are inserted into the security policies and procedures. (SG.CA-3 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the Configuration Management security policy on a defined frequency. (SG.CM-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the Continuity Of Operations security policy on a defined frequency. (SG.CP-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the Identification and Authentication security policy on a defined frequency. (SG.IA-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the information and document management policy on a defined frequency. (SG.ID-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review its policies and procedures for handling information on a defined frequency. (SG.ID-3 Requirement, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the smart grid information system maintenance security policy on a defined frequency. (SG.MA-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the Media Protection security policy on a defined frequency. (SG.MP-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the physical and environmental security policy on a defined frequency. (SG.PE-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the strategic planning policy on a defined frequency. (SG.PL-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the security program security policy on a defined frequency. (SG.PM-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The Security Program Plan must be reviewed on a defined frequency. (SG.PM-2 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The Security Program Plan must be revised to include changes to the organization and problems identified during assessments or implementation. (SG.PM-2 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the personnel security policy on a defined frequency. (SG.PS-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the risk assessment security policy on a defined frequency. (SG.RA-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the smart grid Information System and services acquisition security policy on a defined frequency. (SG.SA-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the smart grid Information System and communication protection security policy on a defined frequency. (SG.SC-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review and update the smart grid information System and Information Integrity policy on a defined frequency. (SG.SI-1 Requirement 1.a, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization should develop, disseminate, review, and update, on a predefined frequency, a formal, documented System and Communications Protection policy that addresses purpose, roles, responsibilities, scope, management commitment, compliance, and coordination among entities. (App F § SC-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, a formal, documented personnel security policy that addresses purpose, roles, responsibilities, scope, management commitment, compliance, and coordination among entities. (App F § PS-1.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must update the security authorization on a predetermined frequency. (App F § CA-6.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must review the incident response plans on a predefined frequency. (App F § IR-8.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization should review and update the Concept of Operations on a predefined frequency. (App F § PL-2(1)(b), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, formal, documented procedures for implementing the personnel security policy and its associated controls. (App F § PS-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must review and update the access agreements on a predefined frequency. (App F § PS-6.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must develop, disseminate, review, and update, on a predefined frequency, formal, documented procedures for implementing the System and Communications Protection policy and its associated controls. (App F § SC-1.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must update the information security program plan to address organization changes and problems identified during security control assessments or plan implementation. (App G § PM-1.c, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Maintain knowledge of applicable cyber defense policies, regulations, and compliance documents specifically related to cyber defense auditing. (T0142, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Participate in the Risk Governance process to provide security risks, mitigations, and input on other technical risk. (T0255, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop and coordinate a risk management and compliance framework for privacy. (T0892, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Review existing and proposed policies with stakeholders. (T0222, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization reviews and updates the current audit and accountability policy {organizationally documented frequency}. (AU-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current audit and accountability procedures {organizationally documented frequency}. (AU-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security assessment and authorization policy {organizationally documented frequency}. (CA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security assessment and authorization procedures {organizationally documented frequency}. (CA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current configuration management policy {organizationally documented frequency}. (CM-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current configuration management procedures {organizationally documented frequency}. (CM-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current identification and authentication policy {organizationally documented frequency}. (IA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current identification and authentication procedures {organizationally documented frequency}. (IA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews the incident response plan {organizationally documented frequency}. (IR-8c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system maintenance policy {organizationally documented frequency}. (MA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system maintenance procedures {organizationally documented frequency}. (MA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current media protection policy {organizationally documented frequency}. (MP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current media protection procedures {organizationally documented frequency}. (MP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current physical and environmental protection policy {organizationally documented frequency}. (PE-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current physical and environmental protection procedures {organizationally documented frequency}. (PE-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments. (PL-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the rules of behavior {organizationally documented frequency}. (PL-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the CONOPS {organizationally documented frequency}. (PL-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current personnel security policy {organizationally documented frequency}. (PS-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current personnel security procedures {organizationally documented frequency}. (PS-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and services acquisition policy {organizationally documented frequency}. (SA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and services acquisition procedures {organizationally documented frequency}. (SA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and communications protection policy {organizationally documented frequency}. (SC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and communications protection procedures {organizationally documented frequency}. (SC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and information integrity policy {organizationally documented frequency}. (SI-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and information integrity procedures {organizationally documented frequency}. (SI-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems are developed and maintained. (PM-14a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements a process for ensuring that organizational plans for conducting security testing, training, and monitoring activities associated with organizational information systems continue to be executed in a timely manner. (PM-14a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-14b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization updates privacy plan, policies, and procedures {organizationally documented frequency, at least biennially}. (AR-1f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current audit and accountability policy {organizationally documented frequency}. (AU-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current audit and accountability procedures {organizationally documented frequency}. (AU-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security assessment and authorization policy {organizationally documented frequency}. (CA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security assessment and authorization procedures {organizationally documented frequency}. (CA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current configuration management policy {organizationally documented frequency}. (CM-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current configuration management procedures {organizationally documented frequency}. (CM-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current identification and authentication policy {organizationally documented frequency}. (IA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current identification and authentication procedures {organizationally documented frequency}. (IA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews the incident response plan {organizationally documented frequency}. (IR-8c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system maintenance policy {organizationally documented frequency}. (MA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system maintenance procedures {organizationally documented frequency}. (MA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current media protection policy {organizationally documented frequency}. (MP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current media protection procedures {organizationally documented frequency}. (MP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current physical and environmental protection policy {organizationally documented frequency}. (PE-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current physical and environmental protection procedures {organizationally documented frequency}. (PE-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments. (PL-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the rules of behavior {organizationally documented frequency}. (PL-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current personnel security policy {organizationally documented frequency}. (PS-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current personnel security procedures {organizationally documented frequency}. (PS-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and services acquisition policy {organizationally documented frequency}. (SA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and services acquisition procedures {organizationally documented frequency}. (SA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and communications protection policy {organizationally documented frequency}. (SC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and communications protection procedures {organizationally documented frequency}. (SC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and information integrity policy {organizationally documented frequency}. (SI-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and information integrity procedures {organizationally documented frequency}. (SI-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current audit and accountability policy {organizationally documented frequency}. (AU-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current audit and accountability procedures {organizationally documented frequency}. (AU-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security assessment and authorization policy {organizationally documented frequency}. (CA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security assessment and authorization procedures {organizationally documented frequency}. (CA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current configuration management policy {organizationally documented frequency}. (CM-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current configuration management procedures {organizationally documented frequency}. (CM-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current identification and authentication policy {organizationally documented frequency}. (IA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current identification and authentication procedures {organizationally documented frequency}. (IA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews the incident response plan {organizationally documented frequency}. (IR-8c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system maintenance policy {organizationally documented frequency}. (MA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system maintenance procedures {organizationally documented frequency}. (MA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current media protection policy {organizationally documented frequency}. (MP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current media protection procedures {organizationally documented frequency}. (MP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current physical and environmental protection policy {organizationally documented frequency}. (PE-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current physical and environmental protection procedures {organizationally documented frequency}. (PE-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments. (PL-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the rules of behavior {organizationally documented frequency}. (PL-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current personnel security policy {organizationally documented frequency}. (PS-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current personnel security procedures {organizationally documented frequency}. (PS-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and services acquisition policy {organizationally documented frequency}. (SA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and services acquisition procedures {organizationally documented frequency}. (SA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and communications protection policy {organizationally documented frequency}. (SC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and communications protection procedures {organizationally documented frequency}. (SC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and information integrity policy {organizationally documented frequency}. (SI-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and information integrity procedures {organizationally documented frequency}. (SI-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current audit and accountability policy {organizationally documented frequency}. (AU-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current audit and accountability procedures {organizationally documented frequency}. (AU-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security assessment and authorization policy {organizationally documented frequency}. (CA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current security assessment and authorization procedures {organizationally documented frequency}. (CA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current configuration management policy {organizationally documented frequency}. (CM-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current configuration management procedures {organizationally documented frequency}. (CM-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current identification and authentication policy {organizationally documented frequency}. (IA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current identification and authentication procedures {organizationally documented frequency}. (IA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews the incident response plan {organizationally documented frequency}. (IR-8c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system maintenance policy {organizationally documented frequency}. (MA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system maintenance procedures {organizationally documented frequency}. (MA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current media protection policy {organizationally documented frequency}. (MP-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current media protection procedures {organizationally documented frequency}. (MP-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current physical and environmental protection policy {organizationally documented frequency}. (PE-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current physical and environmental protection procedures {organizationally documented frequency}. (PE-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization updates the plan to address changes to the information system/environment of operation or problems identified during plan implementation or security control assessments. (PL-2d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the rules of behavior {organizationally documented frequency}. (PL-4c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current personnel security policy {organizationally documented frequency}. (PS-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current personnel security procedures {organizationally documented frequency}. (PS-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and services acquisition policy {organizationally documented frequency}. (SA-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and services acquisition procedures {organizationally documented frequency}. (SA-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and communications protection policy {organizationally documented frequency}. (SC-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and communications protection procedures {organizationally documented frequency}. (SC-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and information integrity policy {organizationally documented frequency}. (SI-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • The organization reviews and updates the current system and information integrity procedures {organizationally documented frequency}. (SI-1b.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Deprecated, Revision 4, Deprecated)
  • Reviews and updates the CONOPS [Assignment: organization-defined frequency]. (PL-7b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Updates privacy plan, policies, and procedures [Assignment: organization-defined frequency, at least biennially]. (AR-1f., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and (PM-1c., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Review and update the CONOPS [Assignment: organization-defined frequency]. (PL-7b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review and update the CONOPS [Assignment: organization-defined frequency]. (PL-7b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Updates the plan to address organizational changes and problems identified during plan implementation or security control assessments; and (PM-1c., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • The organization should develop policies, procedures, and controls to ensure that all applicable regulations and directives are being followed. (Pg 25, Implementation Guide for OMB Circular A-123 Management's Responsibility for Internal Control)
  • Management has the responsibility to develop and maintain effective policies and procedures to assure that any weaknesses would be prevented or detected. The policies and procedures should help to ensure that all objectives of the organization are met. (§ I, § II.C, OMB Circular A-123, Management's Responsibility for Internal Control)
  • Management has discretion in determining the scope of operations, reporting, and compliance objectives based on the Agency's risk profile as described in Section II of this document. Agencies are required to provide assurances on their process to identify risks and establish controls or integrate ex… (Section VI (B) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Management should adopt and enforce appropriate policies and procedures to manage risk related to a bank's use of technology. (¶ 35, Technology Risk Management Guide for Bank Examiners - OCC Bulletin 98-3)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal. (Section 27-62-4(c)(4) b., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Information systems, including, but not limited to, network and software design, as well as information classification, governance, processing, storage, transmission and disposal; and (Part VI(c)(3)(D)(ii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • a process for reviewing policies and security measures at least annually; and (¶ 4e-70(b)(2)(C), Connecticut General Statutes, Title 4e, Chapter 62a, Section 4e-70, Requirements for state contractors who receive confidential information)
  • An information system, including network and software design and information classification, governance, processing, storage, transmission, and disposal. (§ 8604.(c)(4) b., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§431:3B-202(b)(4)(B), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Information systems, including network and software design, and information classification, governance, processing, storage, transmission, and disposal. (Sec. 17.(4)(B), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Information systems, including network and software design; and information classification, governance, processing, storage, transmission, and disposal. (507F.4 3.d.(2), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal. (§2504.C.(4)(b), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission and disposal; and (§2264 3.D.(2), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal. (Sec. 555.(3)(d)(ii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§ 60A.9851 Subdivision 3(4)(ii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission and disposal; and (§ 83-5-807 (3)(d)(ii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§ 420-P:4 III.(d)(2), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (26.1-02.2-03. 3.d.(2), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; (Section 3965.02 (C)(4)(b), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • information systems, including network and software design, and information classification, governance, processing, storage, transmission, and disposal; and (SECTION 38-99-20. (C)(4)(b), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§ 56-2-1004 (3)(D)(ii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • A controller or processor that discloses personal data to a third-party controller or processor, in compliance with the requirements of this chapter, is not in violation of this chapter if the third-party controller or processor that receives and processes such personal data is in violation of this … (§ 59.1-582.D., Code of Virginia Title 59.1, Chapter 53, Consumer Data Protection Act)
  • Information systems, including the classification, governance, processing, storage, transmission, and disposal of information. (§ 601.952(2)(c)2., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)
  • Guarantees sufficient for compliance with the general principles of protection and data subject's rights referred to in the lead sentence of this article shall also be analyzed in accordance with the technical and organizational measures adopted by the processor, according to the provisions of §§1… (Art. 35 § 5, Brazilian Law No. 13709, of August 14, 2018)