Establish, implement, and maintain a policy and procedure management program.


CONTROL ID
06285
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish and maintain the scope of the organizational compliance framework and Information Assurance controls., CC ID: 01241

This Control has the following implementation support Control(s):
  • Include the effective date on all organizational policies., CC ID: 06820
  • Include requirements in the organization’s policies, standards, and procedures., CC ID: 12956
  • Include threats in the organization’s policies, standards, and procedures., CC ID: 12953
  • Analyze organizational policies, as necessary., CC ID: 14037
  • Include opportunities in the organization’s policies, standards, and procedures., CC ID: 12945
  • Establish and maintain an Authority Document list., CC ID: 07113
  • Approve all compliance documents., CC ID: 06286
  • Disseminate and communicate compliance documents to all interested personnel and affected parties., CC ID: 06282


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization should use the naming convention from this manual for its information security documentation. (Control: 0885, Australian Government Information Security Manual: Controls)
  • An APRA-regulated entity's information security policy framework would typically be consistent with other entity frameworks such as risk management, service provider management and project management. (22., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • the setting of the institution's or payment institution's strategies and policies (e.g. the business model, the risk appetite, the risk management framework); (4.6 36(d), Final Report on EBA Guidelines on outsourcing arrangements)
  • A Member State may decide to provide for the possibility to fully or partially authorise the use of 'real-time' remote biometric identification systems in publicly accessible spaces for the purpose of law enforcement within the limits and under the conditions listed in paragraphs 1, point (d), 2 and… (Article 5 4. ¶ 1, Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The management board is responsible for ensuring that the regulations governing the organisational and operational structure of IT are defined on the basis of the IT strategy and are swiftly amended in the event of modifications to the activities and processes. The institution shall ensure that the … (II.2.4, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • The entity has a process for evaluating and addressing the potential impacts of required changes to information privacy policy and procedures as changes occur in entity operations and operating locations, and as applicable jurisdictional laws and regulations are enacted to become new regulatory comp… (M1.2 Policy changes, Privacy Management Framework, Updated March 1, 2020)
  • Documentation must exist to prove compliance with requirements when electronic records are used to store gxp data. (¶ 21.10 Bullet 1, Good Practices For Computerized systems In Regulated GXP Environments)
  • Implement, communicate, manage, enforce, and audit policies, related procedures and standards to ensure that they operate as intended and continue to be relevant. (OCEG GRC Capability Model, v. 3.0, P2.4 Implement and Manage Policies, OCEG GRC Capability Model, v 3.0)
  • Implement policies and associated procedures to address opportunities, threats and requirements and set clear expectations of conduct for the governing authority, management, the workforce and the extended enterprise. (OCEG GRC Capability Model, v. 3.0, P2 Policies, OCEG GRC Capability Model, v 3.0)
  • The organization shall establish a process to implement the requirements of this standard in accordance with its organizational strategies. (§ 6.2.1.3(a)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall establish documented procedures, including authorities and responsibilities, for ensuring external origin documents are identified and their distribution controlled. (§ 4.3.2 ¶ 2(g), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The organization shall plan, implement and control the processes needed to meet information security requirements, and to implement the actions determined in 6.1. The organization shall also implement plans to achieve information security objectives determined in 6.2. (§ 8.1 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Documented information required by the information security management system and by this International Standard shall be controlled to ensure: (§ 7.5.3 ¶ 1, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • Documented information required by the quality management system and by this International Standard shall be controlled to ensure: (7.5.3.1 ¶ 1, ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • implementing the control of the processes in accordance with the criteria; (Section 8.1 ¶ 1 bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Aligning individual behavior with culture is critical. The most powerful influence comes from management who creates and sustains the organizational agenda. Explicitly, the organization develops policies, rules, and standards of conduct. Implicitly, the organization should lead by example to reflect… (Embracing a Risk-Aware Culture ¶ 2, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • Each of these Principles should be considered by members in determining whether or not to provide specific services in individual circumstances. In some instances, they may represent an overall constraint on the non-audit services that might be offered to a specific client. No hard-and-fast rules ca… (0.300.070.03, AICPA Code of Professional Conduct, August 31, 2016)
  • Implement the implementation specification if reasonable and appropriate; or (§ 164.306(d)(3)(ii)(A), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • When a standard adopted in §164.308, §164.310, §164.312, §164.314, or §164.316 includes required implementation specifications, a covered entity or business associate must implement the implementation specifications. (§ 164.306(d)(2), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Standard: Policies and procedures. Implement reasonable and appropriate policies and procedures to comply with the standards, implementation specifications, or other requirements of this subpart, taking into account those factors specified in §164.306(b)(2)(i), (ii), (iii), and (iv). This standard … (§ 164.316(a), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • A covered entity may make any other changes to policies and procedures at any time, provided that the changes are documented and implemented in accordance with paragraph (i)(5) of this section. (§ 164.530(i)(2)(iii), 45 CFR Part 164 - Security and Privacy, current as of July 6, 2020)
  • Updates the related policy or procedures or provides additional training. (App A Objective 13:2c, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Documentation of the architecture plan, including policies, standards, and procedures. (IV Action Summary ¶ 2 Bullet 3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Written procedures are complete and address each EFT activity; (TIER II OBJECTIVES AND PROCEDURES E.2. Bullet 1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. (PL-8c., FedRAMP Security Controls High Baseline, Version 5)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., FedRAMP Security Controls High Baseline, Version 5)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., FedRAMP Security Controls High Baseline, Version 5)
  • Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. (PL-8c., FedRAMP Security Controls Low Baseline, Version 5)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., FedRAMP Security Controls Low Baseline, Version 5)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., FedRAMP Security Controls Low Baseline, Version 5)
  • Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. (PL-8c., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. (PL-8c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. (PL-8c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. (PL-8c., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Flow Down Controls)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. (PL-8c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. (PL-8c., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Recommend policy and coordinate review and approval. (T0227, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Seek consensus on proposed policy changes from stakeholders. (T0506, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Contribute to the review and refinement of policy, to include assessments of the consequences of endorsing or not endorsing such policy. (T0759, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Recommend policy and coordinate review and approval. (T0227, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Seek consensus on proposed policy changes from stakeholders. (T0506, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Contribute to the review and refinement of policy, to include assessments of the consequences of endorsing or not endorsing such policy. (T0759, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Assess policy needs and collaborate with stakeholders to develop policies to govern cyber activities. (T0429, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. (PL-8c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions. (PL-8c., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Define and document organizational oversight and user roles and responsibilities with regard to external system services; and (SA-9b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Implement security directives in accordance with established time frames, or notify the issuing organization of the degree of noncompliance. (SI-5d., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Collaboration to address advanced threats will only be effective if owners and operators of critical infrastructure have cybersecurity protections in place to make it harder for adversaries to disrupt them. The Administration has established new cybersecurity requirements in certain critical sectors… (PILLAR ONE ¶ 2, National Cybersecurity Strategy)
  • ESTABLISH CYBERSECURITY REGULATIONS TO SECURE CRITICAL INFRASTRUCTURE (STRATEGIC OBJECTIVE 1.1 Subsection 1, National Cybersecurity Strategy)
  • Regulations should be performance-based, leverage existing cybersecurity frameworks, voluntary consensus standards, and guidance—including the Cybersecurity and Infrastructure Security Agency (CISA)'s Cybersecurity Performance Goals and the National Institute of Standards and Technology (NIST) Fra… (STRATEGIC OBJECTIVE 1.1 Subsection 1 ¶ 2, National Cybersecurity Strategy)
  • ESTABLISH CYBERSECURITY REGULATIONS TO SECURE CRITICAL INFRASTRUCTURE (STRATEGIC OBJECTIVE 1.1 Subsection 1, National Cybersecurity Strategy (Condensed))
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., TX-RAMP Security Controls Baseline Level 1)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d., TX-RAMP Security Controls Baseline Level 1)
  • Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and (SA-9b., TX-RAMP Security Controls Baseline Level 2)
  • Implements security directives in accordance with established time frames, or notifies the issuing organization of the degree of noncompliance. (SI-5d., TX-RAMP Security Controls Baseline Level 2)