Measure policy compliance when reviewing the internal control framework.


CONTROL ID
06442
CONTROL TYPE
Actionable Reports or Measurements
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The FI should clearly specify security requirements relating to system access control, authentication, transaction authorisation, data integrity, system activity logging, audit trail, security event tracking and exception handling in the early phase of system development or acquisition. The FI shoul… (§ 6.2.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • A certain amount of preliminary work is required to ensure that the gap analysis proceeds smoothly. It is first necessary to inspect all the in-house documentation which controls security-relevant processes, e.g. organisational instructions, work instructions, security instructions, manuals and "inf… (§ 8.4.1 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Review and adjust IT policies, standards, procedures and methodologies to ensure that legal, regulatory and contractual requirements are addressed and communicated. (ME3.2 Optimisation of Response to External Requirements, CobiT, Version 4.1)
  • Measure and evaluate level of compliance to requirements currently and after actions and controls. (A4.2 Analyze Compliance, OCEG GRC Capability Model, v 3.0)
  • The information security governance framework should address the need to measure its success in terms of contribution to the objectives of the organization. (SG.01.01.04e, The Standard of Good Practice for Information Security)
  • The information security governance framework should include a process that requires the governing body to monitor the success of information security management arrangements. (SG.01.01.05c-1, The Standard of Good Practice for Information Security)
  • The information security governance framework should address the need to measure its success in terms of contribution to the objectives of the organization. (SG.01.01.04e, The Standard of Good Practice for Information Security, 2013)
  • The information security governance framework should include a process that requires the governing body to monitor the success of information security management arrangements. (SG.01.01.05c-1, The Standard of Good Practice for Information Security, 2013)
  • Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. (A.18.2.2 Control, ISO 27001:2013, Information Technology - Security Techniques - Information Security Management Systems - Requirements, 2013)
  • set expectations for internal controls, compliance, risk management and risk taking; (§ 6.3.3.1.2 ¶ 1 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • Managers should regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. (§ 18.2.2 Control, ISO/IEC 27002:2013(E), Information technology — Security techniques — Code of practice for information security controls, Second Edition)
  • Compliance with the organization's information security policy, topic-specific policies, rules and standards should be regularly reviewed. (§ 5.36 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • ISMS Auditors should confirm that the determined controls within the scope of the audit are related to the results of the risk assessment and risk treatment process, and can subsequently be traced back to the information security policy and objectives. (§ 6.4.6.2 ¶ 1, ISO/IEC 27007:2020, Information security, cybersecurity and privacy protection — Guidelines for information security management systems auditing, Third Edition)
  • Did the information security policy review contain policy compliance? (§ B.1.33.3, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • The Secretary will conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions when a preliminary review of the facts indicates a possible violation due to willful neglect. (§ 160.308(a), 45 CFR Part 160 - General Administrative Requirements)
  • The Secretary may conduct a compliance review to determine whether a covered entity or business associate is complying with the applicable administrative simplification provisions in any other circumstance. (§ 160.308(b), 45 CFR Part 160 - General Administrative Requirements)
  • Uses metrics to measure security policy implementation, the adequacy of security services delivery, and the impact of security events on business processes. (App A Objective 7.4.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Financial institution management should ensure satisfactory monitoring and reporting of IT activities and risk. These practices should include the following: - Developing metrics to measure performance, efficiency, and compliance with policy. - Developing benchmarks for reviewing performance. - Esta… (III.D Monitoring and Reporting, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether the ITRM process addresses risks with an effective IT control structure in the institution's IT environment and through conformance with external legal and regulatory requirements. (App A Objective 12:3, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Agency managers and employees should identify deficiencies in internal control from the sources of information described above and the results of their assessment process. The assessment process must include an assessment of compliance with each of the Green Book components and principles. In additi… (Section IV (C) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)