Implement a corrective action plan in response to the audit report.


CONTROL ID
06777
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Corrective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an audit program., CC ID: 00684

This Control has the following implementation support Control(s):
  • Assign responsibility for remediation actions., CC ID: 13622
  • Monitor and report on the status of mitigation actions in the corrective action plan., CC ID: 15250
  • Review management's response to issues raised in past audit reports., CC ID: 01149
  • Define penalties for uncorrected audit findings or remaining non-compliant with the audit report., CC ID: 08963


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • The communications authority shall notify the critical Database Administrator, in writing, with the actions required to correct the non-compliance, when the audit reveals a violation of the provisions. (§ 49(1)(b), The Electronic Communications and Transactions Act, 2002)
  • The communications authority shall notify the critical Database Administrator, in writing, of the time period for taking remedial action, when the audit reveals violations of the provisions. (§ 49(1)(c), The Electronic Communications and Transactions Act, 2002)
  • the senior management designate which function(s) (e.g. the main business line sponsoring the e-banking service, the risk management function or the internal audit function) to be responsible for the quality of, and undertaking proper follow-up actions arising from e-banking independent assessment. … (§ 3.3.1(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • the senior management designate which function(s) (e.g. the main business line sponsoring the e-banking service, the risk management function or the internal audit function) to be responsible for the quality of, and undertaking proper follow-up actions arising from e-banking independent assessment. … (§ 3.3.1(i), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • IC-1 “General Risk Management Controls” sets out the general objective and the importance of independence and expertise of AIs’ internal audit function. As regards technology audits, AIs are expected to assess periodically their technology risk management process and IT controls. To ensure ade… (2.4.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Reviewing major findings identified from internal and external audits and cybersecurity reviews; endorsing and monitoring the completion of remedial actions; (3.1. ¶ 1 (e), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • Practice Standard § I.5(2)[3]: Before submitting the Internal Control Report, all deficiencies in internal control over financial reporting should be addressed and corrected. Management is required to improve and ensure the internal controls are effective. Practice Standard § II.3(4)[1].C.d: Compa… (Practice Standard § I.5(2)[3], Practice Standard § II.3(4)[1].C.d, Practice Standard § II.3(5)[1], On the Setting of the Standards and Practice Standards for Management Assessment and Audit concerning Internal Control Over Financial Reporting, Provisional Translation)
  • The system-auditing department and the auditees should verify all facts and exchange opinions on any recommendations submitted as a result of a system audit. The organization should correct any problems identified. (O91.3, FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • It is necessary to evaluate the results of checking the security observance status and to reflect it in the revised regulations such as security policy and security standards. (C13.3., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • For any recommendations submitted as a result of system auditing, verification of facts and adequate exchange of opinions should be performed between the system-auditing department and the auditees. Then, it is necessary to take corrective action properly for any problems identified. It is also nece… (A1.4., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • ensuring that appropriate and timely remedial actions are taken to address audit findings; and (5.2.3 (g), Guidelines on Outsourcing)
  • The independent audit and/or expert assessment on the service provider and its sub-contractors may be performed by the institution's internal or external auditors, the service provider's external auditors or by agents appointed by the institution. The appointed persons should possess the requisite k… (5.9.6, Guidelines on Outsourcing)
  • Consequently, a follow-up process to track and monitor IT audit issues, as well as an escalation process to notify the relevant IT and business management of key IT audit issues, should be established. (§ 14.1.4, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • The assessor must develop a compliance report for the Certification Authority that outlines the areas of noncompliance, along with suggested remediation actions. (Control: 1140, Australian Government Information Security Manual: Controls)
  • internal audit — consider the sufficiency of internal audit's coverage, skills, capacity and capabilities with respect to the provision of independent assurance that information security is maintained; form a view as to the effectiveness of information security controls based on audit conclusions;… (8(f)., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • A formal follow-up process including provisions for the timely verification and remediation of critical ICT audit findings should be established. (3.3.6 27, Final Report EBA Guidelines on ICT and security risk management)
  • engages the independent control and internal audit functions to provide assurance that the risks associated with ICT strategy implementation have been identified, assessed and effectively mitigated and that the governance framework in place to implement the ICT strategy is effective; and (Title 2 2.2.2 27.c, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Competent authorities should assess whether the institution has properly identified, assessed and mitigated its ICT risks. This process should be part of the operational risk management framework and congruent to the approach applying to operational risk. (Title 3 3.1 35., Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Based on the conclusions from the internal audit review, financial entities shall establish a formal follow-up process, including rules for the timely verification and remediation of critical ICT audit findings. (Art. 6.7., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • The results of the performance review must be used consistently to make appropriate corrections. This might mean that the security objectives, the security strategy, or the security concept must be changed and the security organisation must be adapted to the requirements. It may make sense to subjec… (§ 4.4 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • The implementation of the security safeguards should be evaluated at regular intervals by means of internal audits. These also serve the purpose of collecting and evaluating the experiences made in day-to-day practice. In addition to audits, it is also necessary to perform drills and awareness-raisin… (§ 7.4 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Integrate the results of the security process checks into the information security process in the form of improvements. (6.1 Bullet 11, BSI-Standard 100-2 IT-Grundschutz Methodology, Version 2.0)
  • Where nonconformities are identified, has the organization established appropriate processes for managing nonconformities and the related corrective actions? (Performance evaluation ¶ 6, ISO 22301: Self-assessment questionnaire)
  • Has the need for action been evaluated to eliminate the root cause of nonconformities to prevent reoccurrence? (Improvement ¶ 2, ISO 22301: Self-assessment questionnaire)
  • Have any actions identified been implemented and reviewed for effectiveness and given rise to improvements to the BCMS? (Improvement ¶ 3, ISO 22301: Self-assessment questionnaire)
  • Are the results of the management review documented, acted upon and communicated to interested parties as appropriate? (Performance evaluation ¶ 9, ISO 22301: Self-assessment questionnaire)
  • Measures for correcting potential deviations are initiated and pursued. (1.5.2 Requirements (must) Bullet 2, Information Security Assessment, Version 5.1)
  • Measures are derived from the results. (5.2.6 Requirements (must) Bullet 5, Information Security Assessment, Version 5.1)
  • Where pooled audits lead to common, shared findings, the PRA expects each participating firm to assess what these findings mean for it individually, and whether they require any follow-up on their part. (§ 8.14, SS2/21 Outsourcing and third party risk management, March 2021)
  • Compliance with objectives related to privacy are reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. (M9.1 Documents and reports compliance review results, Privacy Management Framework, Updated March 1, 2020)
  • The organization should monitor and track the status of the risk mitigation process. (Supplement on Tin, Tantalum, and Tungsten Step 3: C, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • The organizational department overseeing and supporting due diligence should develop and implement modules to help suppliers mitigate risk and conduct due diligence. (Supplement on Tin, Tantalum, and Tungsten Step 4: B.2(b), OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Upstream companies should monitor and track the status of the risk mitigation process. (Supplement on Gold Step 3: § I.D, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Downstream companies should monitor and track the status of the risk mitigation process. (Supplement on Gold Step 3: § II.D, OECD Due Diligence Guidance for Responsible Supply Chains of Minerals from Conflict-Affected and High-Risk Areas, Second Edition)
  • Is progress against the action plan tracked and managed? (Table Row I.19, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Does any action result on account of these summaries, and if so, what kind? (Table Row I.24, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • A continuous improvement plan needs to be implemented and verified when the auditee is found to be non-compliant due to inadequate documentation. (Continuous Improvement Plans ¶ 1, Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditee's continuous improvement plan must include providing the auditor with sufficient documentation to reasonably determine the source of the material. (Continuous Improvement Plans ¶ 3(1), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditee's continuous improvement plan must include approval from the audit review committee before any actions are taken for the disposition of non-compliant material. Material must remain in the state it was furnished in or purchased until the auditee and audit review committee agrees on the di… (Continuous Improvement Plans ¶ 3(2), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditee's continuous improvement plan must include the disposition plan for non-compliant materials and the use of the material or inadequate disposition action absent audit review committee approval will result in immediate noncompliance. (Continuous Improvement Plans ¶ 3(3), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditee's continuous improvement plan must include documented changes to the purchasing policies, which must be implemented inside of 3 months following the audit. (Continuous Improvement Plans ¶ 3(4), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The auditee's continuous improvement plan must include a verification audit by the initial auditor to verify the auditee has implemented the corrective actions. (Continuous Improvement Plans ¶ 3(5), Conflict-Free Smelter (CFS) Program Audit Procedure for Tin, Tantalum, and Tungsten, 21 December 2012)
  • The refinery must implement a corrective action plan if it is found to be non-compliant. (§ D ¶ 2, EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, Jule 12, 2012)
  • The corrective action plan must include documented changes to the refinery's internal management system, which must be implemented inside of 3 months following the audit. (§ D ¶ 2(B), EICC and GeSI Gold Supply Chain Transparency: Smelter Audit, Jule 12, 2012)
  • Obtain and report assurance of compliance and adherence to all internal policies derived from internal directives or external legal, regulatory or contractual requirements, confirming that any corrective actions to address any compliance gaps have been taken by the responsible process owner in a tim… (ME3.4 Positive Assurance of Compliance, CobiT, Version 4.1)
  • Identify and initiate remedial actions based on performance monitoring, assessment and reporting. This includes follow-up of all monitoring, reporting and assessments through: - Review, negotiation and establishment of management responses - Assignment of responsibility for remediation - Tracking of… (ME1.6 Remedial Actions, CobiT, Version 4.1)
  • Identify, initiate, track and implement remedial actions arising from control assessments and reporting. (ME2.7 Remedial Actions, CobiT, Version 4.1)
  • Perform procedures, evaluate results against criteria, make relevant recommendations, and report results and conclusions. (R2.2 Perform Assurance Assessment, OCEG GRC Capability Model, v 3.0)
  • Responsible personnel investigate and act on matters identified as a result of executing control activities. (§ 3 Principle 12 Points of Focus: Takes Corrective Action, COSO Internal Control - Integrated Framework (2013))
  • Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate. (§ 3 Principle 17 Points of Focus: Communicates Deficiencies, COSO Internal Control - Integrated Framework (2013))
  • Action must be taken by the organization to eliminate the cause of nonconformities that are associated with implementing and operating the business continuity management system in order to prevent a recurrence of the nonconformities. Corrective action procedures must define the requirements for iden… (§ 6.1.3, BS 25999-2, Business continuity management. Specification, 2007)
  • Continuous risk assessment can be used by auditors for determining if recommendations have been implemented and if they are reducing the level of risk by linking together data-driven indicators and recommendations. The indicators used to identify and assess risk during the development of the audit s… (§ 5 (Follow-up on Audit Recommendations) ¶ 1, IIA Global Technology Audit Guide (GTAG) 3: Continuous Auditing: Implications for Assurance, Monitoring, and Risk Assessment)
  • The Chief Audit Executive should monitor the implementation status of any agreed upon improvements from the audit report. (§ 5.7 ¶ 1, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • Management shall ensure necessary corrective actions are taken to eliminate detected nonconformities. (§ 4.2.11 ¶ 5, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Management shall verify that actions were taken. (§ 4.2.11 ¶ 5, SAE AS6081, Fraudulent/Counterfeit Electronic Parts: Avoidance, Detection, Mitigation, and Disposition - Distributors)
  • Management must ensure detected discrepancies and their causes are eliminated without undue delay. Follow-up must be done to verify that actions were taken, and the results of the verification must be reported. (§ 4.5.5 ¶ 4, Organizational Resilience: Security, Preparedness, and Continuity Management Systems -- Requirements with Guidance for Use, ASIS SPC.1-2009)
  • (Further Issue 8 § 3.2, ISF Security Audit of Networks)
  • A security audit report should be produced, which provides a set of recommendations relating to each audit finding. (SI.01.04.04b, The Standard of Good Practice for Information Security)
  • A security audit report should be produced, which details the owners of findings and recommendations. (SI.01.04.04c, The Standard of Good Practice for Information Security)
  • A security audit report should be produced, which specifies the need for additional resources (e.g., to address particular audit findings). (SI.01.04.04f, The Standard of Good Practice for Information Security)
  • A security audit report should be produced, which provides a set of recommendations relating to each audit finding. (SI.01.04.04b, The Standard of Good Practice for Information Security, 2013)
  • A security audit report should be produced, which details the owners of findings and recommendations. (SI.01.04.04c, The Standard of Good Practice for Information Security, 2013)
  • A security audit report should be produced, which specifies the need for additional resources (e.g., to address particular audit findings). (SI.01.04.04f, The Standard of Good Practice for Information Security, 2013)
  • The organization should verify that identified vulnerabilities from vulnerability scans were addressed by implementing a control, patching, or accepting the risk. (Critical Control 4.8, Twenty Critical Security Controls for Effective Cyber Defense: Consensus Audit Guidelines, Version 4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders. (A&A-06, Cloud Controls Matrix, v4.0)
  • The management responsible for the audited area shall ensure actions to eliminate detected nonconformities are taken without undue delay. The follow-up activities shall include verifying that actions were taken and reporting the results of the verifications. (§ 8.2.2 ¶ 4, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • When establishing the internal audit programme, the organization shall take into consideration the environmental importance of the processes concerned, changes affecting the organization and the results of previous audits. (§ 9.2.2 ¶ 2, ISO 14001:2015 - Environmental management systems — Requirements with guidance for use, Third Edition)
  • The organization shall implement the corrective action plan. (§ 6.2.5.3(c)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall make recommendations to correct identified variations from planned values or status. (§ 6.3.2.3(a)(8), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall initiate corrective actions to correct project goals or project outputs that are outside the acceptable limits or defined limits. (§ 6.3.2.3(b)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall initiate actions to resolve non-conformity problems. (§ 6.3.2.3(b)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall verify that management takes action once the risk treatment is selected. (§ 6.3.4.3(d)(4), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • The organization shall determine what actions to take when corrective action is required to correct problems due to a changed need. (§ 6.4.9.3(d)(2), ISO 15288-2008 Systems and software engineering - System life cycle processes, R 2008)
  • any follow-up activities to the planned audit; (§ 6.3.2.2 ¶ 3 Bullet 8, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • prepare recommendations, if specified by the audit plan; (§ 6.4.9.1 ¶ 1(c), ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • If applicable, the audit team leader should advise the auditee of situations encountered during the audit that may decrease the confidence that can be placed in the audit conclusions. If defined in the management system or by agreement with the audit client, the participants should agree on the time… (§ 6.4.10 ¶ 3, ISO 19011:2018, Guidelines for auditing management systems, Third edition)
  • Corrections and corrective actions shall be taken absent undue delay to eliminate nonconformities and their causes. (§ 4.5.4.2 ¶ 5, ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of… (§ 9.2 ¶ 4, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of ke… (§ 9.3 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • ensure that any necessary corrective actions are taken without undue delay to eliminate detected nonconformities and their causes; (§ 9.2.2 ¶ 1 f), ISO 22301:2019, Security and resilience — Business continuity management systems — Requirements, Second Edition)
  • implement any action needed; (§ 10.2 ¶ 1 c), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • determine and implement any action needed, including corrective action, in accordance with the hierarchy of controls (see 8.1.2) and the management of change (see 8.1.3); (§ 10.2 ¶ 2 d), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • take appropriate correction and corrective actions without undue delay; (9.2.2 ¶ 1(e), ISO 9001 Quality Management systems - Requirements, Fifth edition 2015-09-15)
  • implement any action needed; (§ 10.1 ¶ 1 c), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • description of short term correction and longer term corrective action to eliminate a detected nonconformity within a defined timeframe; and (§ 9.2 Guidance ¶ 15(k), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • deciding on the corrections in order to limit the impact of the nonconformity. Corrections can include switching to previous, failsafe or other appropriate states. Care should be taken that corrections do not make the situation worse; (§ 10.1 Guidance ¶ 2 Bullet 2, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • As an overall result, the handling process should lead to a managed status regarding the nonconformity and the associated consequences. However, corrections alone will not necessarily prevent recurrence of the nonconformity. (§ 10.1 Guidance ¶ 3, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • implement the corrective actions according to the plan; and (§ 10.1 Guidance ¶ 4(7), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • determine actions needed to correct the cause, evaluating if they are proportionate to the consequences and impact of the nonconformity, and checking they do not have side-effects which may lead to other nonconformities or significant new information security risks; (§ 10.1 Guidance ¶ 4(5), ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Conduct initial remediation actions on the controls and reassess remediated controls. (TASK A-5, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate. (CC4.2 ¶ 2 Bullet 2 Communicates Deficiencies, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Responsible personnel investigate and act on matters identified as a result of executing control activities. (CC5.3 ¶ 2 Bullet 4 Takes Corrective Action, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • Compliance with objectives related to privacy are reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. (P8.1 ¶ 2 Bullet 4 Documents and Reports Compliance Review Results, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • An independent audit function tracks identified issues and corrective actions from internal audits and independent testing/assessments to ensure timely resolution. (GV.AU-3.2, CRI Profile, v1.2)
  • An independent audit function identifies, tracks, and reports significant changes in the organization's cyber risk exposure to the appropriate governing authority (e.g., the Board or one of its committees). (GV.AU-3, CRI Profile, v1.2)
  • An independent audit function tracks identified issues and corrective actions from internal audits and independent testing/assessments to ensure timely resolution. (GV.AU-3.2, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • The organization should verify that appropriate corrective actions are taken to resolve security vulnerabilities and privacy breaches in a timely way. (Table Ref 10.2.4, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • After the service auditor has assessed the risks of material misstatement, paragraphs .20–.21 of AT-C section 205, Examination Engagements, require the service auditor to respond to the assessed risks when designing and performing examination procedures. Specifically, they require the service audi… (¶ 3.04, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Although it is not the objective of a service auditor's engagement, a service auditor may develop recommendations to improve a service organization's controls. The service auditor and service organization management agree on whether and how such recommendations will be communicated. Typically, the s… (¶ 4.94, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If deviations in tests of controls have been identified, it may be helpful to report users for management to disclose, to the extent known, the causative factors for the deviations, the controls that mitigate the effect of the deviations, corrective actions taken, and other qualitative factors that … (¶ 4.20, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If management's responses to deviations in tests of controls are included in the description of the service organization's system, such responses usually are included along with the description of the applicable control and related criteria. In these circumstances, the service auditor should determi… (¶ 4.21, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • If the auditor determines that management has not implemented controls for the significant risks, the auditor should notify the personnel in charge of governance. (§ 314.116, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • Although it is not the objective of a service auditor's engagement, a service auditor may develop recommendations to improve a service organization's controls. The service auditor and service organization management agree on whether and how such recommendations will be communicated. Typically, the s… (¶ 4.100, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • As discussed in paragraph 2.61, one way service organization management can monitor the controls of the subservice organization is by obtaining a SOC 2 report. When management has obtained such a report, management's monitoring procedures should adequately address any description misstatements or de… (¶ 3.169, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • There are material inconsistencies between the other information and the description of the service organization's system, management's assertion, or the service auditor's report. (¶ 4.104 a., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • A material misstatement of fact exists in the other information, the description of the service organization's system, management's assertion, or the service auditor's report. (Other information may bring to light a material misstatement of fact in the description, assertion, or in the service audit… (¶ 4.104 b., SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • The service auditor should take appropriate action when the service auditor concludes that management refuses to correct a misstatement of fact or material inconsistency. (¶ .41, SSAE No. 16 Reporting on Controls at a Service Organization)
  • The practitioner should design and implement overall responses to address the assessed risks of material misstatement for the subject matter or assertion. (AT-C Section 205.20, SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate. (CC4.2 Communicates Deficiencies, Trust Services Criteria)
  • Responsible personnel investigate and act on matters identified as a result of executing control activities. (CC5.3 Takes Corrective Action, Trust Services Criteria)
  • Compliance with objectives related to privacy are reviewed and documented, and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. (P8.1 Documents and Reports Compliance Review Results, Trust Services Criteria)
  • Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate. (CC4.2 ¶ 2 Bullet 2 Communicates Deficiencies, Trust Services Criteria, (includes March 2020 updates))
  • Responsible personnel investigate and act on matters identified as a result of executing control activities. (CC5.3 ¶ 2 Bullet 4 Takes Corrective Action, Trust Services Criteria, (includes March 2020 updates))
  • Compliance with objectives related to privacy are reviewed and documented and the results of such reviews are reported to management. If problems are identified, remediation plans are developed and implemented. (P8.1 ¶ 2 Bullet 4 Documents and Reports Compliance Review Results, Trust Services Criteria, (includes March 2020 updates))
  • The design and operating effectiveness of controls are periodically evaluated against the entity’s commitments and system requirements as they relate to [insert the principle(s) addressed by the engagement: security, availability, processing integrity, confidentiality, or privacy, or any combinati… (CC4.1, TSP 100A - Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy)
  • The insurer is required to provide a description of remedial actions taken or proposed to correct unremediated material weaknesses, if the actions are not described in the accountant's communication. (Section 11.B., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • Annually, each insurer domiciled in this State shall submit to the Commissioner, a written statement by February 15, certifying that the insurer is in compliance with the requirements set forth in Section 4 of this Act. Each insurer shall maintain for examination by the Department all records, sched… (Section 4.I ¶ 1, Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • The responsible entity shall, at least annually, assess adherence to its critical cyber asset information protection program and implement an action plan to remediate deficiencies identified during the assessment. (§ R4.3, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • An entity seeking to contract as a Medicare Advantage (MA) organization must adopt and implement an effective compliance program that includes measures for preventing, detecting, and correcting noncompliance with the Centers for Medicare & Medicaid Services (CMS) program requirements and measures fo… (§ 422.503(b)(4)(vi)(G), 42 CFR Parts 412, 413, 422 et al., Medicare and Medicaid Programs; Electronic Health Record Incentive Program, Final Rule)
  • § 1.1: Within 90 days of receiving the final audit or evaluation report, the CMS business partner shall correct findings, weaknesses, gaps, and other deficiencies, unless otherwise authorized by CMS. § 3.5.5.2 ¶ 2: Within 30 days of receiving the final results of the internal/external audit/revie… (§ 1.1, § 3.5.5.2 ¶ 2, CMS Business Partners Systems Security Manual, Rev. 10)
  • Top management must initiate prompt actions to correct deficiencies and verify the corrective actions are implemented effectively. The organization must designate personnel to assign, track, and update all risk mitigation efforts. These designated personnel must define and authorize the corrective a… (CSR 1.8.7, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • The organization should ensure actions are taken to correct any identified deficiencies. (Pg 6, Obj 3, Bank Secrecy Act (aka The Currency and Foreign Transaction Reporting Act), September 2000)
  • Each agency must develop, document, and implement an information security program agency wide that includes processes for planning, implementing, evaluating, and documenting any remedial actions. (§ 3544(b)(6), Federal Information Security Management Act of 2002, Deprecated)
  • a process for planning, implementing, evaluating, and documenting remedial action to address any deficiencies in the information security policies, procedures, and practices of the agency; (§ 3554(b)(6), Federal Information Security Modernization Act of 2014)
  • If the public accounting firm, after notifying the audit committee of an illegal act, determines that the illegal act has a material effect on the financial statement, remedial action has not been taken in a timely manner by senior management, and failing to take remedial action will cause the audit… (§ 78j-1(b)(2), Securities Exchange Act of 1934)
  • Corrective action(s) shall be conducted, when necessary, including reauditing deficient matters. (§ 820.22, 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • Adequacy and timing of corrective action; (TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 1, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Discuss corrective action and communicate findings. (TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Discuss your findings with management and obtain proposed corrective action and deadlines for remedying significant deficiencies. (TIER I OBJECTIVES AND PROCEDURES Conclusions Objective 13:3, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Discuss corrective action and communicate findings. (App A Objective 13, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Management's responses and corrective actions to audit issues. (App A Objective 6:3 d., FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management takes appropriate and timely action on IT audit findings and recommendations and whether audit or management reports the action to the board of directors or its audit committee. Also, determine if IT audit reviews or tests management's statements regarding the resolution… (TIER I OBJECTIVES AND PROCEDURES Objective 6:1, FFIEC IT Examination Handbook - Audit, April 2012)
  • Determine whether management sufficiently corrects the root causes of all significant deficiencies noted in the audit reports and, if not, determine why corrective action is not sufficient. (TIER I OBJECTIVES AND PROCEDURES Objective 6:3, FFIEC IT Examination Handbook - Audit, April 2012)
  • The auditor should have the authority to require management to respond and take corrective action in a timely manner to any adverse findings. (Pg 8, Exam Tier I Obj 6.1, Exam Tier I Obj 6.3, FFIEC IT Examination Handbook - Audit, August 2003)
  • Adequacy and timing of corrective action. (App A Tier 1 Objectives and Procedures Objective 2:5 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Discuss findings with management and obtain proposed corrective action for significant deficiencies. (AppE.7 Objective 7:2, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Adequacy and timing of corrective action. (AppE.7 Objective 1:2 a., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Management effectively responds to issues raised or problems related to MFS. (AppE.7 Objective 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Resolution of root causes rather than just specific audit deficiencies. (AppE.7 Objective 1:2 b., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Exam Tier II Obj 8.7 Determine the adequacy of the ODFI's practices regarding originators' annual or more frequent security audits of physical, logical, and network security. Determine whether: • The ODFI receives summaries or full audit reports from the originators. • The audits are adequate in… (Exam Tier II Obj 8.7, Exam Tier II Obj 8.15, FFIEC IT Examination Handbook - Retail Payment Systems, March 2004)
  • If a TSP has weak risk management controls requiring corrective action, the TSP's serviced institutions may also have to take remedial actions because the institutions have the ultimate responsibility to properly manage their risks. Management of TSPs and financial institutions should monitor change… (Risk Management ¶ 3, FFIEC IT Examination Handbook - Supervision of Technology Service Providers, October 2012)
  • Review all audit reports related to the FTS and determine the current status of any exceptions noted in the audit report. (Exam Tier I Obj 4.3, FFIEC IT Examination Handbook - Wholesale Payment Systems, July 2004)
  • (SP-5.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Are developed and maintained; (PM-4a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: (PM-4a., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Are developed and maintained; (PM-4a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: (PM-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Are developed and maintained; (PM-4a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: (PM-4a., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: (PM-4a., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Are developed and maintained; (PM-4a.1., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc. (T0264, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Assist in the development of individual/collective development, training, and/or remediation plans. (T0320, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and apply corrective action procedures (T0912, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify and correct potential company compliance gaps and/or areas of risk to ensure full compliance with privacy regulations (T0915, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The smart grid Information System must take predefined actions when an audit processing failure occurs. (SG.AU-5 Requirement 2, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must develop a Plan of Action and Milestones documenting the remedial actions for weaknesses or deficiencies found in security control assessments and to reduce or eliminate known vulnerabilities. (App F § CA-5.a, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must establish and maintain a Plan of Action and Milestones for the security program and associated Information Systems, which includes remedial actions to mitigate risk to operations, assets, individuals, other organizations, and the nation. (App G § PM-4, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Ensure that plans of actions and milestones or remediation plans are in place for vulnerabilities identified during risk assessments, audits, inspections, etc. (T0264, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Identify and correct potential company compliance gaps and/or areas of risk to ensure full compliance with privacy regulations (T0915, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Develop and apply corrective action procedures (T0912, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Assist in the development of individual/collective development, training, and/or remediation plans. (T0320, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are developed and maintained. (PM-4a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems document the remedial information security actions to adequately respond to risk to organizational operations and assets, individuals, oth… (PM-4a.2., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • The organization implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems are reported in accordance with OMB FISMA reporting requirements. (PM-4a.3., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Deprecated, Revision 4, Deprecated)
  • Implements a process for ensuring that plans of action and milestones for the security program and associated organizational information systems: (PM-4a., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Are developed and maintained; (PM-4a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Are developed and maintained; (PM-4a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: (PM-4a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Are developed and maintained; (PM-4a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Implement a process to ensure that plans of action and milestones for the information security, privacy, and supply chain risk management programs and associated organizational systems: (PM-4a., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Management should be responsible for correcting deficiencies in a timely and effective manner. Correcting these deficiencies should be a priority for the organization. Management should track all corrective actions and the resolution of the deficiencies. Management should appoint one employee to ove… (§ V, App A § VI, OMB Circular A-123, Management's Responsibility for Internal Control)
  • As managers consider Office of Inspectors General (OIG), GAO, and other investigative audit reports in identifying and correcting internal control deficiencies, they must be mindful of the statutory requirements included in the Inspector General Act, as amended, and OMB Circular No. A-50, Audit Foll… (Section V (C) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • The board of directors must ensure appropriate actions are taken to correct significant performance degradation or address material issues or changing risks identified during monitoring processes. ("Board of Directors" Bullet 7, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • Employees who directly manage third party relationships should verify that identified issues are addressed by the bank or the third party. ("Bank Employees Who Directly Manage Third-Party Relationships" Bullet 4, Third-Party Relationships Risk Management Guidance, OCC bulletin 2013-29, October 30, 2013)
  • The organization shall correct all deficiencies identified during the independent security reviews of the general support systems and major applications. (§ A.5.a, Appendix III to OMB Circular No. A-130: Security of Federal Automated Information Resources)
  • Each insurer domiciled in this state, annually on or before February 15, shall submit to the commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in this chapter. Each insurer shall maintain for examination by the department all records, sched… (Section 27-62-4(i), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Annual Certification to Commissioner of Domiciliary State. Except as provided in subdivision (10) of this subsection, each insurer domiciled in this state shall submit to the Insurance Commissioner a written statement, not later than February fifteenth, annually, certifying that such insurer is in c… (Part VI(c)(9), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • To the extent an insurer has identified an area, system, or process that requires material improvement, updating, or redesign, document the identification and the remedial effort planned and underway to address the identified area, system, or process. Documentation under this paragraph (i)(3) must b… (§ 8604.(i)(3), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • To the extent an insurer has identified areas, systems, or processes that require material improvement, updating, or redesign, the insurer shall document the identification and the remedial efforts planned and underway to address those areas, systems, or processes. The documentation shall be availab… (§431:3B-208(c), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Annually, not later than April 15, each insurer domiciled in Indiana shall submit to the commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in sections 16 through 19 of this chapter and this section. Each insurer shall maintain for examinati… (Sec. 20.(c), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • An insurer domiciled in this state shall annually submit to the commissioner on or before April 15 a written certification that the insurer is in compliance with this section. Each insurer shall maintain all records, schedules, documentation, and data supporting the insurer’s certification for fiv… (507F.4 8., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • To the extent an insurer identifies areas, systems, or processes that require material improvement, update, or redesign, the insurer shall document the identification and the remediation efforts planned and underway to address the areas, systems, or processes. The documentation shall be made availab… (§2504.I.(3), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Annual certification to superintendent. By April 15th annually, an insurance carrier domiciled in this State shall submit to the superintendent a written statement certifying that the insurance carrier is in compliance with the requirements set forth in this section. An insurance carrier shall maint… (§2264 9., Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • By February 15 of each year, each insurer domiciled in this state shall submit to the director a written statement, certifying that the insurer is in compliance with the requirements of this section. Each insurer shall maintain for examination by the department all records, schedules, and data suppo… (Sec. 555.(9), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • Subject to paragraph (b), by April 15 of each year, an insurer domiciled in this state shall certify in writing to the commissioner that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain all records, schedules, and data supporting this certific… (§ 60A.9851 Subdivision 9(a), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Annually, each insurer domiciled in this state shall submit to the commissioner a written statement by February 15, certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules and d… (§ 83-5-807 (9), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Annually, each insurer domiciled in this state shall submit to the commissioner, a written statement by March 1, certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules and data… (§ 420-P:4 IX., New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Annually, an insurer domiciled in this state shall submit to the commissioner, a written statement by April fifteenth, certifying the insurer is in compliance with the requirements set forth in this section. An insurer shall maintain for examination by the department all records, schedules, and data… (26.1-02.2-03. 10., North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • By the fifteenth day of February of each year, unless otherwise permitted to file on the first day of June in division (I)(2) of this section, each insurer domiciled in this state shall submit to the superintendent of insurance a written statement certifying that the insurer is in compliance with th… (Section 3965.02 (I)(1), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • Annually, each insurer domiciled in this State shall submit to the director, a written statement by February fifteenth, certifying that the insurer is in compliance with the requirements set forth in this section. Each insurer shall maintain for examination by the department all records, schedules, … (SECTION 38-99-20. (I), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • If an insurer identifies areas, systems, or processes requiring material improvement, updating, or redesign, then the insurer must document planned and ongoing remedial efforts to address those areas, systems, or processes, and the documentation must be made available for inspection by the commissio… (§ 56-2-1004 (9)(B), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Beginning in 2023 and annually thereafter, each insurer domiciled in the Commonwealth shall, by February 15, submit to the Commissioner a written statement certifying that the insurer is in compliance with the requirements set forth in this section, any rules adopted pursuant to this article, and an… (§ 38.2-623.H., Code of Virginia, Title 38.2, Chapter 6, Article 2, Sections 621-629, Insurance Data Security Act)
  • Program adjustments. The licensee shall monitor, evaluate, and adjust the information security program under sub. (1) consistent with changes in technology, the sensitivity of the nonpublic information, internal and external threats to nonpublic information, and changes to the licensee's business op… (§ 601.952(4), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)