Authorize and document all exceptions to the internal control framework.
CONTROL ID
06781
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

There are no implementation support Controls.

SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Apart from technology outsourcing, AIs may rely on some outside technology service providers in the provision of technology-related support and services (e.g. telecommunications and network operators). AIs should have in place guidelines on how to manage different kinds of major outside technology s… (7.2.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • The appropriateness of approved exceptions and the assessment of the risks resulting from this are reviewed by an independent third party at least once a year as to whether they reflect a realistic picture of the current and future expected threat environment regarding information security (see SPN-… (Section 5.2 SA-03 Description of additional requirements (confidentiality and availability) ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Monitor account usage to determine dormant accounts, notifying the user or user’s manager. Disable such accounts if not needed, or document and monitor exceptions (e.g., vendor maintenance accounts needed for system recovery or continuity operations). Require that managers match active employees a… (Control 16.6, The CIS Critical Security Controls for Effective Cyber Defense, Version 6.0)
  • The entity's security policies include providing for handling of exceptions and situations that are not specifically addressed in the system security policies. (Security Prin. and Criteria Table § 1.2 l, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system availability and related security policies include providing for handling of exceptions and situations that are not specifically addressed in the system availability and related security policies. (Availability Prin. and Criteria Table § 1.2 l, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's system processing integrity and related security policies include providing for handling of exceptions and situations that are not specifically addressed in the system processing integrity and related security policies. (Processing Integrity Prin. and Criteria Table § 1.2 l, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The entity's policies related to the system's protection of confidential information and security include providing for handling of exceptions and situations that are not specifically addressed in the system confidentiality and related security policies. (Confidentiality Prin. and Criteria Table § 1.2 l, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • The senior manager shall authorize and document any exception from the requirements of the cyber security policy. (§ R2.4, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • Instances where the responsible entity cannot conform to its cyber security policy must be documented as exceptions and authorized by the senior manager or delegate(s). (§ R3, North American Electric Reliability Corporation Critical Infrastructure Protection Cyber Security Standards CIP-003-3, version 3)
  • The organization should document traffic flow policy exceptions with a supporting business or mission need and the duration of the need. (App F § SC-7(4)(d), Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The statement of assurance is made available to the public. However, relevant information that is specifically prohibited from disclosure by any provision of law, or specifically required by Executive Order to protect the interest of national defense or the conduct of foreign affairs, must not be in… (Section VI (H) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)