Include monitoring in the corrective action plan.


CONTROL ID
11645
CONTROL TYPE
Monitor and Evaluate Occurrences
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a corrective action plan., CC ID: 00675

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • the AI has an adequate system of checks and balances. Where material control deficiencies are identified, appropriate follow-up actions should be considered and monitored by the Board or senior management. (§ 3.1.1 (iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • the AI has an adequate system of checks and balances. Where material control deficiencies are identified, appropriate follow-up actions should be considered and monitored by the Board or senior management. (§ 3.1.1 (iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, V.3)
  • IC-1 “General Risk Management Controls” sets out the general objective and the importance of independence and expertise of AIs’ internal audit function. As regards technology audits, AIs are expected to assess periodically their technology risk management process and IT controls. To ensure ade… (2.4.1, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Issues identified from testing, including system defects or software bugs, should be properly tracked and addressed. Major issues that could have an adverse impact on the FI's operations or delivery of service to customers should be reported to the project steering committee and addressed prior to d… (§ 5.7.5, Technology Risk Management Guidelines, January 2021)
  • The organization should use the audit/compliance issue tracking process to report and monitor any findings of the assurance testing. (¶ 83, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • Under CPS 234, an APRA-regulated entity must annually review and test its information security response plans to ensure they remain effective and fit-for-purpose. It is important that the success criteria for such tests are clearly defined, including the circumstances under which re-testing would be… (74., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • It is important that success criteria for tests are clearly defined, including the circumstances under which re-testing would be required. Test results would be reported to the appropriate governing body or individual, with associated follow-up actions formally tracked and reported. (81., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Traditionally, assurance work has been executed by Internal Audit. However, given the specialist nature of this work, other appropriately trained and sufficiently independent (to avoid conflicts of interest) IT security experts could be used to complement such work. APRA envisages that any findings … (¶ 83, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • the institution has an ICT risk management reporting in place that provides timely information to senior management and the management body, and which allows senior management and/or the management body to assess and monitor whether the institution's ICT risk mitigation plans and measures are cons… (Title 3 3.3.1 49.d, Final Report Guidelines on ICT Risk Assessment under the Supervisory Review and Evaluation process (SREP))
  • Review and follow-up of internal audits are called for. (§ II.43, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Is there a follow-up with whom to remediate internal audit findings? (Table Row II.43.c, OECD / World Bank Technology Risk Checklist, Version 7.3)
  • Identify and initiate remedial actions based on performance monitoring, assessment and reporting. This includes follow-up of all monitoring, reporting and assessments through: - Review, negotiation and establishment of management responses - Assignment of responsibility for remediation - Tracking of… (ME1.6 Remedial Actions, CobiT, Version 4.1)
  • Identify, initiate, track and implement remedial actions arising from control assessments and reporting. (ME2.7 Remedial Actions, CobiT, Version 4.1)
  • Examine the security policies and procedures to verify procedures have been defined for investigating exceptions and anomalies discovered during the review process. (Testing Procedures § 10.6.3.a, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and observe processes to verify follow-up to anomalies and exceptions is conducted. (Testing Procedures § 10.6.3.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Exceptions and anomalies that are identified during the review process must be investigated. (PCI DSS Requirements § 10.6.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Is follow up to exceptions and anomalies identified during the review process performed? (PCI DSS Question 10.6.3(b), PCI DSS Self-Assessment Questionnaire A-EP and Attestation of Compliance, Version 3.0)
  • Is follow up to exceptions and anomalies identified during the review process performed? (PCI DSS Question 10.6.3(b), PCI DSS Self-Assessment Questionnaire C and Attestation of Compliance, Version 3.0)
  • Is follow up to exceptions and anomalies identified during the review process performed? (PCI DSS Question 10.6.3(b), PCI DSS Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.0)
  • Management tracks whether deficiencies are remediated on a timely basis. (§ 3 Principle 17 Points of Focus: Monitors Corrective Actions, COSO Internal Control - Integrated Framework (2013))
  • An enterprise-wide approach for monitoring the performance of the Information Assurance program should be agreed by executive management, which includes details of any areas of major concern (e.g., key risks) that remain unaddressed. (SG.02.03.05c, The Standard of Good Practice for Information Security)
  • An enterprise-wide approach for monitoring the performance of the Information Assurance program should be agreed by executive management, which includes details of any areas of major concern (e.g., key risks) that remain unaddressed. (SG.02.03.05c, The Standard of Good Practice for Information Security, 2013)
  • Define and implement a process for tracking and reporting vulnerability identification and remediation activities that includes stakeholder notification. (TVM-09, Cloud Controls Matrix, v4.0)
  • Establish, document, approve, communicate, apply, evaluate and maintain a risk-based corrective action plan to remediate audit findings, review and report remediation status to relevant stakeholders. (A&A-06, Cloud Controls Matrix, v4.0)
  • Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews. (CIS Control 7: Safeguard 7.2 Establish and Maintain Remediation Process, CIS Controls, V8)
  • Management of IT security includes the ongoing task of dealing with various follow up activities, which can lead to changes to earlier results and decisions. Follow-up activities include: maintenance, security compliance checking, change management, monitoring, and incident handling. (¶ 6, ISO 13335-3 Information technology - Guidelines for the management of IT Security - Part 3: Techniques for the management of IT Security, 1998)
  • areas to be monitored for potential future noncompliance; (§ 9.3 ¶ 4 c), ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • The management responsible for the area being audited shall ensure that any necessary corrections and corrective actions are taken without undue delay to eliminate detected nonconformities and their causes. Follow-up activities shall include the verification of the actions taken and the reporting of… (§ 9.2 ¶ 4, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • Management reviews shall consider the performance of the organization, including - follow-up actions from previous management reviews, - the need for changes to the BCMS, including the policy and objectives, - opportunities for improvement, - results of BCMS audits and reviews, including those of ke… (§ 9.3 ¶ 3, ISO 22301: Societal Security - Business Continuity Management Systems - Requirements, Corrected Version)
  • The organization should report on risk, progress with its risk management plan, and how closely policy is being followed to ensure risk management is effective and supports the organizational performance. (§ 4.5, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • monitoring the situation to ensure that corrections have had the intended effect and have not produced unintended side-effects; (§ 10.1 Guidance ¶ 2 Bullet 5, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Conduct initial remediation actions on the controls and reassess remediated controls. (TASK A-5, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Management tracks whether deficiencies are remedied on a timely basis. (CC4.2 ¶ 2 Bullet 3 Monitors Corrective Action, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization performs regular enforcement checks to ensure that non-compliance with baseline system security standards is promptly rectified. (PR.IP-1.3, CRI Profile, v1.2)
  • The organization performs regular enforcement checks to ensure that non-compliance with baseline system security standards is promptly rectified. (PR.IP-1.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • The organization should monitor the correction of the issues and vulnerabilities noted in the compliance review to verify corrective action is taken in a timely way. (Table Ref 10.2.3, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • If the auditor determines that management has not implemented controls for the significant risks, the auditor should notify the personnel in charge of governance. (§ 314.116, SAS No. 109, Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatement)
  • whether the matter can be resolved; (AT-C Section 105.28 a., SSAE No. 18, Attestation Standards: Clarification and Recodification)
  • Management tracks whether deficiencies are remedied on a timely basis. (CC4.2 Monitors Corrective Action, Trust Services Criteria)
  • Management tracks whether deficiencies are remedied on a timely basis. (CC4.2 ¶ 2 Bullet 3 Monitors Corrective Action, Trust Services Criteria, (includes March 2020 updates))
  • Reporting – The head of the internal audit function shall report to the audit committee regularly, but no less than annually, on the periodic audit plan, factors that may adversely impact the internal audit function's independence or effectiveness, material findings from completed audits and the a… (Section 15.D., Annual Financial Reporting Model Regulation, NAIC MDL-205, 3rd Quarter 2015)
  • When a web site is supported that has access to scoped systems and data, are the vulnerability scan results tracked? (§ I.5.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is hosted that has access to scoped systems and data, are the vulnerability scan results tracked? (§ I.5.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • When a web site is maintained that has access to scoped systems and data, are the vulnerability scan results tracked? (§ I.5.1, Shared Assessments Standardized Information Gathering Questionnaire - I. Information Systems Acquisition Development & Maintenance, 7.0)
  • Is there an internal audit department with responsibility for identifying and tracking resolution of outstanding regulatory issues? (§ L.1, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Is there a Risk Management department with responsibility for identifying and tracking resolution of outstanding regulatory issues? (§ L.1, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • Is there a compliance department with responsibility for identifying and tracking resolution of outstanding regulatory issues? (§ L.1, Shared Assessments Standardized Information Gathering Questionnaire - L. Compliance, 7.0)
  • § 3.5.2: Business partners must submit monthly plan of action and milestones (POA&M) packages. § 3.5.2.1 ¶ 1: In the case of Federal Information Security Management Act of 2002 (FISMA), CMS business partners shall report and include in the periodic plan of action and milestones (POA&M) report any… (§ 3.5.2, § 3.5.2.1 ¶ 1, § 3.5.2.1 ¶ 2, § 3.5.5.2 ¶ 4, § 3.5.5.2 ¶ 5, CMS Business Partners Systems Security Manual, Rev. 10)
  • Management should identify the reports and define the contents, format, and responsible elements for each software anomaly report. (§ 5.2.1 ¶ 3, General Principles of Software Validation; Final Guidance for Industry and FDA Staff, Version 2.0)
  • Monitoring systems used to track the implementation of recommendations on an ongoing basis (TIER I OBJECTIVES AND PROCEDURES Examination Scope Objective 1:2 Bullet 4, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, February 2015)
  • Retesting to validate corrective action. (App A Objective 1:2d, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Prioritize and track issues through final resolution. (App A Objective 10:28e, FFIEC Business Continuity Planning (BCP) IT Examination Handbook, November 2019)
  • Issues and corrective actions from internal audits and independent testing/assessments are formally tracked to ensure procedures and control lapses are resolved in a timely manner. (Domain 1: Assessment Factor: Risk Management, AUDIT Baseline 3 ¶ 4, FFIEC Cybersecurity Assessment Tool, Baseline, May 2017)
  • Retesting to validate corrective action. (App A Objective 1:2d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Implements corrective action plans to address deviations or negative trends, assigns individuals responsible, and monitors progress to completion. (App A Objective 17:2f, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Methods to track and report on nonconformance to entity policies and the timeliness and remediation progress of all identified vulnerabilities, including those related to security procedures, physical layout, or internal controls. (App A Objective 15:3a Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Developing longer-term action plans to monitor and address issues. (App A Objective 16:4b Bullet 10, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Determine whether IT management participates in the enterprise-wide risk management process to identify and measure risk from the use of IT, support decisions on how to mitigate the risks, implement the mitigation decisions, and monitor and report on the resulting outcomes. (App A Objective 8:4, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • Determine whether management has an adequate method of testing the effectiveness of control design and implementation and whether management and the board appropriately monitor risk mitigation activities. Determine whether management considers all forms of controls, including governance of controls,… (App A Objective 13:5, FFIEC Information Technology Examination Handbook - Management, November 2015)
  • The audit function should verify that effective controls have been implemented and should follow up to ensure any findings have been corrected. (Pg 10, FFIEC IT Examination Handbook - Management)
  • Monitoring systems used to track the implementation of recommendations on an ongoing basis. (AppE.7 Objective 1:2 d., FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Updates existing plan of action and milestones [FedRAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates existing plan of action and milestones [FedRAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Updates existing plan of action and milestones [FedRAMP Assignment: at least monthly] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • Is a follow-up process implemented to ensure material findings and weaknesses are corrected? (IT - Audit Program Q 10, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Was any action taken, and documented, on the vulnerabilities identified during the vulnerability scans? (IT - Servers Q 21, Automated Integrated Regulatory Examination System (AIRES) IT Exam Questionnaires, version 073106A)
  • Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-4b., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-4b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-4b., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Calls for Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to corre… (§ 3, FIPS Pub 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-4b., Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Track audit findings and recommendations to ensure that appropriate mitigation actions are taken. (T0234, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization may regularly review and analyze audit records for unusual activity or inappropriate activity that affects Personally Identifiable Information, investigate suspected violations or suspicious activity, report the findings to the appropriate personnel, and take any necessary actions. (§ 4.3 Bullet Audit Review, Analysis, and Reporting (AU-6), NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must periodically review and update the Plan of Action and Milestones based on security control assessments, security impact analysis, and continuous monitoring activities. (App F § CA-5.b, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Track audit findings and recommendations to ensure that appropriate mitigation actions are taken. (T0234, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Reviews plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-4b., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-4b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Update existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities. (CA-5b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Review plans of action and milestones for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions. (PM-4b., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Updates existing plan of action and milestones [Assignment: organization-defined frequency] based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities. (CA-5b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)