Disseminate and communicate the testing program to all interested personnel and affected parties.


CONTROL ID
11871
CONTROL TYPE
Communicate
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a testing program., CC ID: 00654

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • An APRA-regulated entity must notify APRA as soon as possible and, in any case, no later than 10 business days, after it becomes aware of a material information security control weakness which the entity expects it will not be able to remediate in a timely manner. (36., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • The management level must be informed regularly and in an appropriate form of the results of the examinations and the status of the security process by the ISO. This should include pointing out successes, problems and potential improvements. The management level is aware of the management reports an… (§ 5.2.1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. (11.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.1 April 2015)
  • Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. (11.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, v3.2.1)
  • Ensure that security policies and operational procedures for security monitoring and testing are documented, in use, and known to all affected parties. (11.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, Version 3.2)
  • Are security policies and operational procedures for security monitoring and testing: - Documented - In use - Known to all affected parties? (11.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.1)
  • Are security policies and operational procedures for security monitoring and testing: - Documented - In use - Known to all affected parties? (11.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Merchants, Version 3.2)
  • Are security policies and operational procedures for security monitoring and testing: - Documented - In use - Known to all affected parties? (11.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.1)
  • Are security policies and operational procedures for security monitoring and testing: - Documented - In use - Known to all affected parties? (11.6, Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers, Version 3.2)
  • Examine documentation and interview personnel to verify that security policies and operational procedures for security monitoring and testing are: - Documented, - In use, and - Known to all affected parties. (11.6, Payment Card Industry (PCI) Data Security Standard, Testing Procedures, Version 3.2)
  • Personnel. (App A Objective 10.2.b, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Inform stakeholders (e.g., collection managers, asset managers, processing, exploitation and dissemination centers) of evaluation results using established procedures. (T0730, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Inform stakeholders (e.g., collection managers, asset managers, processing, exploitation and dissemination centers) of evaluation results using established procedures. (T0730, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)