Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy.


CONTROL ID
12833
CONTROL TYPE
Testing
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain a compliance testing strategy., CC ID: 00659

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Arranging to conduct a self-assessment of the overall cybersecurity risk management framework on a regular basis; (3.1. ¶ 1 (c), Guidelines for Reducing and Mitigating Hacking Risks Associated with Internet Trading)
  • A regulated institution would normally implement processes that ensure compliance with regulatory and prudential requirements and the internal IT security risk management framework. APRA envisages that this would include ongoing checks by the compliance function (or equivalent), supported by reporti… (¶ 28, APRA Prudential Practice Guide 234: Management of security risk in information and information technology, May 2013)
  • The FTC can investigate compliance with the Principles, as well as false claims of adherence to the Principles or participation in the EU-U.S. DPF by organisations which either are no longer on the DPF List or have never certified. The FTC can enforce compliance by seeking administrative or federal … (2.3.4 (61), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • Evaluate the completeness and effectiveness of management's control over IT processes, policies and contracts through a continuing programme of self-assessment. (ME2.4 Control Self-assessment, CobiT, Version 4.1)
  • Establish a self-assessment approach that integrates assessment of performance, risk, and compliance responsibilities and outcomes with other self-assessments imposed on management. (OCEG GRC Capability Model, v. 3.0, P7.3 Establish an Integrated Approach to Self-Assessment, OCEG GRC Capability Model, v 3.0)
  • The cloud service provider should provide documented evidence to the cloud service customer to substantiate its claim of implementing information security controls. Where individual cloud service customer audits are impractical or can increase risks to information security, the cloud service provide… (§ 18.2.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • Often the service organization's system of internal control includes monitoring activities and system reports for management that permit management to continuously or periodically monitor the operating effectiveness of controls. Management may also make use of internal audit evaluations as part of i… (¶ 2.119, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Periodic evaluation of control effectiveness through self-assessment programs (¶ 2.120 Bullet 2, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, October 15, 2022)
  • Determine whether management uses control self-assessments, risk control self-assessments, or other methods to monitor the effectiveness of IT operations controls and gauge performance, assess the criticality of systems, and identify existing risks. Determine whether management evaluates results and… (App A Objective 17:3, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Independent assurance and security reports (e.g., penetration tests and vulnerability assessments) and internal reports that self-identify concerns related to AIO issues. (App A Objective 1:1d, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Periodic self-assessments performed by the organizational unit being assessed. (App A Objective 10.3.a, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Determine whether management has an adequate method of testing the effectiveness of control design and implementation and whether management and the board appropriately monitor risk mitigation activities. Determine whether management considers all forms of controls, including governance of controls,… (App A Objective 13:5, FFIEC Information Technology Examination Handbook - Management, November 2015)