Review the information that the organization collects, processes, and stores, as necessary.


CONTROL ID: 12988
CONTROL TYPE: Business Processes
CLASSIFICATION: Detective

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain records management procedures., CC ID: 11619

This Control has the following implementation support Control(s):
  • Review the information classification of the information that the organization collects, processes, and stores, as necessary., CC ID: 13008
  • Review the electronic storage media for the information the organization collects and processes., CC ID: 13009
  • Remove non-public information from publicly accessible systems., CC ID: 14246


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • It is common for APRA-regulated entities to leverage existing business continuity impact analyses to assess an information asset's criticality. APRA-regulated entities would also typically maintain processes to systematically assess information asset sensitivity. (33., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • internal review and approval for suitability and adequacy. (7.5.2 ¶ 1 Bullet 3, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • information maintained by the organization is regularly reviewed, revised as necessary and approved by authorized personnel prior to issue; (7.5.3 ¶ 1 Bullet 2, ISO 14004:2016, Environmental management systems — General guidelines on implementation, Third Edition)
  • how and when information is to be collected, analysed and evaluated; (Section 7.5 ¶ 1(b) bullet 3, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • review and approval for suitability and adequacy. (§ 7.5.2 ¶ 1 c), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • The documentation approach should ensure timely review of the documented information and that all documentation changes are subject to approval. Suitable review criteria can be timing related (e.g. maximum time periods between document reviews) or content related. Approval criteria should be defined… (§ 7.5.2 Guidance ¶ 7, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Identify the types of information to be processed, stored, and transmitted by the system. (TASK P-12, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The information may be produced only once or on a recurring basis for use in the execution of a control. The information may be produced manually by management or generated from a system. When the information produced by the system is provided to the service auditor, the service auditor assesses how… (¶ 3.124, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • Control information posted or processed on publicly accessible information systems. (AC.L1-3.1.22 Control Public Information, Cybersecurity Maturity Model Certification, Version 2.0, Level 1)
  • Control information posted or processed on publicly accessible information systems. (AC.L1-3.1.22 Control Public Information, Cybersecurity Maturity Model Certification, Version 2.0, Level 2)
  • Bibliographic citation of the intervention (clinical research/guideline); (§ 170.315 (a) (9) (v) (A) (1), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • For linked referential CDS in paragraph (a)(9)(iv) of this section and drug-drug, drug-allergy interaction checks in paragraph (a)(4) of this section, the developer of the intervention, and where clinically indicated, the bibliographic citation of the intervention (clinical research/guideline). (§ 170.315 (a) (9) (v) (B), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Bibliographic citation of the intervention (clinical research/guideline); (§ 170.315 (a) (9) (v) (A) (1), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • For linked referential CDS in paragraph (a)(9)(iv) of this section and drug-drug, drug-allergy interaction checks in paragraph (a)(4) of this section, the developer of the intervention, and where clinically indicated, the bibliographic citation of the intervention (clinical research/guideline). (§ 170.315 (a) (9) (v) (B), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Definition of a data strategy, evaluation of data and its usage (including the consideration of data planning and the analytics platform), and development of metrics for monitoring data activities. (App A Objective 2:9b Bullet 8, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • Check processing, particularly check imaging, remotely created checks (RCCs), and remote deposit capture (App A Tier 1 Objectives and Procedures Objective 1:1 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Identify the bank staff, customers, and technology service providers (if applicable) involved in the RDC function. Obtain and review reports of RDC volume (number of transactions and dollar ranges) for the financial institution as a whole and for individual customers. (App A Tier 2 Objectives and Procedures N.1 Bullet 1, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Determine the frequency and process for management review of logical and physical access privileges and audit trails/logs. (App A Tier 2 Objectives and Procedures N.9 Bullet 3, FFIEC IT Examination Handbook - Retail Payment Systems, April 2016)
  • Management should use quality information to achieve the entity’s objectives. (13.01, Standards for Internal Control in the Federal Government)
  • Identify the types of information to be processed, stored, or transmitted by a system. (T0942, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Identify the types of information to be processed, stored, or transmitted by a system. (T0942, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct a periodic assessment of: (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3… (CYBERSECURITY GUIDANCE ¶ 3 Bullet 1, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)