Audit information systems, as necessary.


CONTROL ID
13010
CONTROL TYPE
Investigate
CLASSIFICATION
Detective

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Audit in scope audit items and compliance documents., CC ID: 06730

This Control has the following implementation support Control(s):
  • Audit the potential costs of compromise to information systems., CC ID: 13012


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • independent assessment are performed by trusted assessors with the necessary expertise in the underlying financial services and/or electronic delivery channel, and who are independent from the parties that design, implement or operate the e-banking service. Moreover, the assessors should be able to … (§ 3.3.1(iii), Hong Kong Monetary Authority Supervisory Policy Manual TM-E-1 Risk Management of E-Banking, v.2)
  • In the operation of computer systems, and development, and modification of systems, it is necessary for auditors who are independent from the computer system-related departments to conduct overall evaluation and verification of computer systems and then report the results of the audit to management … (A1.1. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Auditees include those (including outsourcees) involved in the development and operation of computer systems. In practice, however, it is preferable that individual departments in the head office, the departments that use the computer systems in branch offices, and the departments that implement EUC… (A1.1. ¶ 2, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • Auditing compares current practices against a set of policies/standards/guidelines formulated by the institution, regulator including any legal requirements. Bank management is responsible for demonstrating that the standards it adopts are appropriate for the institution. Audits should not only look… (Critical components of information security 30) b) ¶ 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Carrying out logging and auditing is critical along with correlating server and network logs across virtual and physical infrastructures to reveal security vulnerabilities and risk (EMERGING TECHNOLOGIES AND INFORMATION SECURITY 1 ¶ 9 i., Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Gateways undergo a security assessment by an IRAP assessor at least every 24 months. (Control: ISM-0100; Revision: 11, Australian Government Information Security Manual, June 2023)
  • Gateways undergo a security assessment by an IRAP assessor at least every 24 months. (Control: ISM-0100; Revision: 11, Australian Government Information Security Manual, September 2023)
  • pooled audits organised jointly with other clients of the same service provider, and performed by them and these clients or by a third party appointed by them, to use audit resources more efficiently and to decrease the organisational burden on both the clients and the service provider; (4.13.3 91(a), Final Report on EBA Guidelines on outsourcing arrangements)
  • Obtain independent assurance (internal or external) about the conformance of IT with relevant laws and regulations; the organisation's policies, standards and procedures; generally accepted practices; and the effective and efficient performance of IT. (ME4.7 Independent Assurance, CobiT, Version 4.1)
  • adequate auditing, and monitoring, of information technology to ensure its responsible, including ethical, use and that it meets the governing body's intentions and expectations as well as the organization's compliance obligations; (§ 6.8.3.4 ¶ 2 c), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • the requirements of this document; (§ 9.2.1 ¶ 1 a) 2), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • An audit programme defines the structure and responsibilities for planning, conducting, reporting and following up on individual audit activities. As such it should ensure that audits conducted are appropriate, have the right scope, minimize the impact on the operations of the organization and maint… (§ 9.2 Guidance ¶ 1, ISO/IEC 27003:2017, Information technology — Security techniques — Information security management systems — Guidance, Second Edition, 2017-03)
  • Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. (M1047 Audit, MITRE ATT&CK®, Enterprise Mitigations, Version 13.1)
  • Assess the sufficiency of policies, procedures, Information Systems and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the Licensee's operations, including: (Section 4.C ¶ 1(4), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Verifies mainframe security auditing (e.g., regular review and validation of security controls, privileges, roles, and access profiles). (App A Objective 13:6h Bullet 7, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • The production system is free from security compromises and provides information on the nature and extent of compromises as feasible, should they occur. (§ 6.2.3 ICS-specific Recommendations and Guidance ¶ 1 Bullet 2, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • Develop and implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Design (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity require… (T0301, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Develop and implement cybersecurity independent audit processes for application software/networks/systems and oversee ongoing independent audits to ensure that operational and Research and Design (R&D) processes and procedures are in compliance with organizational and mandatory cybersecurity require… (T0301, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Conduct a periodic assessment of: (1) the nature, sensitivity and location of information that the firm collects, processes and/or stores, and the technology systems it uses; (2) internal and external cybersecurity threats to and vulnerabilities of the firm’s information and technology systems; (3… (CYBERSECURITY GUIDANCE ¶ 3 Bullet 1, IM Guidance Update: Cybersecurity Guidance, No. 2015-02)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the operations of the licensee, including all of the following: (Section 27-62-4(c)(4), Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Assess the sufficiency of policies, procedures, information systems and other safeguards in place to manage the threats identified pursuant to subparagraph (B) of this subdivision by considering such threats in the following areas of such licensee's operations: (Part VI(c)(3)(D), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage a threat identified under paragraph (c)(2) of this section, including consideration of threats in each relevant area of the licensee's operations, including all of the following: (§ 8604.(c)(4), Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the reasonably foreseeable internal or external threats, including consideration of threats in each relevant area of the licensee's operations, including: (§431:3B-202(b)(4), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Assessing the sufficiency of the policies, procedures, information systems, and other safeguards currently in place to manage the threats identified in subdivision (2), including an assessment of threats in each relevant area of the licensee's operations, including the following: (Sec. 17.(4), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Assesses the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats identified in paragraph “b”. This assessment must include consideration of threats identified in each relevant area of the licensee’s operations, including all of the foll… (507F.4 3.d., Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including all of the following: (§2504.C.(4), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including all of the following: (Sec. 555.(3)(d), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including: (§ 60A.9851 Subdivision 3(4), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Assess the sufficiency of policies, procedures, information systems and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee’s operations, including: (§ 83-5-807 (3)(d), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Assess the sufficiency of policies, procedures, information systems and other safeguards in place to manage these threats, including consideration of threats in each relevant area of the licensee's operations, including: (§ 420-P:4 III.(d), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage any threats, including consideration of threats in each relevant area of the licensee's operations, including: (26.1-02.2-03. 3.d., North Dakota Century Code, Title 26.1, Chapter 26.1-02.2, Sections 1-11, Insurance Data Security)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage the threats described in division (C)(2) of this section, including consideration of such threats in each relevant area of the licensee's operations, including all of the following: (Section 3965.02 (C)(4), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage these threats, taking into consideration threats in each relevant area of the licensee's operations, including: (SECTION 38-99-20. (C)(4), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards in place to manage threats throughout the licensee's operations, including in: (§ 56-2-1004 (3)(D), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Assess the sufficiency of policies, procedures, information systems, and other safeguards to manage the threats identified under par. (a) in each relevant area of the licensee's operations, including all of the following: (§ 601.952(2)(c), Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)