Back

Establish, implement, and maintain a system and information integrity policy.


CONTROL ID
14034
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS



This Control directly supports the implied Control(s):
  • Technical security, CC ID: 00508

This Control has the following implementation support Control(s):
  • Include compliance requirements in the system and information integrity policy., CC ID: 14151
  • Include coordination amongst entities in the system and information integrity policy., CC ID: 14150
  • Include management commitment in the system and information integrity policy., CC ID: 14149
  • Include roles and responsibilities in the system and information integrity policy., CC ID: 14148
  • Include the scope in the system and information integrity policy., CC ID: 14147
  • Include the purpose in the system and information integrity policy., CC ID: 14146
  • Disseminate and communicate the system and information integrity policy to interested personnel and affected parties., CC ID: 14145
  • Establish, implement, and maintain system and information integrity procedures., CC ID: 14051


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH



  • For the purposes of adequately protecting ICT systems and with a view to organising response measures, financial entities shall continuously monitor and control the security and functioning of ICT systems and tools and shall minimise the impact of ICT risk on ICT systems through the deployment of ap… (Art. 9.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • Pursuant to federal statutory authority, including the Federal Information Security Modernisation Act of 2014, the OMB and the National Institute of Standards and Technology (NIST) have developed standards which are binding on federal agencies (including criminal law enforcement authorities) and tha… (3.1.1.2 (104), COMMISSION IMPLEMENTING DECISION of 10.7.2023 pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council on the adequate level of protection of personal data under the EU-US Data Privacy Framework)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1., StateRAMP Security Controls Baseline Summary Category 1, Version 1.1)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1., StateRAMP Security Controls Baseline Summary Category 2, Version 1.1)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1., StateRAMP Security Controls Baseline Summary Category 3, Version 1.1)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1., StateRAMP Security Controls Baseline Summary High Sensitivity Level, Version 1.1)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • System and information integrity policy [FedRAMP Assignment: at least annually]; and (SI-1b.1. High Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • System and information integrity policy [FedRAMP Assignment: at least every 3 years]; and (SI-1b.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • System and information integrity policy [FedRAMP Assignment: at least every 3 years]; and (SI-1b.1. Low Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1. Moderate Baseline Controls, FedRAMP Baseline Security Controls, 8/28/2018)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., FedRAMP Security Controls High Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), FedRAMP Security Controls High Baseline, Version 5)
  • Policy [FedRAMP Assignment: at least annually] and following [Assignment: organization-defined events]; and (SI-1c.1., FedRAMP Security Controls High Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., FedRAMP Security Controls Low Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), FedRAMP Security Controls Low Baseline, Version 5)
  • Review and update the current system and information integrity: Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (SI-1c.1., FedRAMP Security Controls Low Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), FedRAMP Security Controls Moderate Baseline, Version 5)
  • Review and update the current system and information integrity: Policy [FedRAMP Assignment: at least every 3 years] and following [Assignment: organization-defined events]; and (SI-1c.1., FedRAMP Security Controls Moderate Baseline, Version 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SI-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SI-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SI-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SI-1c.1., Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SI-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SI-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SI-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SI-1c.1., Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1. Low Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1. Moderate Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1. High Baseline Controls, Guide to Industrial Control Systems (ICS) Security, Revision 2)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, High Impact Baseline, Revision 4)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Low Impact Baseline, Revision 4)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Moderate Impact Baseline, Revision 4)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1., Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SI-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • [Selection (one or more): organization-level; mission/business process-level; system-level] system and information integrity policy that: (SI-1a.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and (SI-1c.1., Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and (SI-1a.1(b), Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • System and information integrity policy [Assignment: organization-defined frequency]; and (SI-1b.1., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1., TX-RAMP Security Controls Baseline Level 1)
  • System and communications protection policy [TX-RAMP Assignment: at least every 3 years]; and (SC-1b.1., TX-RAMP Security Controls Baseline Level 1)
  • System and information integrity policy [TX-RAMP Assignment: at least every 3 years]; and (SI-1b.1., TX-RAMP Security Controls Baseline Level 1)
  • A system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (SI-1a.1., TX-RAMP Security Controls Baseline Level 2)
  • System and communications protection policy [TX-RAMP Assignment: at least every 3 years]; and (SC-1b.1., TX-RAMP Security Controls Baseline Level 2)
  • System and information integrity policy [TX-RAMP Assignment: at least every 3 years]; and (SI-1b.1., TX-RAMP Security Controls Baseline Level 2)