Disseminate and communicate the internal control framework to all interested personnel and affected parties.

CONTROL ID: 15229
CONTROL TYPE: Communicate
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • One of the main tasks of the security management is to show the information security risks to the management level and to correspondingly create transparency regarding required decisions or actions. For this, the ISO must get an overview on the business processes and/or specialised tasks that are es… (§ 8.1.2 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to log events on all assets which are used for the development or operation of the cloud service and to store them in a central place. The logging includes def… (Section 5.6 RB-10 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Policies and instructions with technical and organisational safeguards are documented, communicated and provided according to SA-01 in order to ensure the prompt identification and addressing of vulnerabilities over all levels of the cloud service, for which they are responsible. The safeguards incl… (Section 5.6 RB-17 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The organization must post notices and send e-mail to all employees notifying them that the organization follows the ASCDI/NATD Anti-Counterfeit Policy. (Art 5(d), ASCDI/NATD Anti-Counterfeit Policy, Revision 1)
  • Develop and maintain a set of policies to support IT strategy. These policies should include policy intent; roles and responsibilities; exception process; compliance approach; and references to procedures, standards and guidelines. Their relevance should be confirmed and approved regularly. (PO6.3 IT Policies Management, CobiT, Version 4.1)
  • Translate business, risk and compliance requirements into an overall IT security plan, taking into consideration the IT infrastructure and the security culture. Ensure that the plan is implemented in security policies and procedures together with appropriate investments in services, personnel, softw… (DS5.2 IT Security Plan, CobiT, Version 4.1)
  • Trademark owners should educate the public about their trademarks on an ongoing basis. (Best Practices for Trademark Owners - Relating to Search, Online Marketplace, and Shopping Sites ¶ 1, Addressing the Sale of Counterfeits on the Internet)
  • Examine the information security policy and verify that the policy is published and disseminated to all relevant system users. (§ 12.1, Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire D and Attestation of Compliance All other Merchants and all SAQ-Eligible Service Providers, Version 2.0)
  • Interview personnel and examine documentation to verify security policies and operational procedures to manage the firewalls are known to all affected personnel. (Testing Procedures § 1.5 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify operational procedures and security policies for managing vendor defaults and other security parameters are known to all affected parties. (Testing Procedures § 2.5 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify security policies and operational procedures to protect cardholder data are known to all affected parties. (Testing Procedures § 3.7 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify security policies and operational procedures for encrypting cardholder data transmissions are known to all affected parties. (Testing Procedures § 4.3 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify the security policies and operational procedures for protecting systems against malware are known to all affected parties. (Testing Procedures § 5.4 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for developing and maintaining secure systems and applications are known to all affected parties. (Testing Procedures § 6.7 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify the security policies and operational procedures for restricting access to cardholder data are known to all affected parties. (Testing Procedures § 7.3 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the internal processes and user or customer documentation from service providers to verify non-consumer users are given guidance on when and why passwords must be changed. (Testing Procedures § 8.2.4.b Bullet 2, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the authentication policies and procedures to verify they include guidance on how to select strong authentication credentials. (Testing Procedures § 8.4.b Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the authentication policies and procedures to verify they include instructions not to reuse passwords. (Testing Procedures § 8.4.b Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Review the authentication policies and procedures to verify they include instructions to change passwords when they are suspected of being compromised. (Testing Procedures § 8.4.b Bullet 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify security policies and operational procedures for Identification and Authentication are known to all affected parties. (Testing Procedures § 8.8 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the documented policies and procedures to verify they include training personnel to report on tampering or substitution of devices and to be aware of suspicious behavior. (Testing Procedures § 9.9 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine documentation to verify the security policies and operational procedures for restricting physical access to cardholder data are known to all affected parties. (Testing Procedures § 9.10 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for monitoring all access to network resources and cardholder data are known to all affected parties. (Testing Procedures § 10.8 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview personnel and examine the documentation to verify security policies and operational procedures for security monitoring and testing are known to all affected parties. (Testing Procedures § 11.6 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Examine the information security policy and verify it was published and disseminated to all relevant personnel. (Testing Procedures § 12.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • Interview a sample of personnel to verify they understand the security policies. (Testing Procedures § 12.4.b, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures - Testing Procedures, 3)
  • The security policies and operational procedures to manage firewalls must be documented, in use, and known to all affected personnel. (PCI DSS Requirements § 1.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for managing vendor defaults and other security parameters must be documented, implemented, and communicated to all affected parties. (PCI DSS Requirements § 2.5, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The security policies and operational procedures for protecting cardholder data must be documented, implemented, and known to all parties. (PCI DSS Requirements § 3.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for encrypting cardholder data transmissions must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 4.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for protecting systems against malware must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 5.4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for developing and maintaining secure systems and applications must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 6.7, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for restricting access to cardholder data must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 7.3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Authentication policies and procedures must be documented and communicated to all users, to include guidance for selecting strong authentication credentials. (PCI DSS Requirements § 8.4 Bullet 1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Authentication policies and procedures must be documented and communicated to all users, to include instructions not to reuse previously used passwords. (PCI DSS Requirements § 8.4 Bullet 3, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Authentication policies and procedures must be documented and communicated to all users, to include instructions to change a password when there is a suspicion of a password compromise. (PCI DSS Requirements § 8.4 Bullet 4, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for Identification and Authentication must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 8.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operating procedures for restricting physical access to cardholder data must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 9.10, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for monitoring access to cardholder data and network resources must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 10.8, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • Security policies and operational procedures for security monitoring and testing must be documented, implemented, and known to all affected parties. (PCI DSS Requirements § 11.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • A security policy must be established, maintained, published, and disseminated. (PCI DSS Requirements § 12.1, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • A formal security awareness program must be implemented to make personnel aware of how important cardholder data security is. (PCI DSS Requirements § 12.6, Payment Card Industry (PCI) Data Security Standard, Requirements and Security Assessment Procedures, 3.0)
  • The organization's governing body (e.g., board of directors or equivalent) should communicate an information security governance framework. (SG.01.01.01-4, The Standard of Good Practice for Information Security)
  • The information security governance framework should include a process that requires the governing body to communicate the status of high-level information security-related activity to external stakeholders. (SG.01.01.05d-1, The Standard of Good Practice for Information Security)
  • The information security policy should define the Information Security principles to be followed by all staff. (CF.01.01.02-3, The Standard of Good Practice for Information Security)
  • The information security policy should require that staff are made aware of Information Security. (CF.01.01.03d, The Standard of Good Practice for Information Security)
  • The security profile shall contain important details about individuals in the local environment (e.g., staff and contractors), including level of security awareness (i.e., the extent to which individuals understand the importance of Information Security, the level of security required by the organis… (CF.12.01.03e, The Standard of Good Practice for Information Security)
  • The information security policy should be communicated to all staff with access to the organization's information or systems. (CF.01.01.04b-1, The Standard of Good Practice for Information Security)
  • The information security policy should be communicated to all external individuals (e.g., consultants, contractors, and employees of external parties) with access to the organization's information or systems. (CF.01.01.04b-2, The Standard of Good Practice for Information Security)
  • The Digital Rights Management system should reduce the likelihood of users circumventing Digital Rights Management controls by informing Digital Rights Management users of their obligation not to circumvent the Digital Rights Management features (e.g., by printing screenshots or using a camera to pe… (CF.08.08.08b, The Standard of Good Practice for Information Security, 2013)
  • The information security function should represent a 'centre of excellence' for information security by running an ongoing, continuous programme of information security awareness. (CF.01.02.03b-1, The Standard of Good Practice for Information Security, 2013)
  • The service provider shall ensure personnel are aware of how they contribute to fulfilling service requirements and achieving the service management objectives. (§ 4.4.2 ¶ 1(d), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • Management shall communicate the information security policy and the importance of following it to personnel, customers, and suppliers. (§ 6.6.1 ¶ 1(a), ISO 20000-1, Information Technology - Service Management - Part 1: Service Management System Requirements, Second Edition)
  • The cloud service provider should document and communicate its information security capabilities, roles, and responsibilities for the use of its cloud service, along with the information security roles and responsibilities for which the cloud service customer would need to implement and manage as pa… (Annex A: § CLD.6.3.1 Table: Cloud service provider, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • It is management's responsibility to cultivate open communication and transparency about risk and the risk-taking expectations. Management demonstrates that risk is not a discussion to be left for the boardroom. It does that by sending clear and consistent messages to employees that managing risk is… (Keeping Communication Open and Free from Retribution ¶ 1, Enterprise Risk Management - Integrating with Strategy and Performance, June 2017)
  • The organization shares appropriate types of information about the effectiveness of its protective measures with appropriate parties. (PR.IP-8.1, CRI Profile, v1.2)
  • The organization shares appropriate types of information about the effectiveness of its protective measures with appropriate parties. (PR.IP-8.1, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Data processors must develop procedures for processing information requests, the correction or the deletion of personal data, and training the public officials responsible for attention and monitoring. (Art 6.II, Guanajuato Personal Data Protection Law)
  • Has the risk management program been communicated to appropriate constituents? (§ A.1, Shared Assessments Standardized Information Gathering Questionnaire - A. Risk Management, 7.0)
  • Is there an information security policy that has been communicated to appropriate constituents? (§ B.1, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Does the information security policy cover security awareness training and education? (§ B.1.3, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Is the information security policy communicated to constituents? (§ B.1.35, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Is the information security policy communicated to full time employees? (§ B.1.35.1, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Is the information security policy communicated to part time employees? (§ B.1.35.2, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Is the information security policy communicated to contractors? (§ B.1.35.3, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Is the information security policy communicated to temporary employees? (§ B.1.35.4, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • All users should be aware of the procedures and policies for the appropriate use of networks, systems, and applications. Lessons learned from previous incidents should be shared with users. By improving user awareness, the frequency of incidents should decline, especially those that involve maliciou… (§ 3.1.2 ¶ 3, Computer Security Incident Handling Guide, NIST SP 800-61, Revision 1)
  • Provide legal analysis and decisions to inspectors general, privacy officers, oversight and compliance personnel regarding compliance with cybersecurity policies and relevant legal and regulatory requirements. (T0474, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Communicate new developments, breakthroughs, challenges and lessons learned to leadership, and internal and external customers. (T0603, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide enterprise cybersecurity and supply chain risk management guidance. (T0525, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • Provide enterprise cybersecurity and supply chain risk management guidance. (T0525, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Communicate new developments, breakthroughs, challenges and lessons learned to leadership, and internal and external customers. (T0603, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • FMFIA also requires OMB, in consultation with GAO, to establish guidelines for agencies to evaluate their systems of internal control to determine FMFIA compliance. Instead of considering internal control as an isolated management tool, agencies must integrate their efforts to meet the requirements … (Section III ¶ 3, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • Service Organizations are responsible for providing assurances to their customers and assisting customers in understanding the relationship between the service provider's controls and the customer's user controls. Together, service organizations and customers manage the risks of third party provider… (Section III (B1) ¶ 1 Bullet 4 Service Organization Responsibility., OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • The statement of assurance is made available to the public. However, relevant information that is specifically prohibited from disclosure by any provision of law, or specifically required by Executive Order to protect the interest of national defense or the conduct of foreign affairs, must not be in… (Section VI (H) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)