Include identification of the root cause of the failure of a security control in the Responding to Failures in Security Controls procedure.


CONTROL ID: 15481
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain Responding to Failures in Security Controls procedures. (CC ID: 12514)

There are no implementation support Controls.


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Identifying and documenting the cause(s) of failure, including root cause, and documenting remediation required to address the root cause. (A3.3.1.2 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identifying and documenting the cause(s) of failure and documenting required remediation. (10.7.3 Bullet 3, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Requirements, Version 4.0)
  • Identification of cause(s) of the failure. (10.7.3.b Bullet 1, Payment Card Industry Data Security Standard Requirements and Testing Procedures, Defined Approach Testing Procedures, Version 4.0)
  • Identifying and documenting the cause(s) of failure and documenting required remediation. (10.7.3 Bullet 3, Self-Assessment Questionnaire D for Merchants and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Identifying and documenting the cause(s) of failure and documenting required remediation. (10.7.3 Bullet 3, Self-Assessment Questionnaire D for Service Providers and Attestation of Compliance for use with PCI DSS Version 4.0)
  • Agencies should perform a root-cause analysis of the deficiency to ensure that subsequent strategies and plans address the root of the problem and not just the symptoms. Identifying and developing an understanding of the root cause of control deficiencies is management's responsibility. Management s… (Section V (B) ¶ 1, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)