Monitoring and measurement


CONTROL ID
00636
CONTROL TYPE
IT Impact Zone
CLASSIFICATION
IT Impact Zone

SUPPORTING AND SUPPORTED CONTROLS

This is a top level control.

This Control has the following implementation support Control(s):
  • Establish and maintain an Information Technology inventory with asset discovery audit trails., CC ID: 00689
  • Establish and maintain Security Control System monitoring and reporting procedures., CC ID: 12506
  • Implement Security Control System monitoring and reporting procedures., CC ID: 13500
  • Respond to failures of security controls., CC ID: 12516
  • Establish and maintain a Responding to Failures in Security Controls procedure., CC ID: 12514
  • Establish, implement, and maintain logging and monitoring operations., CC ID: 00637
  • Establish and maintain a risk monitoring program., CC ID: 00658
  • Establish and maintain testing programs, as necessary., CC ID: 00654
  • Monitor the usage and capacity of critical IT assets., CC ID: 00668
  • Establish and maintain a service management monitoring and metrics program., CC ID: 13916
  • Establish and maintain a compliance monitoring policy., CC ID: 00671
  • Monitor the performance of the governance, risk, and compliance capability., CC ID: 12857
  • Monitor the organizational culture., CC ID: 12782
  • Create a plan of action to correct control deficiencies identified in an audit., CC ID: 00675
  • Monitor the activities to correct control deficiencies identified in an audit., CC ID: 11645
  • Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary., CC ID: 00676
  • Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis., CC ID: 12330
  • Report known security issues to the Board of Directors or Senior Executive Committee on a regular basis., CC ID: 12329
  • Protect against misusing automated audit tools., CC ID: 04547
  • Provide intelligence support to the organization, as necessary., CC ID: 14020


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • § 7.6: The organization shall determine what measuring and monitoring devices are needed to monitor and measure the product to provide evidence that it conforms to the requirements. The organization shall establish procedures to execute monitoring and measurement in such a way to be consistent with… (§ 7.6, § 8.1, ISO 13485:2003 Medical devices -- Quality management systems -- Requirements for regulatory purposes, 2003)
  • The organization should measure risk management performance; periodically measure risk management progress; periodically review the risk management framework, policy, and plan; report on risk, the risk management plan progress, and the degree to which the risk management policy is being followed; an… (§ 4.5, ISO 31000 Risk management -- Principles and guidelines, 2009)
  • The organization must include the following in the information system continuous monitoring activities: information system component controls; configuration management; on-going security control assessment; security impact analyses of system changes; and status reporting. (CSR 1.9.7, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)