compliance controls are associated with this Policy definition 'Govern policies and procedures' (1a2a03a4-9992-5788-5953-d8f6615306de)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
AC-1 |
FedRAMP_High_R4_AC-1 |
FedRAMP High AC-1 |
Access Control |
Access Control Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed.
The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
4 |
| FedRAMP_High_R4 |
AU-1 |
FedRAMP_High_R4_AU-1 |
FedRAMP High AU-1 |
Audit And Accountability |
Audit And Accountability Policy And
Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
4 |
| FedRAMP_Moderate_R4 |
AC-1 |
FedRAMP_Moderate_R4_AC-1 |
FedRAMP Moderate AC-1 |
Access Control |
Access Control Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed.
The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
4 |
| FedRAMP_Moderate_R4 |
AU-1 |
FedRAMP_Moderate_R4_AU-1 |
FedRAMP Moderate AU-1 |
Audit And Accountability |
Audit And Accountability Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
4 |
| hipaa |
0114.04b1Organizational.1-04.b |
hipaa-0114.04b1Organizational.1-04.b |
0114.04b1Organizational.1-04.b |
01 Information Protection Program |
0114.04b1Organizational.1-04.b 04.01 Information Security Policy |
Shared |
n/a |
The security policies are regularly reviewed and updated to ensure they reflect leading practices (e.g., for systems and services development and acquisition), and are communicated throughout the organization. |
|
9 |
| hipaa |
0115.04b2Organizational.123-04.b |
hipaa-0115.04b2Organizational.123-04.b |
0115.04b2Organizational.123-04.b |
01 Information Protection Program |
0115.04b2Organizational.123-04.b 04.01 Information Security Policy |
Shared |
n/a |
The owner of the security policies has management approval and assigned responsibility to develop, review, update (based on specific input), and approve the security policies; and such reviews, updates, and approvals occur no less than annually. |
|
20 |
| hipaa |
12101.09ab1Organizational.3-09.ab |
hipaa-12101.09ab1Organizational.3-09.ab |
12101.09ab1Organizational.3-09.ab |
12 Audit Logging & Monitoring |
12101.09ab1Organizational.3-09.ab 09.10 Monitoring |
Shared |
n/a |
The organization specifies how often audit logs are reviewed, how the reviews are documented, and the specific roles and responsibilities of the personnel conducting the reviews, including the professional certifications or other qualifications required. |
|
18 |
| hipaa |
1780.10a1Organizational.1-10.a |
hipaa-1780.10a1Organizational.1-10.a |
1780.10a1Organizational.1-10.a |
17 Risk Management |
1780.10a1Organizational.1-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
The organization formally addresses the purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance with system and information integrity requirements and facilitates the implementation of system and information integrity requirements/controls. |
|
3 |
| ISO27001-2013 |
A.12.1.1 |
ISO27001-2013_A.12.1.1 |
ISO 27001:2013 A.12.1.1 |
Operations Security |
Documented operating procedures |
Shared |
n/a |
Operating procedures shall be documented and made available to all users who need them. |
link |
31 |
| ISO27001-2013 |
A.18.1.1 |
ISO27001-2013_A.18.1.1 |
ISO 27001:2013 A.18.1.1 |
Compliance |
Identification applicable legislation and contractual requirements |
Shared |
n/a |
All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. |
link |
30 |
| ISO27001-2013 |
A.18.2.2 |
ISO27001-2013_A.18.2.2 |
ISO 27001:2013 A.18.2.2 |
Compliance |
Compliance with security policies and standards |
Shared |
n/a |
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
link |
36 |
| ISO27001-2013 |
A.5.1.1 |
ISO27001-2013_A.5.1.1 |
ISO 27001:2013 A.5.1.1 |
Information Security Policies |
Policies for information security |
Shared |
n/a |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
link |
42 |
| ISO27001-2013 |
A.5.1.2 |
ISO27001-2013_A.5.1.2 |
ISO 27001:2013 A.5.1.2 |
Information Security Policies |
Review of the policies for information security |
Shared |
n/a |
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. |
link |
29 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| ISO27001-2013 |
A.9.1.1 |
ISO27001-2013_A.9.1.1 |
ISO 27001:2013 A.9.1.1 |
Access Control |
Access control policy |
Shared |
n/a |
An access control policy shall be established, documented, and reviewed based on business and information security requirements. |
link |
4 |
| ISO27001-2013 |
C.4.4 |
ISO27001-2013_C.4.4 |
ISO 27001:2013 C.4.4 |
Context of the organization |
Information security management system |
Shared |
n/a |
The organization shall establish, implement, maintain and continually improve an information security
management system, in accordance with the requirements of this International Standard. |
link |
5 |
| ISO27001-2013 |
C.5.1.a |
ISO27001-2013_C.5.1.a |
ISO 27001:2013 C.5.1.a |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
a) ensuring the information security policy and the information security objectives are established
and are compatible with the strategic direction of the organization; |
link |
6 |
| ISO27001-2013 |
C.5.1.b |
ISO27001-2013_C.5.1.b |
ISO 27001:2013 C.5.1.b |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
b) ensuring the integration of the information security management system requirements into the
organization’s processes. |
link |
28 |
| ISO27001-2013 |
C.5.2.a |
ISO27001-2013_C.5.2.a |
ISO 27001:2013 C.5.2.a |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
a) is appropriate to the purpose of the organization. |
link |
4 |
| ISO27001-2013 |
C.5.2.b |
ISO27001-2013_C.5.2.b |
ISO 27001:2013 C.5.2.b |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
b) includes information security objectives (see 6.2) or provides the framework for setting information
security objectives. |
link |
4 |
| ISO27001-2013 |
C.5.2.c |
ISO27001-2013_C.5.2.c |
ISO 27001:2013 C.5.2.c |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
c) includes a commitment to satisfy applicable requirements related to information security. |
link |
23 |
| ISO27001-2013 |
C.5.2.d |
ISO27001-2013_C.5.2.d |
ISO 27001:2013 C.5.2.d |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
d) includes a commitment to continual improvement of the information security management system. |
link |
23 |
| ISO27001-2013 |
C.5.2.e |
ISO27001-2013_C.5.2.e |
ISO 27001:2013 C.5.2.e |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy. The information security policy shall:
e) be available as documented information. |
link |
4 |
| ISO27001-2013 |
C.5.2.f |
ISO27001-2013_C.5.2.f |
ISO 27001:2013 C.5.2.f |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy. The information security policy shall:
f) be communicated within the organization. |
link |
4 |
|
mp.info.1 Personal data |
mp.info.1 Personal data |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
mp.info.2 Rating of information |
mp.info.2 Rating of information |
404 not found |
|
|
|
n/a |
n/a |
|
45 |
|
mp.info.6 Backups |
mp.info.6 Backups |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
mp.s.2 Protection of web services and applications |
mp.s.2 Protection of web services and applications |
404 not found |
|
|
|
n/a |
n/a |
|
102 |
| NIST_SP_800-53_R4 |
AC-1 |
NIST_SP_800-53_R4_AC-1 |
NIST SP 800-53 Rev. 4 AC-1 |
Access Control |
Access Control Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the access control policy and associated access controls; and
b. Reviews and updates the current:
1. Access control policy [Assignment: organization-defined frequency]; and
2. Access control procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed.
The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
4 |
| NIST_SP_800-53_R4 |
AU-1 |
NIST_SP_800-53_R4_AU-1 |
NIST SP 800-53 Rev. 4 AU-1 |
Audit And Accountability |
Audit And Accountability Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls; and
b. Reviews and updates the current:
1. Audit and accountability policy [Assignment: organization-defined frequency]; and
2. Audit and accountability procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AU family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
4 |
| NIST_SP_800-53_R5 |
AC-1 |
NIST_SP_800-53_R5_AC-1 |
NIST SP 800-53 Rev. 5 AC-1 |
Access Control |
Policy and Procedures |
Shared |
n/a |
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (OneOrMore): Organization-level;Mission/business process-level;System-level] access control policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the access control policy and the associated access controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the access control policy and procedures; and
c. Review and update the current access control:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
link |
4 |
| NIST_SP_800-53_R5 |
AU-1 |
NIST_SP_800-53_R5_AU-1 |
NIST SP 800-53 Rev. 5 AU-1 |
Audit and Accountability |
Policy and Procedures |
Shared |
n/a |
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (OneOrMore): Organization-level;Mission/business process-level;System-level] audit and accountability policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the audit and accountability policy and the associated audit and accountability controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the audit and accountability policy and procedures; and
c. Review and update the current audit and accountability:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
link |
4 |
|
op.acc.2 Access requirements |
op.acc.2 Access requirements |
404 not found |
|
|
|
n/a |
n/a |
|
64 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
127 |
| PCI_DSS_v4.0 |
10.1.1 |
PCI_DSS_v4.0_10.1.1 |
PCI DSS v4.0 10.1.1 |
Requirement 10: Log and Monitor All Access to System Components and Cardholder Data |
Processes and mechanisms for logging and monitoring all access to system components and cardholder data are defined and documented |
Shared |
n/a |
All security policies and operational procedures that are identified in Requirement 10 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties. |
link |
4 |
| PCI_DSS_v4.0 |
7.1.1 |
PCI_DSS_v4.0_7.1.1 |
PCI DSS v4.0 7.1.1 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood |
Shared |
n/a |
All security policies and operational procedures that are identified in Requirement 7 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties. |
link |
4 |
| PCI_DSS_v4.0 |
7.1.2 |
PCI_DSS_v4.0_7.1.2 |
PCI DSS v4.0 7.1.2 |
Requirement 07: Restrict Access to System Components and Cardholder Data by Business Need to Know |
Processes and mechanisms for restricting access to system components and cardholder data by business need to know are defined and understood |
Shared |
n/a |
Roles and responsibilities for performing activities in Requirement 7 are documented, assigned, and understood. |
link |
3 |