compliance controls are associated with this Policy definition 'Undergo independent security review' (9b55929b-0101-47c0-a16e-d6ac5c7d21f8)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
CA-7 |
FedRAMP_High_R4_CA-7 |
FedRAMP High CA-7 |
Security Assessment And Authorization |
Continuous Monitoring |
Shared |
n/a |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
Supplemental Guidance: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4.
References: OMB Memorandum 11-33; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137; US-CERT Technical Cyber Security Alerts; DoD Information Assurance Vulnerability Alerts. |
link |
3 |
| FedRAMP_High_R4 |
SA-9 |
FedRAMP_High_R4_SA-9 |
FedRAMP High SA-9 |
System And Services Acquisition |
External Information System Services |
Shared |
n/a |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
Supplemental Guidance: External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7.
References: NIST Special Publication 800-35. |
link |
4 |
| FedRAMP_Moderate_R4 |
CA-7 |
FedRAMP_Moderate_R4_CA-7 |
FedRAMP Moderate CA-7 |
Security Assessment And Authorization |
Continuous Monitoring |
Shared |
n/a |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
Supplemental Guidance: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4.
References: OMB Memorandum 11-33; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137; US-CERT Technical Cyber Security Alerts; DoD Information Assurance Vulnerability Alerts. |
link |
3 |
| FedRAMP_Moderate_R4 |
SA-9 |
FedRAMP_Moderate_R4_SA-9 |
FedRAMP Moderate SA-9 |
System And Services Acquisition |
External Information System Services |
Shared |
n/a |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
Supplemental Guidance: External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7.
References: NIST Special Publication 800-35. |
link |
4 |
| hipaa |
0604.06g2Organizational.2-06.g |
hipaa-0604.06g2Organizational.2-06.g |
0604.06g2Organizational.2-06.g |
06 Configuration Management |
0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
The organization has developed a continuous monitoring strategy and implemented a continuous monitoring program. |
|
7 |
| hipaa |
069.06g2Organizational.56-06.g |
hipaa-069.06g2Organizational.56-06.g |
069.06g2Organizational.56-06.g |
06 Configuration Management |
069.06g2Organizational.56-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
The internal security organization reviews and maintains records of compliance results (e.g., organization-defined metrics) in order to better track security trends within the organization, respond to the results of correlation and analysis, and address longer term areas of concern as part of its formal risk assessment process. |
|
7 |
| hipaa |
0824.09m3Organizational.1-09.m |
hipaa-0824.09m3Organizational.1-09.m |
0824.09m3Organizational.1-09.m |
08 Network Protection |
0824.09m3Organizational.1-09.m 09.06 Network Security Management |
Shared |
n/a |
The impact of the loss of network service to the business is defined. |
|
10 |
| hipaa |
0835.09n1Organizational.1-09.n |
hipaa-0835.09n1Organizational.1-09.n |
0835.09n1Organizational.1-09.n |
08 Network Protection |
0835.09n1Organizational.1-09.n 09.06 Network Security Management |
Shared |
n/a |
Agreed services provided by a network service provider/manager are formally managed and monitored to ensure they are provided securely. |
|
7 |
| hipaa |
0837.09.n2Organizational.2-09.n |
hipaa-0837.09.n2Organizational.2-09.n |
0837.09.n2Organizational.2-09.n |
08 Network Protection |
0837.09.n2Organizational.2-09.n 09.06 Network Security Management |
Shared |
n/a |
Formal agreements with external information system providers include specific obligations for security and privacy. |
|
20 |
| hipaa |
0888.09n2Organizational.6-09.n |
hipaa-0888.09n2Organizational.6-09.n |
0888.09n2Organizational.6-09.n |
08 Network Protection |
0888.09n2Organizational.6-09.n 09.06 Network Security Management |
Shared |
n/a |
The contract with the external/outsourced service provider includes the specification that the service provider is responsible for the protection of covered information shared. |
|
17 |
| hipaa |
1408.09e1System.1-09.e |
hipaa-1408.09e1System.1-09.e |
1408.09e1System.1-09.e |
14 Third Party Assurance |
1408.09e1System.1-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
Service Level Agreements (SLAs) or contracts with an agreed service arrangement address liability, service definitions, security controls, and other aspects of services management. |
|
6 |
| hipaa |
1411.09f1System.1-09.f |
hipaa-1411.09f1System.1-09.f |
1411.09f1System.1-09.f |
14 Third Party Assurance |
1411.09f1System.1-09.f 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The results of monitoring activities of third-party services are compared against the Service Level Agreements or contracts at least annually. |
|
9 |
| hipaa |
1422.05j2Organizational.3-05.j |
hipaa-1422.05j2Organizational.3-05.j |
1422.05j2Organizational.3-05.j |
14 Third Party Assurance |
1422.05j2Organizational.3-05.j 05.02 External Parties |
Shared |
n/a |
All security requirements resulting from work with external parties or internal controls are reflected by the agreement with the external party. |
|
6 |
| hipaa |
1423.05j2Organizational.4-05.j |
hipaa-1423.05j2Organizational.4-05.j |
1423.05j2Organizational.4-05.j |
14 Third Party Assurance |
1423.05j2Organizational.4-05.j 05.02 External Parties |
Shared |
n/a |
For all system connections that allow customers to access the organization's computing assets such as websites, kiosks, and public access terminals, the organization provides appropriate text or a link to the organization's privacy policy for data use and protection as well as the customer's responsibilities when accessing the data. |
|
9 |
| hipaa |
1438.09e2System.4-09.e |
hipaa-1438.09e2System.4-09.e |
1438.09e2System.4-09.e |
14 Third Party Assurance |
1438.09e2System.4-09.e 09.02 Control Third Party Service Delivery |
Shared |
n/a |
The service provider protects the company's data with reasonable controls (e.g., policies and procedures) designed to detect, prevent, and mitigate risk. |
|
14 |
| hipaa |
1450.05i2Organizational.2-05.i |
hipaa-1450.05i2Organizational.2-05.i |
1450.05i2Organizational.2-05.i |
14 Third Party Assurance |
1450.05i2Organizational.2-05.i 05.02 External Parties |
Shared |
n/a |
The organization obtains satisfactory assurances that reasonable information security exists across its information supply chain by performing an annual review, which includes all partners/third-party providers upon which their information supply chain depends. |
|
10 |
| hipaa |
1451.05iCSPOrganizational.2-05.i |
hipaa-1451.05iCSPOrganizational.2-05.i |
1451.05iCSPOrganizational.2-05.i |
14 Third Party Assurance |
1451.05iCSPOrganizational.2-05.i 05.02 External Parties |
Shared |
n/a |
Cloud service providers design and implement controls to mitigate and contain data security risks through proper separation of duties, role-based access, and least-privilege access for all personnel within their supply chain. |
|
21 |
| hipaa |
1453.05kCSPOrganizational.2-05.k |
hipaa-1453.05kCSPOrganizational.2-05.k |
1453.05kCSPOrganizational.2-05.k |
14 Third Party Assurance |
1453.05kCSPOrganizational.2-05.k 05.02 External Parties |
Shared |
n/a |
Supply chain agreements (e.g., SLAs) between cloud service providers and customers (tenants) incorporate at least the following mutually-agreed upon provisions and/or terms: (i) scope of business relationship and services offered, data acquisition, exchange and usage, feature sets and functionality, personnel and infrastructure network and systems components for service delivery and support, roles and responsibilities of provider and customer (tenant) and any subcontracted or outsourced business relationships, physical geographical location of hosted services, and any known regulatory compliance considerations; (ii) information security requirements, points of contact, and references to detailed supporting and relevant business processes and technical measures implemented; (iii) notification and/or pre-authorization of any changes controlled by the provider with customer (tenant) impacts; (iv) timely notification of a security incident to all customers (tenants) and other business relationships impacted; (v) assessment and independent verification of compliance with agreement provisions and/or terms (e.g., industry-acceptable certification, attestation audit report, or equivalent forms of assurance) without posing an unacceptable business risk of exposure to the organization being assessed; (vi) expiration of the business relationship and treatment of customer (tenant) data impacted; and, (vii) customer (tenant) service-to-service application (API) and data interoperability and portability requirements for application development and information exchange, usage, and integrity persistence. |
|
10 |
| hipaa |
1454.05kCSPOrganizational.3-05.k |
hipaa-1454.05kCSPOrganizational.3-05.k |
1454.05kCSPOrganizational.3-05.k |
14 Third Party Assurance |
1454.05kCSPOrganizational.3-05.k 05.02 External Parties |
Shared |
n/a |
Service agreements (e.g., SLAs) between providers and customers (tenants) across the relevant supply chain (upstream/downstream) are reviewed consistently and no less than annually to identify any non-conformance to established agreements. The reviews result in actions to address service-level conflicts or inconsistencies resulting from disparate supplier relationships. |
|
8 |
| hipaa |
1455.05kCSPOrganizational.4-05.k |
hipaa-1455.05kCSPOrganizational.4-05.k |
1455.05kCSPOrganizational.4-05.k |
14 Third Party Assurance |
1455.05kCSPOrganizational.4-05.k 05.02 External Parties |
Shared |
n/a |
Third-party service providers demonstrate compliance with information security and confidentiality, access control, service definitions, and service-level agreements included in third-party contracts. Third-party reports, records, and services undergo audit and review at least annually to govern and maintain compliance with the service delivery agreements. |
|
9 |
| ISO27001-2013 |
A.13.1.2 |
ISO27001-2013_A.13.1.2 |
ISO 27001:2013 A.13.1.2 |
Communications Security |
Security of network services |
Shared |
n/a |
Security mechanisms, service levels and management requirements of all network services shall be identified and included in network services agreements, whether these services are provided in-house or outsourced. |
link |
16 |
| ISO27001-2013 |
A.13.2.2 |
ISO27001-2013_A.13.2.2 |
ISO 27001:2013 A.13.2.2 |
Communications Security |
Agreements on information transfer |
Shared |
n/a |
Agreements shall address the secure transfer of business information between the organization and external parties. |
link |
11 |
| ISO27001-2013 |
A.15.2.1 |
ISO27001-2013_A.15.2.1 |
ISO 27001:2013 A.15.2.1 |
Supplier Relationships |
Monitoring and review of supplier services |
Shared |
n/a |
Organizations shall be regularly monitor, review and audit supplier service delivery. |
link |
4 |
| ISO27001-2013 |
A.15.2.2 |
ISO27001-2013_A.15.2.2 |
ISO 27001:2013 A.15.2.2 |
Supplier Relationships |
Managing changes to supplier services |
Shared |
n/a |
Changes to the provision of services by suppliers, including maintaining and improving existing information security policies, procedures and controls, shall be managed, taking account of the criticality of business information, systems and processes involved and re-assessment of risks. |
link |
15 |
| ISO27001-2013 |
A.18.2.2 |
ISO27001-2013_A.18.2.2 |
ISO 27001:2013 A.18.2.2 |
Compliance |
Compliance with security policies and standards |
Shared |
n/a |
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
link |
36 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| ISO27001-2013 |
A.6.1.5 |
ISO27001-2013_A.6.1.5 |
ISO 27001:2013 A.6.1.5 |
Organization of Information Security |
Information security in project management |
Shared |
n/a |
Information security shall be addressed in project management, regardless of the type of the project. |
link |
25 |
| ISO27001-2013 |
A.7.2.1 |
ISO27001-2013_A.7.2.1 |
ISO 27001:2013 A.7.2.1 |
Human Resources Security |
Management responsibilities |
Shared |
n/a |
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. |
link |
26 |
| ISO27001-2013 |
C.9.1.a |
ISO27001-2013_C.9.1.a |
ISO 27001:2013 C.9.1.a |
Performance Evaluation |
Monitoring, measurement, analysis and evaluation |
Shared |
n/a |
The organization shall evaluate the information security performance and the effectiveness of the
information security management system.
The organization shall determine:
a) what needs to be monitored and measured, including information security processes and controls. |
link |
3 |
| ISO27001-2013 |
C.9.1.b |
ISO27001-2013_C.9.1.b |
ISO 27001:2013 C.9.1.b |
Performance Evaluation |
Monitoring, measurement, analysis and evaluation |
Shared |
n/a |
The organization shall evaluate the information security performance and the effectiveness of the
information security management system.
The organization shall determine:
b) the methods for monitoring, measurement, analysis and evaluation, as applicable, to ensure
valid results. |
link |
3 |
| ISO27001-2013 |
C.9.1.c |
ISO27001-2013_C.9.1.c |
ISO 27001:2013 C.9.1.c |
Performance Evaluation |
Monitoring, measurement, analysis and evaluation |
Shared |
n/a |
The organization shall evaluate the information security performance and the effectiveness of the
information security management system.
NOTE The methods selected should produce comparable and reproducible results to be considered valid.
c) when the monitoring and measuring shall be performed.
The organization shall retain appropriate documented information as evidence of the monitoring and
measurement results. |
link |
3 |
| ISO27001-2013 |
C.9.1.d |
ISO27001-2013_C.9.1.d |
ISO 27001:2013 C.9.1.d |
Performance Evaluation |
Monitoring, measurement, analysis and evaluation |
Shared |
n/a |
The organization shall evaluate the information security performance and the effectiveness of the
information security management system.
NOTE The methods selected should produce comparable and reproducible results to be considered valid.
d) who shall monitor and measure;
The organization shall retain appropriate documented information as evidence of the monitoring and
measurement results. |
link |
3 |
| ISO27001-2013 |
C.9.1.e |
ISO27001-2013_C.9.1.e |
ISO 27001:2013 C.9.1.e |
Performance Evaluation |
Monitoring, measurement, analysis and evaluation |
Shared |
n/a |
The organization shall evaluate the information security performance and the effectiveness of the
information security management system.
NOTE The methods selected should produce comparable and reproducible results to be considered valid.
e) when the results from monitoring and measurement shall be analysed and evaluated.
The organization shall retain appropriate documented information as evidence of the monitoring and
measurement results. |
link |
3 |
| ISO27001-2013 |
C.9.1.f |
ISO27001-2013_C.9.1.f |
ISO 27001:2013 C.9.1.f |
Performance Evaluation |
Monitoring, measurement, analysis and evaluation |
Shared |
n/a |
The organization shall evaluate the information security performance and the effectiveness of the
information security management system.
NOTE The methods selected should produce comparable and reproducible results to be considered valid.
f) who shall analyse and evaluate these results.
The organization shall retain appropriate documented information as evidence of the monitoring and
measurement results. |
link |
3 |
|
mp.com.1 Secure perimeter |
mp.com.1 Secure perimeter |
404 not found |
|
|
|
n/a |
n/a |
|
49 |
|
mp.com.2 Protection of confidentiality |
mp.com.2 Protection of confidentiality |
404 not found |
|
|
|
n/a |
n/a |
|
55 |
|
mp.com.3 Protection of integrity and authenticity |
mp.com.3 Protection of integrity and authenticity |
404 not found |
|
|
|
n/a |
n/a |
|
62 |
|
mp.com.4 Separation of information flows on the network |
mp.com.4 Separation of information flows on the network |
404 not found |
|
|
|
n/a |
n/a |
|
51 |
| NIST_SP_800-171_R2_3 |
.12.3 |
NIST_SP_800-171_R2_3.12.3 |
NIST SP 800-171 R2 3.12.3 |
Security Assessment |
Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess and analyze security controls and information security-related risks at a frequency sufficient to support risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Providing access to security information on a continuing basis through reports or dashboards gives organizational officials the capability to make effective and timely risk management decisions. Automation supports more frequent updates to hardware, software, firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Monitoring requirements, including the need for specific monitoring, may also be referenced in other requirements. [SP 800-137] provides guidance on continuous monitoring. |
link |
3 |
| NIST_SP_800-53_R4 |
CA-7 |
NIST_SP_800-53_R4_CA-7 |
NIST SP 800-53 Rev. 4 CA-7 |
Security Assessment And Authorization |
Continuous Monitoring |
Shared |
n/a |
The organization develops a continuous monitoring strategy and implements a continuous monitoring program that includes:
a. Establishment of [Assignment: organization-defined metrics] to be monitored;
b. Establishment of [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessments supporting such monitoring;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of organization-defined metrics in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency].
Supplemental Guidance: Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4.
References: OMB Memorandum 11-33; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137; US-CERT Technical Cyber Security Alerts; DoD Information Assurance Vulnerability Alerts. |
link |
3 |
| NIST_SP_800-53_R4 |
SA-9 |
NIST_SP_800-53_R4_SA-9 |
NIST SP 800-53 Rev. 4 SA-9 |
System And Services Acquisition |
External Information System Services |
Shared |
n/a |
The organization:
a. Requires that providers of external information system services comply with organizational information security requirements and employ [Assignment: organization-defined security controls] in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs [Assignment: organization-defined processes, methods, and techniques] to monitor security control compliance by external service providers on an ongoing basis.
Supplemental Guidance: External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7.
References: NIST Special Publication 800-35. |
link |
4 |
| NIST_SP_800-53_R5 |
CA-7 |
NIST_SP_800-53_R5_CA-7 |
NIST SP 800-53 Rev. 5 CA-7 |
Assessment, Authorization, and Monitoring |
Continuous Monitoring |
Shared |
n/a |
Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:
a. Establishing the following system-level metrics to be monitored: [Assignment: organization-defined system-level metrics];
b. Establishing [Assignment: organization-defined frequencies] for monitoring and [Assignment: organization-defined frequencies] for assessment of control effectiveness;
c. Ongoing control assessments in accordance with the continuous monitoring strategy;
d. Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy;
e. Correlation and analysis of information generated by control assessments and monitoring;
f. Response actions to address results of the analysis of control assessment and monitoring information; and
g. Reporting the security and privacy status of the system to [Assignment: organization-defined personnel or roles] [Assignment: organization-defined frequency]. |
link |
3 |
| NIST_SP_800-53_R5 |
SA-9 |
NIST_SP_800-53_R5_SA-9 |
NIST SP 800-53 Rev. 5 SA-9 |
System and Services Acquisition |
External System Services |
Shared |
n/a |
a. Require that providers of external system services comply with organizational security and privacy requirements and employ the following controls: [Assignment: organization-defined controls];
b. Define and document organizational oversight and user roles and responsibilities with regard to external system services; and
c. Employ the following processes, methods, and techniques to monitor control compliance by external service providers on an ongoing basis: [Assignment: organization-defined processes, methods, and techniques]. |
link |
4 |
|
op.acc.6 Authentication mechanism (organization users) |
op.acc.6 Authentication mechanism (organization users) |
404 not found |
|
|
|
n/a |
n/a |
|
78 |
|
op.exp.2 Security configuration |
op.exp.2 Security configuration |
404 not found |
|
|
|
n/a |
n/a |
|
112 |
|
op.ext.1 Contracting and service level agreements |
op.ext.1 Contracting and service level agreements |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
op.ext.2 Daily management |
op.ext.2 Daily management |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
|
op.ext.4 Interconnection of systems |
op.ext.4 Interconnection of systems |
404 not found |
|
|
|
n/a |
n/a |
|
68 |
|
op.mon.1 Intrusion detection |
op.mon.1 Intrusion detection |
404 not found |
|
|
|
n/a |
n/a |
|
50 |
|
op.mon.2 Metrics system |
op.mon.2 Metrics system |
404 not found |
|
|
|
n/a |
n/a |
|
3 |
|
op.nub.1 Cloud service protection |
op.nub.1 Cloud service protection |
404 not found |
|
|
|
n/a |
n/a |
|
34 |
|
org.1 Security policy |
org.1 Security policy |
404 not found |
|
|
|
n/a |
n/a |
|
94 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
127 |
| PCI_DSS_v4.0 |
12.4.2 |
PCI_DSS_v4.0_12.4.2 |
PCI DSS v4.0 12.4.2 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
PCI DSS compliance is managed |
Shared |
n/a |
Reviews are performed at least once every three months, by personnel other than those responsible for performing the given task to confirm personnel are performing their tasks, in accordance with all security policies and all operational procedures, including but not limited to the following tasks:
• Daily log reviews.
• Configuration reviews for network security controls.
• Applying configuration standards to new systems.
• Responding to security alerts.
• Change-management processes. |
link |
6 |
| PCI_DSS_v4.0 |
12.4.2.1 |
PCI_DSS_v4.0_12.4.2.1 |
PCI DSS v4.0 12.4.2.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
PCI DSS compliance is managed |
Shared |
n/a |
Reviews conducted in accordance with Requirement 12.4.2 are documented to include:
• Results of the reviews.
• Documented remediation actions taken for any tasks that were found to not be performed at Requirement 12.4.2.
• Review and sign-off of results by personnel assigned responsibility for the PCI DSS compliance program. |
link |
7 |
| PCI_DSS_v4.0 |
12.8.4 |
PCI_DSS_v4.0_12.8.4 |
PCI DSS v4.0 12.8.4 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Risk to information assets associated with third-party service provider (TPSP) relationships is managed |
Shared |
n/a |
A program is implemented to monitor TPSPs’ PCI DSS compliance status at least once every 12 months. |
link |
8 |
| PCI_DSS_v4.0 |
12.9.2 |
PCI_DSS_v4.0_12.9.2 |
PCI DSS v4.0 12.9.2 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Third-party service providers (TPSPs) support their customers’ PCI DSS compliance |
Shared |
n/a |
TPSPs support their customers’ requests for information to meet Requirements
12.8.4 and 12.8.5 by providing the following upon customer request:
• PCI DSS compliance status information for any service the TPSP performs on behalf of customers (Requirement 12.8.4).
• Information about which PCI DSS requirements are the responsibility of the TPSP and which are the responsibility of the customer, including any shared responsibilities (Requirement 12.8.5). |
link |
3 |
| SOC_2 |
CC5.3 |
SOC_2_CC5.3 |
SOC 2 Type 2 CC5.3 |
Control Activities |
COSO Principle 12 |
Shared |
The customer is responsible for implementing this recommendation. |
Establishes Policies and Procedures to Support Deployment of Management’s Directives — Management establishes control activities that are built into business
processes and employees’ day-to-day activities through policies establishing what is
expected and relevant procedures specifying actions.
• Establishes Responsibility and Accountability for Executing Policies and Procedures — Management establishes responsibility and accountability for control activities with management (or other designated personnel) of the business unit or function in which the relevant risks reside.
• Performs in a Timely Manner — Responsible personnel perform control activities in
a timely manner as defined by the policies and procedures.
• Takes Corrective Action — Responsible personnel investigate and act on matters
identified as a result of executing control activities.
• Performs Using Competent Personnel — Competent personnel with sufficient authority perform control activities with diligence and continuing focus.
• Reassesses Policies and Procedures — Management periodically reviews control
activities to determine their continued relevance and refreshes them when necessary |
|
4 |
| SWIFT_CSCF_v2022 |
1.1 |
SWIFT_CSCF_v2022_1.1 |
SWIFT CSCF v2022 1.1 |
1. Restrict Internet Access & Protect Critical Systems from General IT Environment |
Ensure the protection of the user's local SWIFT infrastructure from potentially compromised elements of the general IT environment and external environment. |
Shared |
n/a |
A separated secure zone safeguards the user's SWIFT infrastructure from compromises and attacks on the broader enterprise and external environments. |
link |
22 |
| SWIFT_CSCF_v2022 |
2.8.5 |
SWIFT_CSCF_v2022_2.8.5 |
SWIFT CSCF v2022 2.8.5 |
2. Reduce Attack Surface and Vulnerabilities |
Ensure a consistent and effective approach for the customers’ messaging monitoring. |
Shared |
n/a |
Ensure a consistent and effective approach for the customers’ messaging monitoring. |
link |
8 |