compliance controls are associated with this Policy definition 'Review and update system and communications protection policies and procedures' (adf517f3-6dcd-3546-9928-34777d0c277e)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
SC-1 |
FedRAMP_High_R4_SC-1 |
FedRAMP High SC-1 |
System And Communications Protection |
System And Communications Protection Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
1 |
| FedRAMP_Moderate_R4 |
SC-1 |
FedRAMP_Moderate_R4_SC-1 |
FedRAMP Moderate SC-1 |
System And Communications Protection |
System And Communications Protection Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
1 |
| hipaa |
0115.04b2Organizational.123-04.b |
hipaa-0115.04b2Organizational.123-04.b |
0115.04b2Organizational.123-04.b |
01 Information Protection Program |
0115.04b2Organizational.123-04.b 04.01 Information Security Policy |
Shared |
n/a |
The owner of the security policies has management approval and assigned responsibility to develop, review, update (based on specific input), and approve the security policies; and such reviews, updates, and approvals occur no less than annually. |
|
20 |
| hipaa |
0859.09m1Organizational.78-09.m |
hipaa-0859.09m1Organizational.78-09.m |
0859.09m1Organizational.78-09.m |
08 Network Protection |
0859.09m1Organizational.78-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization ensures the security of information in networks, availability of network services and information services using the network, and the protection of connected services from unauthorized access. |
|
14 |
| hipaa |
0866.09m3Organizational.1516-09.m |
hipaa-0866.09m3Organizational.1516-09.m |
0866.09m3Organizational.1516-09.m |
08 Network Protection |
0866.09m3Organizational.1516-09.m 09.06 Network Security Management |
Shared |
n/a |
The organization describes the groups, roles, and responsibilities for the logical management of network components, and ensures coordination of and consistency in the elements of the network infrastructure. |
|
11 |
| hipaa |
0914.09s1Organizational.6-09.s |
hipaa-0914.09s1Organizational.6-09.s |
0914.09s1Organizational.6-09.s |
09 Transmission Protection |
0914.09s1Organizational.6-09.s 09.08 Exchange of Information |
Shared |
n/a |
The organization ensures that communication protection requirements, including the security of exchanges of information, are the subject of policy development and compliance audits. |
|
6 |
| ISO27001-2013 |
A.10.1.1 |
ISO27001-2013_A.10.1.1 |
ISO 27001:2013 A.10.1.1 |
Cryptography |
Policy on the use of cryptographic controls |
Shared |
n/a |
A policy on the use of cryptographic controls for protection of information shall be developed and implemented. |
link |
18 |
| ISO27001-2013 |
A.10.1.2 |
ISO27001-2013_A.10.1.2 |
ISO 27001:2013 A.10.1.2 |
Cryptography |
Key Management |
Shared |
n/a |
A policy on the use, protection and lifetime of cryptographic keys shall be developed and implemented through their whole lifecycle. |
link |
15 |
| ISO27001-2013 |
A.12.1.1 |
ISO27001-2013_A.12.1.1 |
ISO 27001:2013 A.12.1.1 |
Operations Security |
Documented operating procedures |
Shared |
n/a |
Operating procedures shall be documented and made available to all users who need them. |
link |
31 |
| ISO27001-2013 |
A.18.1.1 |
ISO27001-2013_A.18.1.1 |
ISO 27001:2013 A.18.1.1 |
Compliance |
Identification applicable legislation and contractual requirements |
Shared |
n/a |
All relevant legislative statutory, regulatory, contractual requirements and the organization's approach to meet these requirements shall be explicitly identified, documented and kept up to date for each information system and the organization. |
link |
30 |
| ISO27001-2013 |
A.18.2.2 |
ISO27001-2013_A.18.2.2 |
ISO 27001:2013 A.18.2.2 |
Compliance |
Compliance with security policies and standards |
Shared |
n/a |
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
link |
36 |
| ISO27001-2013 |
A.5.1.1 |
ISO27001-2013_A.5.1.1 |
ISO 27001:2013 A.5.1.1 |
Information Security Policies |
Policies for information security |
Shared |
n/a |
A set of policies for information security shall be defined, approved by management, published and communicated to employees and relevant external parties. |
link |
42 |
| ISO27001-2013 |
A.5.1.2 |
ISO27001-2013_A.5.1.2 |
ISO 27001:2013 A.5.1.2 |
Information Security Policies |
Review of the policies for information security |
Shared |
n/a |
The policies for information security shall be reviewed at planned intervals or if significant changes occur to ensure their continuing suitability, adequacy, and effectiveness. |
link |
29 |
| ISO27001-2013 |
A.6.1.1 |
ISO27001-2013_A.6.1.1 |
ISO 27001:2013 A.6.1.1 |
Organization of Information Security |
Information security roles and responsibilities |
Shared |
n/a |
All information security responsibilities shall be clearly defined and allocated. |
link |
73 |
| ISO27001-2013 |
C.5.1.b |
ISO27001-2013_C.5.1.b |
ISO 27001:2013 C.5.1.b |
Leadership |
Leadership and commitment |
Shared |
n/a |
Top management shall demonstrate leadership and commitment with respect to the information
security management system by:
b) ensuring the integration of the information security management system requirements into the
organization’s processes. |
link |
28 |
| ISO27001-2013 |
C.5.2.c |
ISO27001-2013_C.5.2.c |
ISO 27001:2013 C.5.2.c |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
c) includes a commitment to satisfy applicable requirements related to information security. |
link |
23 |
| ISO27001-2013 |
C.5.2.d |
ISO27001-2013_C.5.2.d |
ISO 27001:2013 C.5.2.d |
Leadership |
Policy |
Shared |
n/a |
Top management shall establish an information security policy that:
d) includes a commitment to continual improvement of the information security management system. |
link |
23 |
| NIST_SP_800-53_R4 |
SC-1 |
NIST_SP_800-53_R4_SC-1 |
NIST SP 800-53 Rev. 4 SC-1 |
System And Communications Protection |
System And Communications Protection Policy And Procedures |
Shared |
n/a |
The organization:
a. Develops, documents, and disseminates to [Assignment: organization-defined personnel or roles]:
1. A system and communications protection policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls; and
b. Reviews and updates the current:
1. System and communications protection policy [Assignment: organization-defined frequency]; and
2. System and communications protection procedures [Assignment: organization-defined frequency].
Supplemental Guidance: This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the SC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Enhancements: None.
References: NIST Special Publications 800-12, 800-100. |
link |
1 |
| NIST_SP_800-53_R5 |
SC-1 |
NIST_SP_800-53_R5_SC-1 |
NIST SP 800-53 Rev. 5 SC-1 |
System and Communications Protection |
Policy and Procedures |
Shared |
n/a |
a. Develop, document, and disseminate to [Assignment: organization-defined personnel or roles]:
1. [Selection (OneOrMore): Organization-level;Mission/business process-level;System-level] system and communications protection policy that:
(a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
(b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the system and communications protection policy and the associated system and communications protection controls;
b. Designate an [Assignment: organization-defined official] to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and
c. Review and update the current system and communications protection:
1. Policy [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]; and
2. Procedures [Assignment: organization-defined frequency] and following [Assignment: organization-defined events]. |
link |
1 |
| PCI_DSS_v4.0 |
1.1.1 |
PCI_DSS_v4.0_1.1.1 |
PCI DSS v4.0 1.1.1 |
Requirement 01: Install and Maintain Network Security Controls |
Processes and mechanisms for installing and maintaining network security controls are defined and understood |
Shared |
n/a |
All security policies and operational procedures that are identified in Requirement 1 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties. |
link |
2 |
| PCI_DSS_v4.0 |
11.1.1 |
PCI_DSS_v4.0_11.1.1 |
PCI DSS v4.0 11.1.1 |
Requirement 11: Test Security of Systems and Networks Regularly |
Processes and mechanisms for regularly testing security of systems and networks are defined and understood |
Shared |
n/a |
All security policies and operational procedures that are identified in Requirement 11 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties. |
link |
3 |
| PCI_DSS_v4.0 |
3.1.1 |
PCI_DSS_v4.0_3.1.1 |
PCI DSS v4.0 3.1.1 |
Requirement 03: Protect Stored Account Data |
Processes and mechanisms for protecting stored account data are defined and understood |
Shared |
n/a |
All security policies and operational procedures that are identified in Requirement 3 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties. |
link |
3 |
| PCI_DSS_v4.0 |
4.1.1 |
PCI_DSS_v4.0_4.1.1 |
PCI DSS v4.0 4.1.1 |
Requirement 04: Protect Cardholder Data with Strong Cryptography During Transmission Over Open, Public Networks |
Processes and mechanisms for protecting cardholder data with strong cryptography during transmission over open, public networks are defined and documented |
Shared |
n/a |
All security policies and operational procedures that are identified in Requirement 4 are:
• Documented.
• Kept up to date.
• In use.
• Known to all affected parties. |
link |
1 |