The following compliance controls are associated with the Policy definition 'Select additional testing for security control assessments' (f78fc35e-1268-0bca-a798-afcba9d2330a).
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CA-2(2) | FedRAMP_High_R4_CA-2(2) | FedRAMP High CA-2 (2) | Security Assessment And Authorization | Specialized Assessments | Shared | n/a | The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].<br>Supplemental Guidance: Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. | link | 1 |
| FedRAMP_Moderate_R4 | CA-2(2) | FedRAMP_Moderate_R4_CA-2(2) | FedRAMP Moderate CA-2 (2) | Security Assessment And Authorization | Specialized Assessments | Shared | n/a | The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].<br>Supplemental Guidance: Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. | link | 1 |
| hipaa | 0177.05h1Organizational.12-05.h | hipaa-0177.05h1Organizational.12-05.h | 0177.05h1Organizational.12-05.h | 01 Information Protection Program | 0177.05h1Organizational.12-05.h 05.01 Internal Organization | Shared | n/a | An independent review of the organization's information security management program is initiated by management to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security. |  | 5 |
| hipaa | 0614.06h2Organizational.12-06.h | hipaa-0614.06h2Organizational.12-06.h | 0614.06h2Organizational.12-06.h | 06 Configuration Management | 0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Shared | n/a | Technical compliance checks are performed by an experienced specialist with the assistance of industry-standard automated tools, which generate a technical report for subsequent interpretation. These checks are performed annually, or more frequently where needed, based on risk as part of an official risk assessment process. |  | 6 |
| hipaa | 0662.09sCSPOrganizational.2-09.s | hipaa-0662.09sCSPOrganizational.2-09.s | 0662.09sCSPOrganizational.2-09.s | 06 Configuration Management | 0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information | Shared | n/a | Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats (e.g., Open Virtualization Format, OVF) to help ensure interoperability, and have documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review. |  | 3 |
| hipaa | 0709.10m1Organizational.1-10.m | hipaa-0709.10m1Organizational.1-10.m | 0709.10m1Organizational.1-10.m | 07 Vulnerability Management | 0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management | Shared | n/a | Technical vulnerabilities are identified, evaluated for risk, and corrected in a timely manner. |  | 11 |
| hipaa | 0712.10m2Organizational.4-10.m | hipaa-0712.10m2Organizational.4-10.m | 0712.10m2Organizational.4-10.m | 07 Vulnerability Management | 0712.10m2Organizational.4-10.m 10.06 Technical Vulnerability Management | Shared | n/a | Internal and external vulnerability assessments of covered information systems, virtualized environments, and networked environments, including both network- and application-layer tests, are performed by a qualified individual on a quarterly basis or after significant changes. |  | 2 |
| hipaa | 12102.09ab1Organizational.4-09.ab | hipaa-12102.09ab1Organizational.4-09.ab | 12102.09ab1Organizational.4-09.ab | 12 Audit Logging & Monitoring | 12102.09ab1Organizational.4-09.ab 09.10 Monitoring | Shared | n/a | The organization periodically tests its monitoring and detection processes, remediates deficiencies, and improves its processes. |  | 7 |
| ISO27001-2013 | A.12.6.1 | ISO27001-2013_A.12.6.1 | ISO 27001:2013 A.12.6.1 | Operations Security | Management of technical vulnerabilities | Shared | n/a | Information about technical vulnerabilities of information systems being used shall be obtained in a timely fashion, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk. | link | 12 |
|  | mp.sw.2 Acceptance and commissioning | mp.sw.2 Acceptance and commissioning |  |  |  |  | n/a | n/a |  | 60 |
| NIST_SP_800-53_R4 | CA-2(2) | NIST_SP_800-53_R4_CA-2(2) | NIST SP 800-53 Rev. 4 CA-2 (2) | Security Assessment And Authorization | Specialized Assessments | Shared | n/a | The organization includes as part of security control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; vulnerability scanning; malicious user testing; insider threat assessment; performance/load testing; [Assignment: organization-defined other forms of security assessment]].<br>Supplemental Guidance: Organizations can employ information system monitoring, insider threat assessments, malicious user testing, and other forms of testing (e.g., verification and validation) to improve readiness by exercising organizational capabilities and indicating current performance levels as a means of focusing actions to improve security. Organizations conduct assessment activities in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards. Authorizing officials approve the assessment methods in coordination with the organizational risk executive function. Organizations can incorporate vulnerabilities uncovered during assessments into vulnerability remediation processes. Related controls: PE-3, SI-2. | link | 1 |
| NIST_SP_800-53_R5 | CA-2(2) | NIST_SP_800-53_R5_CA-2(2) | NIST SP 800-53 Rev. 5 CA-2 (2) | Assessment, Authorization, and Monitoring | Specialized Assessments | Shared | n/a | Include as part of control assessments, [Assignment: organization-defined frequency], [Selection: announced; unannounced], [Selection (one or more): in-depth monitoring; security instrumentation; automated security test cases; vulnerability scanning; malicious user testing; insider threat assessment; performance and load testing; data leakage or data loss assessment; [Assignment: organization-defined other forms of assessment]]. | link | 1 |
| PCI_DSS_v4.0 | 12.4.2 | PCI_DSS_v4.0_12.4.2 | PCI DSS v4.0 12.4.2 | Requirement 12: Support Information Security with Organizational Policies and Programs | PCI DSS compliance is managed | Shared | n/a | Reviews are performed at least once every three months, by personnel other than those responsible for performing the given task, to confirm personnel are performing their tasks in accordance with all security policies and all operational procedures, including but not limited to the following tasks:<br>• Daily log reviews.<br>• Configuration reviews for network security controls.<br>• Applying configuration standards to new systems.<br>• Responding to security alerts.<br>• Change-management processes. | link | 6 |
| SOC_2 | CC4.1 | SOC_2_CC4.1 | SOC 2 Type 2 CC4.1 | Monitoring Activities | COSO Principle 16 | Shared | The customer is responsible for implementing this recommendation. | • Considers a Mix of Ongoing and Separate Evaluations — Management includes a balance of ongoing and separate evaluations.<br>• Considers Rate of Change — Management considers the rate of change in business and business processes when selecting and developing ongoing and separate evaluations.<br>• Establishes Baseline Understanding — The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations.<br>• Uses Knowledgeable Personnel — Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.<br>• Integrates With Business Processes — Ongoing evaluations are built into the business processes and adjust to changing conditions.<br>• Adjusts Scope and Frequency — Management varies the scope and frequency of separate evaluations depending on risk.<br>• Objectively Evaluates — Separate evaluations are performed periodically to provide objective feedback.<br>Additional point of focus specifically related to all engagements using the trust services criteria:<br>• Considers Different Types of Ongoing and Separate Evaluations — Management uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications (for example, ISO certifications), and internal audit assessments. |  | 3 |