compliance controls are associated with this Policy definition 'Develop security assessment plan' (1c258345-5cd4-30c8-9ef3-5ee4dd5231d6)
Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
FedRAMP_High_R4 |
CA-2 |
FedRAMP_High_R4_CA-2 |
FedRAMP High CA-2 |
Security Assessment And Authorization |
Security Assessments |
Shared |
n/a |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
Supplemental Guidance: Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4.
References: Executive Order 13587; FIPS Publication 199; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137. |
link |
4 |
FedRAMP_Moderate_R4 |
CA-2 |
FedRAMP_Moderate_R4_CA-2 |
FedRAMP Moderate CA-2 |
Security Assessment And Authorization |
Security Assessments |
Shared |
n/a |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
Supplemental Guidance: Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4.
References: Executive Order 13587; FIPS Publication 199; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137. |
link |
4 |
hipaa |
0125.05a3Organizational.2-05.a |
hipaa-0125.05a3Organizational.2-05.a |
0125.05a3Organizational.2-05.a |
01 Information Protection Program |
0125.05a3Organizational.2-05.a 05.01 Internal Organization |
Shared |
n/a |
Annual risk assessments are performed by an independent organization. |
|
8 |
hipaa |
0177.05h1Organizational.12-05.h |
hipaa-0177.05h1Organizational.12-05.h |
0177.05h1Organizational.12-05.h |
01 Information Protection Program |
0177.05h1Organizational.12-05.h 05.01 Internal Organization |
Shared |
n/a |
An independent review of the organization's information security management program is initiated by management to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security. |
|
5 |
hipaa |
0601.06g1Organizational.124-06.g |
hipaa-0601.06g1Organizational.124-06.g |
0601.06g1Organizational.124-06.g |
06 Configuration Management |
0601.06g1Organizational.124-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
Annual compliance reviews are conducted by security or audit individuals using manual or automated tools; if non-compliance is found, appropriate action is taken. |
|
6 |
hipaa |
0604.06g2Organizational.2-06.g |
hipaa-0604.06g2Organizational.2-06.g |
0604.06g2Organizational.2-06.g |
06 Configuration Management |
0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
The organization has developed a continuous monitoring strategy and implemented a continuous monitoring program. |
|
7 |
hipaa |
0614.06h2Organizational.12-06.h |
hipaa-0614.06h2Organizational.12-06.h |
0614.06h2Organizational.12-06.h |
06 Configuration Management |
0614.06h2Organizational.12-06.h 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
Technical compliance checks are performed by an experienced specialist with the assistance of industry standard automated tools, which generate a technical report for subsequent interpretation. These checks are performed annually, but more frequently where needed, based on risk as part of an official risk assessment process. |
|
6 |
hipaa |
068.06g2Organizational.34-06.g |
hipaa-068.06g2Organizational.34-06.g |
068.06g2Organizational.34-06.g |
06 Configuration Management |
068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance |
Shared |
n/a |
The organization employs assessors or assessment teams with a level of independence appropriate to its continuous monitoring strategy to monitor the security controls in the information system on an ongoing basis. |
|
6 |
hipaa |
0709.10m1Organizational.1-10.m |
hipaa-0709.10m1Organizational.1-10.m |
0709.10m1Organizational.1-10.m |
07 Vulnerability Management |
0709.10m1Organizational.1-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
Technical vulnerabilities are identified, evaluated for risk, and corrected in a timely manner. |
|
11 |
hipaa |
0716.10m3Organizational.1-10.m |
hipaa-0716.10m3Organizational.1-10.m |
0716.10m3Organizational.1-10.m |
07 Vulnerability Management |
0716.10m3Organizational.1-10.m 10.06 Technical Vulnerability Management |
Shared |
n/a |
The organization conducts an enterprise security posture review as needed but no less than once within every 365 days, in accordance with organizational information security procedures. |
|
5 |
hipaa |
0914.09s1Organizational.6-09.s |
hipaa-0914.09s1Organizational.6-09.s |
0914.09s1Organizational.6-09.s |
09 Transmission Protection |
0914.09s1Organizational.6-09.s 09.08 Exchange of Information |
Shared |
n/a |
The organization ensures that communication protection requirements, including the security of exchanges of information, are the subject of policy development and compliance audits. |
|
6 |
hipaa |
1796.10a2Organizational.15-10.a |
hipaa-1796.10a2Organizational.15-10.a |
1796.10a2Organizational.15-10.a |
17 Risk Management |
1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems |
Shared |
n/a |
Commercial products other than operating system software used to store and/or process covered information undergo a security assessment and/or security certification by a qualified assessor prior to implementation. |
|
6 |
ISO27001-2013 |
A.14.2.8 |
ISO27001-2013_A.14.2.8 |
ISO 27001:2013 A.14.2.8 |
System Acquisition, Development And Maintenance |
System security testing |
Shared |
n/a |
Testing of security functionality shall be carried out during development. |
link |
8 |
ISO27001-2013 |
A.18.2.2 |
ISO27001-2013_A.18.2.2 |
ISO 27001:2013 A.18.2.2 |
Compliance |
Compliance with security policies and standards |
Shared |
n/a |
Managers shall regularly review the compliance of information processing and procedures within their area of responsibility with the appropriate security policies, standards and any other security requirements. |
link |
36 |
ISO27001-2013 |
A.18.2.3 |
ISO27001-2013_A.18.2.3 |
ISO 27001:2013 A.18.2.3 |
Compliance |
Technical compliance review |
Shared |
n/a |
Information systems shall be regularly reviewed for compliance with the organization's information security policies and standards. |
link |
5 |
ISO27001-2013 |
C.9.2.a.1 |
ISO27001-2013_C.9.2.a.1 |
ISO 27001:2013 C.9.2.a.1 |
Performance Evaluation |
Internal audit |
Shared |
n/a |
The organization shall conduct internal audits at planned intervals to provide information on whether
the information security management system:
a) conforms to
- 1) the organization’s own requirements for its information security management system; and |
link |
1 |
ISO27001-2013 |
C.9.2.a.2 |
ISO27001-2013_C.9.2.a.2 |
ISO 27001:2013 C.9.2.a.2 |
Performance Evaluation |
Internal audit |
Shared |
n/a |
The organization shall conduct internal audits at planned intervals to provide information on whether
the information security management system:
a) conforms to
- 2) the requirements of this International Standard; |
link |
1 |
ISO27001-2013 |
C.9.2.b |
ISO27001-2013_C.9.2.b |
ISO 27001:2013 C.9.2.b |
Performance Evaluation |
Internal audit |
Shared |
n/a |
The organization shall conduct internal audits at planned intervals to provide information on whether
the information security management system:
b) is effectively implemented and maintained. |
link |
1 |
ISO27001-2013 |
C.9.2.c |
ISO27001-2013_C.9.2.c |
ISO 27001:2013 C.9.2.c |
Performance Evaluation |
Internal audit |
Shared |
n/a |
The organization shall conduct internal audits at planned intervals to provide information on whether
the information security management system:
The organization shall:
c) plan, establish, implement and maintain an audit programme(s), including the frequency, methods,
responsibilities, planning requirements and reporting. The audit programme(s) shall take into
consideration the importance of the processes concerned and the results of previous audits. |
link |
2 |
ISO27001-2013 |
C.9.2.d |
ISO27001-2013_C.9.2.d |
ISO 27001:2013 C.9.2.d |
Performance Evaluation |
Internal audit |
Shared |
n/a |
The organization shall conduct internal audits at planned intervals to provide information on whether
the information security management system:
The organization shall:
d) define the audit criteria and scope for each audit. |
link |
1 |
|
mp.sw.2 Acceptance and commissioning |
mp.sw.2 Acceptance and commissioning |
404 not found |
|
|
|
n/a |
n/a |
|
59 |
NIST_SP_800-171_R2_3 |
.12.1 |
NIST_SP_800-171_R2_3.12.1 |
NIST SP 800-171 R2 3.12.1 |
Security Assessment |
Periodically assess the security controls in organizational systems to determine if the controls are effective in their application. |
Shared |
Microsoft and the customer share responsibilities for implementing this requirement. |
Organizations assess security controls in organizational systems and the environments in which those systems operate as part of the system development life cycle. Security controls are the safeguards or countermeasures organizations implement to satisfy security requirements. By assessing the implemented security controls, organizations determine if the security safeguards or countermeasures are in place and operating as intended. Security control assessments ensure that information security is built into organizational systems; identify weaknesses and deficiencies early in the development process; provide essential information needed to make risk-based decisions; and ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls as documented in system security plans. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Organizations can choose to use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of systems during the system life cycle. [SP 800-53] provides guidance on security and privacy controls for systems and organizations. [SP 800-53A] provides guidance on developing security assessment plans and conducting assessments. |
link |
4 |
NIST_SP_800-53_R4 |
CA-2 |
NIST_SP_800-53_R4_CA-2 |
NIST SP 800-53 Rev. 4 CA-2 |
Security Assessment And Authorization |
Security Assessments |
Shared |
n/a |
The organization:
a. Develops a security assessment plan that describes the scope of the assessment including:
1. Security controls and control enhancements under assessment;
2. Assessment procedures to be used to determine security control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
b. Assesses the security controls in the information system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
c. Produces a security assessment report that documents the results of the assessment; and
d. Provides the results of the security control assessment to [Assignment: organization-defined individuals or roles].
Supplemental Guidance: Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4.
References: Executive Order 13587; FIPS Publication 199; NIST Special Publications 800-37, 800-39, 800-53A, 800-115, 800-137. |
link |
4 |
NIST_SP_800-53_R5 |
CA-2 |
NIST_SP_800-53_R5_CA-2 |
NIST SP 800-53 Rev. 5 CA-2 |
Assessment, Authorization, and Monitoring |
Control Assessments |
Shared |
n/a |
a. Select the appropriate assessor or assessment team for the type of assessment to be conducted;
b. Develop a control assessment plan that describes the scope of the assessment including:
1. Controls and control enhancements under assessment;
2. Assessment procedures to be used to determine control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
c. Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
d. Assess the controls in the system and its environment of operation [Assignment: organization-defined frequency] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
e. Produce a control assessment report that document the results of the assessment; and
f. Provide the results of the control assessment to [Assignment: organization-defined individuals or roles]. |
link |
4 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
PCI_DSS_v4.0 |
12.4.1 |
PCI_DSS_v4.0_12.4.1 |
PCI DSS v4.0 12.4.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
PCI DSS compliance is managed |
Shared |
n/a |
Responsibility is established by executive management for the protection of cardholder data and a PCI DSS compliance program to include:
• Overall accountability for maintaining PCI DSS compliance.
• Defining a charter for a PCI DSS compliance program and communication to executive management. |
link |
5 |
PCI_DSS_v4.0 |
12.4.2 |
PCI_DSS_v4.0_12.4.2 |
PCI DSS v4.0 12.4.2 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
PCI DSS compliance is managed |
Shared |
n/a |
Reviews are performed at least once every three months, by personnel other than those responsible for performing the given task to confirm personnel are performing their tasks, in accordance with all security policies and all operational procedures, including but not limited to the following tasks:
• Daily log reviews.
• Configuration reviews for network security controls.
• Applying configuration standards to new systems.
• Responding to security alerts.
• Change-management processes. |
link |
6 |
SOC_2 |
CC4.1 |
SOC_2_CC4.1 |
SOC 2 Type 2 CC4.1 |
Monitoring Activities |
COSO Principle 16 |
Shared |
The customer is responsible for implementing this recommendation. |
• Considers a Mix of Ongoing and Separate Evaluations — Management includes a
balance of ongoing and separate evaluations.
• Considers Rate of Change — Management considers the rate of change in business
and business processes when selecting and developing ongoing and separate evaluations.
• Establishes Baseline Understanding — The design and current state of an internal
control system are used to establish a baseline for ongoing and separate evaluations.
• Uses Knowledgeable Personnel — Evaluators performing ongoing and separate
evaluations have sufficient knowledge to understand what is being evaluated.
• Integrates With Business Processes — Ongoing evaluations are built into the business processes and adjust to changing conditions.
• Adjusts Scope and Frequency — Management varies the scope and frequency of
separate evaluations depending on risk.
Page 26
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
• Objectively Evaluates — Separate evaluations are performed periodically to provide
objective feedback.
Additional point of focus specifically related to all engagements using the trust services criteria:
• Considers Different Types of Ongoing and Separate Evaluations — Management
uses a variety of different types of ongoing and separate evaluations, including penetration testing, independent certification made against established specifications
(for example, ISO certifications), and internal audit assessments |
|
3 |