compliance controls are associated with this Policy definition 'Enforce rules of behavior and access agreements' (509552f5-6528-3540-7959-fbeae4832533)
| Control Domain |
Control |
Name |
MetadataId |
Category |
Title |
Owner |
Requirements |
Description |
Info |
Policy# |
| FedRAMP_High_R4 |
PL-4 |
FedRAMP_High_R4_PL-4 |
FedRAMP High PL-4 |
Planning |
Rules Of Behavior |
Shared |
n/a |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and
resign when the rules of behavior are revised/updated.
Supplemental Guidance: This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5.
References: NIST Special Publication 800-18. |
link |
9 |
| FedRAMP_High_R4 |
PS-6 |
FedRAMP_High_R4_PS-6 |
FedRAMP High PS-6 |
Personnel Security |
Access Agreements |
Shared |
n/a |
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8.
References: None. |
link |
5 |
| FedRAMP_Moderate_R4 |
PL-4 |
FedRAMP_Moderate_R4_PL-4 |
FedRAMP Moderate PL-4 |
Planning |
Rules Of Behavior |
Shared |
n/a |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and
resign when the rules of behavior are revised/updated.
Supplemental Guidance: This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5.
References: NIST Special Publication 800-18. |
link |
9 |
| FedRAMP_Moderate_R4 |
PS-6 |
FedRAMP_Moderate_R4_PS-6 |
FedRAMP Moderate PS-6 |
Personnel Security |
Access Agreements |
Shared |
n/a |
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8.
References: None. |
link |
5 |
| hipaa |
0104.02a1Organizational.12-02.a |
hipaa-0104.02a1Organizational.12-02.a |
0104.02a1Organizational.12-02.a |
01 Information Protection Program |
0104.02a1Organizational.12-02.a 02.01 Prior to Employment |
Shared |
n/a |
User security roles and responsibilities are clearly defined and communicated. |
|
14 |
| hipaa |
0109.02d1Organizational.4-02.d |
hipaa-0109.02d1Organizational.4-02.d |
0109.02d1Organizational.4-02.d |
01 Information Protection Program |
0109.02d1Organizational.4-02.d 02.03 During Employment |
Shared |
n/a |
Management ensures users are (i) briefed on their security role(s)/responsibilities, conform with the terms and conditions of employment prior to obtaining access to the organization’s information systems; (ii) provided with guidelines regarding the security expectations of their roles; (iii) motivated to comply with security policies; and, (iv) continue to have the appropriate skills and qualifications for their role(s). |
|
20 |
| hipaa |
0112.02d2Organizational.3-02.d |
hipaa-0112.02d2Organizational.3-02.d |
0112.02d2Organizational.3-02.d |
01 Information Protection Program |
0112.02d2Organizational.3-02.d 02.03 During Employment |
Shared |
n/a |
Acceptable usage is defined and usage is explicitly authorized. |
|
7 |
| hipaa |
0901.09s1Organizational.1-09.s |
hipaa-0901.09s1Organizational.1-09.s |
0901.09s1Organizational.1-09.s |
09 Transmission Protection |
0901.09s1Organizational.1-09.s 09.08 Exchange of Information |
Shared |
n/a |
The organization formally addresses multiple safeguards before allowing the use of information systems for information exchange. |
|
31 |
| hipaa |
1008.01d2System.3-01.d |
hipaa-1008.01d2System.3-01.d |
1008.01d2System.3-01.d |
10 Password Management |
1008.01d2System.3-01.d 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Users sign a statement acknowledging their responsibility to keep passwords confidential. |
|
15 |
| hipaa |
1109.01b1System.479-01.b |
hipaa-1109.01b1System.479-01.b |
1109.01b1System.479-01.b |
11 Access Control |
1109.01b1System.479-01.b 01.02 Authorized Access to Information Systems |
Shared |
n/a |
User registration and deregistration, at a minimum: (i) communicates relevant policies to users and require acknowledgement (e.g., signed or captured electronically); (ii) checks authorization and minimum level of access necessary prior to granting access; (iii) ensures access is appropriate to the business needs (consistent with sensitivity/risk and does not violate segregation of duties requirements); (iv) addresses termination and transfer; (v) ensures default accounts are removed and/or renamed; (vi) removes or blocks critical access rights of users who have changed roles or jobs; and, (vii) automatically removes or disables inactive accounts. |
|
24 |
| hipaa |
1110.01b1System.5-01.b |
hipaa-1110.01b1System.5-01.b |
1110.01b1System.5-01.b |
11 Access Control |
1110.01b1System.5-01.b 01.02 Authorized Access to Information Systems |
Shared |
n/a |
Users are given a written statement of their access rights, which they are required to sign stating they understand the conditions of access. Guest/anonymous, shared/group, emergency and temporary accounts are specifically authorized and use monitored. |
|
11 |
| hipaa |
1128.01q2System.5-01.q |
hipaa-1128.01q2System.5-01.q |
1128.01q2System.5-01.q |
11 Access Control |
1128.01q2System.5-01.q 01.05 Operating System Access Control |
Shared |
n/a |
Help desk support requires user identification for any transaction that has information security implications. |
|
3 |
| hipaa |
1137.06e1Organizational.1-06.e |
hipaa-1137.06e1Organizational.1-06.e |
1137.06e1Organizational.1-06.e |
11 Access Control |
1137.06e1Organizational.1-06.e 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Acceptable use agreements are signed by all employees before being allowed access to information assets. |
|
8 |
| hipaa |
1201.06e1Organizational.2-06.e |
hipaa-1201.06e1Organizational.2-06.e |
1201.06e1Organizational.2-06.e |
12 Audit Logging & Monitoring |
1201.06e1Organizational.2-06.e 06.01 Compliance with Legal Requirements |
Shared |
n/a |
The organization provides notice that the employee's actions may be monitored, and that the employee consents to such monitoring. |
|
12 |
| hipaa |
1301.02e1Organizational.12-02.e |
hipaa-1301.02e1Organizational.12-02.e |
1301.02e1Organizational.12-02.e |
13 Education, Training and Awareness |
1301.02e1Organizational.12-02.e 02.03 During Employment |
Shared |
n/a |
Employees and contractors receive documented initial (as part of their onboarding within 60 days of hire), annual, and ongoing training on their roles related to security and privacy. |
|
17 |
| hipaa |
1302.02e2Organizational.134-02.e |
hipaa-1302.02e2Organizational.134-02.e |
1302.02e2Organizational.134-02.e |
13 Education, Training and Awareness |
1302.02e2Organizational.134-02.e 02.03 During Employment |
Shared |
n/a |
Dedicated security and privacy awareness training is developed as part of the organization's onboarding program, is documented and tracked, and includes the recognition and reporting of potential indicators of an insider threat. |
|
19 |
| hipaa |
1303.02e2Organizational.2-02.e |
hipaa-1303.02e2Organizational.2-02.e |
1303.02e2Organizational.2-02.e |
13 Education, Training and Awareness |
1303.02e2Organizational.2-02.e 02.03 During Employment |
Shared |
n/a |
Employees sign acceptance/acknowledgement of their security and privacy responsibilities. |
|
8 |
| hipaa |
1306.06e1Organizational.5-06.e |
hipaa-1306.06e1Organizational.5-06.e |
1306.06e1Organizational.5-06.e |
13 Education, Training and Awareness |
1306.06e1Organizational.5-06.e 06.01 Compliance with Legal Requirements |
Shared |
n/a |
Employees and contractors are informed in writing that violations of the security policies will result in sanctions or disciplinary action. |
|
11 |
| hipaa |
1307.07c1Organizational.124-07.c |
hipaa-1307.07c1Organizational.124-07.c |
1307.07c1Organizational.124-07.c |
13 Education, Training and Awareness |
1307.07c1Organizational.124-07.c 07.01 Responsibility for Assets |
Shared |
n/a |
The organization defines rules to describe user responsibilities and acceptable behavior for information system usage, including at a minimum, rules for email, Internet, mobile devices, social media and facility usage. |
|
9 |
| hipaa |
1308.09j1Organizational.5-09.j |
hipaa-1308.09j1Organizational.5-09.j |
1308.09j1Organizational.5-09.j |
13 Education, Training and Awareness |
1308.09j1Organizational.5-09.j 09.04 Protection Against Malicious and Mobile Code |
Shared |
n/a |
The organization prohibits users from installing unauthorized software, including data and software from external networks, and ensures users are made aware and trained on these requirements. |
|
12 |
| ISO27001-2013 |
A.13.2.4 |
ISO27001-2013_A.13.2.4 |
ISO 27001:2013 A.13.2.4 |
Communications Security |
Confidentiality or non-disclosure agreements |
Shared |
n/a |
Requirements for confidentiality or non-disclosure agreements reflecting the organization's needs for the protection of information shall be identified, regularly reviewed and documented. |
link |
14 |
| ISO27001-2013 |
A.15.1.2 |
ISO27001-2013_A.15.1.2 |
ISO 27001:2013 A.15.1.2 |
Supplier Relationships |
Addressing security within supplier agreement |
Shared |
n/a |
All relevant information security requirements shall be established and agreed with each supplier that may access, process, store, communicate, or provide IT infrastructure components for, the organization's information. |
link |
24 |
| ISO27001-2013 |
A.7.1.2 |
ISO27001-2013_A.7.1.2 |
ISO 27001:2013 A.7.1.2 |
Human Resources Security |
Terms and conditions of employment |
Shared |
n/a |
The contractual agreements with employees and contractors shall state their and the organization's responsibilities for information security. |
link |
24 |
| ISO27001-2013 |
A.7.2.1 |
ISO27001-2013_A.7.2.1 |
ISO 27001:2013 A.7.2.1 |
Human Resources Security |
Management responsibilities |
Shared |
n/a |
Management shall require all employees and contractors to apply information security in accordance with the established policies and procedures of the organization. |
link |
26 |
| ISO27001-2013 |
A.8.1.3 |
ISO27001-2013_A.8.1.3 |
ISO 27001:2013 A.8.1.3 |
Asset Management |
Acceptable use of assets |
Shared |
n/a |
Rules for the acceptable use of information and of assets associated with information processing facilities shall be identified, documented and implemented |
link |
2 |
| ISO27001-2013 |
C.7.3.a |
ISO27001-2013_C.7.3.a |
ISO 27001:2013 C.7.3.a |
Support |
Awareness |
Shared |
n/a |
Persons doing work under the organization’s control shall be aware of:
a) the information security policy. |
link |
3 |
| ISO27001-2013 |
C.7.3.b |
ISO27001-2013_C.7.3.b |
ISO 27001:2013 C.7.3.b |
Support |
Awareness |
Shared |
n/a |
Persons doing work under the organization’s control shall be aware of:
b) their contribution to the effectiveness of the information security management system, including
the benefits of improved information security performance. |
link |
3 |
| ISO27001-2013 |
C.7.3.c |
ISO27001-2013_C.7.3.c |
ISO 27001:2013 C.7.3.c |
Support |
Awareness |
Shared |
n/a |
Persons doing work under the organization’s control shall be aware of:
c) the implications of not conforming with the information security management system requirements. |
link |
3 |
|
mp.eq.1 Clear desk |
mp.eq.1 Clear desk |
404 not found |
|
|
|
n/a |
n/a |
|
19 |
|
mp.info.2 Rating of information |
mp.info.2 Rating of information |
404 not found |
|
|
|
n/a |
n/a |
|
45 |
|
mp.per.1 Job characterization |
mp.per.1 Job characterization |
404 not found |
|
|
|
n/a |
n/a |
|
41 |
|
mp.per.2 Duties and obligations |
mp.per.2 Duties and obligations |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
mp.per.3 Awareness |
mp.per.3 Awareness |
404 not found |
|
|
|
n/a |
n/a |
|
15 |
|
mp.s.1 E-mail protection |
mp.s.1 E-mail protection |
404 not found |
|
|
|
n/a |
n/a |
|
48 |
|
mp.si.3 Custody |
mp.si.3 Custody |
404 not found |
|
|
|
n/a |
n/a |
|
27 |
| NIST_SP_800-53_R4 |
PL-4 |
NIST_SP_800-53_R4_PL-4 |
NIST SP 800-53 Rev. 4 PL-4 |
Planning |
Rules Of Behavior |
Shared |
n/a |
The organization:
a. Establishes and makes readily available to individuals requiring access to the information system, the rules that describe their responsibilities and expected behavior with regard to information and information system usage;
b. Receives a signed acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
c. Reviews and updates the rules of behavior [Assignment: organization-defined frequency]; and d. Requires individuals who have signed a previous version of the rules of behavior to read and
resign when the rules of behavior are revised/updated.
Supplemental Guidance: This control enhancement applies to organizational users. Organizations consider rules of behavior based on individual user roles and responsibilities, differentiating, for example, between rules that apply to privileged users and rules that apply to general users. Establishing rules of behavior for some types of non-organizational users including, for example, individuals who simply receive data/information from federal information systems, is often not feasible given the large number of such users and the limited nature of their interactions with the systems. Rules of behavior for both organizational and non-organizational users can also be established in AC-8, System Use Notification. PL-4 b. (the signed acknowledgment portion of this control) may be satisfied by the security awareness training and role-based security training programs conducted by organizations if such training includes rules of behavior. Organizations can use electronic signatures for acknowledging rules of behavior. Related controls: AC-2, AC-6, AC-8, AC-9, AC-17, AC-18, AC-19, AC-20, AT-2, AT-3, CM-11, IA-2, IA-4, IA-5, MP-7, PS-6, PS-8, SA-5.
References: NIST Special Publication 800-18. |
link |
9 |
| NIST_SP_800-53_R4 |
PS-6 |
NIST_SP_800-53_R4_PS-6 |
NIST SP 800-53 Rev. 4 PS-6 |
Personnel Security |
Access Agreements |
Shared |
n/a |
The organization:
a. Develops and documents access agreements for organizational information systems;
b. Reviews and updates the access agreements [Assignment: organization-defined frequency]; and
c. Ensures that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when access agreements have been updated or [Assignment: organization-defined frequency].
Supplemental Guidance: Access agreements include, for example, nondisclosure agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements. Signed access agreements include an acknowledgement that individuals have read, understand, and agree to abide by the constraints associated with organizational information systems to which access is authorized. Organizations can use electronic signatures to acknowledge access agreements unless specifically prohibited by organizational policy. Related control: PL-4, PS-2, PS-3, PS-4, PS-8.
References: None. |
link |
5 |
| NIST_SP_800-53_R5 |
PL-4 |
NIST_SP_800-53_R5_PL-4 |
NIST SP 800-53 Rev. 5 PL-4 |
Planning |
Rules of Behavior |
Shared |
n/a |
a. Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
b. Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system;
c. Review and update the rules of behavior [Assignment: organization-defined frequency]; and
d. Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge [Selection (OneOrMore): [Assignment: organization-defined frequency] ;when the rules are revised or updated] . |
link |
9 |
| NIST_SP_800-53_R5 |
PS-6 |
NIST_SP_800-53_R5_PS-6 |
NIST SP 800-53 Rev. 5 PS-6 |
Personnel Security |
Access Agreements |
Shared |
n/a |
a. Develop and document access agreements for organizational systems;
b. Review and update the access agreements [Assignment: organization-defined frequency]; and
c. Verify that individuals requiring access to organizational information and systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational systems when access agreements have been updated or [Assignment: organization-defined frequency]. |
link |
5 |
|
op.exp.1 Asset inventory |
op.exp.1 Asset inventory |
404 not found |
|
|
|
n/a |
n/a |
|
40 |
|
op.ext.1 Contracting and service level agreements |
op.ext.1 Contracting and service level agreements |
404 not found |
|
|
|
n/a |
n/a |
|
35 |
|
op.nub.1 Cloud service protection |
op.nub.1 Cloud service protection |
404 not found |
|
|
|
n/a |
n/a |
|
33 |
|
op.pl.2 Security Architecture |
op.pl.2 Security Architecture |
404 not found |
|
|
|
n/a |
n/a |
|
65 |
|
op.pl.5 Certified components |
op.pl.5 Certified components |
404 not found |
|
|
|
n/a |
n/a |
|
26 |
|
org.2 Security regulations |
org.2 Security regulations |
404 not found |
|
|
|
n/a |
n/a |
|
100 |
|
org.3 Security procedures |
org.3 Security procedures |
404 not found |
|
|
|
n/a |
n/a |
|
83 |
|
org.4 Authorization process |
org.4 Authorization process |
404 not found |
|
|
|
n/a |
n/a |
|
126 |
| PCI_DSS_v4.0 |
12.2.1 |
PCI_DSS_v4.0_12.2.1 |
PCI DSS v4.0 12.2.1 |
Requirement 12: Support Information Security with Organizational Policies and Programs |
Acceptable use policies for end-user technologies are defined and implemented |
Shared |
n/a |
Acceptable use policies for end-user technologies are documented and implemented, including:
• Explicit approval by authorized parties.
• Acceptable uses of the technology.
• List of products approved by the company for employee use, including hardware and software. |
link |
4 |
| SOC_2 |
CC1.1 |
SOC_2_CC1.1 |
SOC 2 Type 2 CC1.1 |
Control Environment |
COSO Principle 1 |
Shared |
The customer is responsible for implementing this recommendation. |
Sets the Tone at the Top — The board of directors and management, at all levels,
demonstrate through their directives, actions, and behavior the importance of integrity and ethical values to support the functioning of the system of internal control.
• Establishes Standards of Conduct — The expectations of the board of directors and
senior management concerning integrity and ethical values are defined in the entity’s standards of conduct and understood at all levels of the entity and by outsourced service providers and business partners.
• Evaluates Adherence to Standards of Conduct — Processes are in place to evaluate
the performance of individuals and teams against the entity’s expected standards of
conduct.
• Addresses Deviations in a Timely Manner — Deviations from the entity’s expected
standards of conduct are identified and remedied in a timely and consistent manner |
|
8 |
| SOC_2 |
CC1.5 |
SOC_2_CC1.5 |
SOC 2 Type 2 CC1.5 |
Control Environment |
COSO Principle 5 |
Shared |
The customer is responsible for implementing this recommendation. |
• Enforces Accountability Through Structures, Authorities, and Responsibilities —
Management and the board of directors establish the mechanisms to communicate
and hold individuals accountable for performance of internal control responsibilities
across the entity and implement corrective action as necessary.
• Establishes Performance Measures, Incentives, and Rewards — Management and
the board of directors establish performance measures, incentives, and other rewards
appropriate for responsibilities at all levels of the entity, reflecting appropriate dimensions of performance and expected standards of conduct, and considering the
achievement of both short-term and longer-term objectives.
• Evaluates Performance Measures, Incentives, and Rewards for Ongoing Relevance
— Management and the board of directors align incentives and rewards with the
fulfillment of internal control responsibilities in the achievement of objectives.
• Considers Excessive Pressures — Management and the board of directors evaluate
and adjust pressures associated with the achievement of objectives as they assign responsibilities, develop performance measures, and evaluate performance.
• Evaluates Performance and Rewards or Disciplines Individuals — Management and
the board of directors evaluate performance of internal control responsibilities, including adherence to standards of conduct and expected levels of competence, and Page 17
TSP
Ref. #
TRUST SERVICES CRITERIA AND POINTS OF FOCUS
provide rewards or exercise disciplinary action, as appropriate |
|
4 |
| SOC_2 |
CC2.2 |
SOC_2_CC2.2 |
SOC 2 Type 2 CC2.2 |
Communication and Information |
COSO Principle 14 |
Shared |
The customer is responsible for implementing this recommendation. |
• Communicates Internal Control Information — A process is in place to communicate required information to enable all personnel to understand and carry out their
internal control responsibilities.
• Communicates With the Board of Directors — Communication exists between
management and the board of directors so that both have information needed to fulfill their roles with respect to the entity’s objectives.
• Provides Separate Communication Lines — Separate communication channels,
such as whistle-blower hotlines, are in place and serve as fail-safe mechanisms to
enable anonymous or confidential communication when normal channels are inoperative or ineffective.
• Selects Relevant Method of Communication — The method of communication considers the timing, audience, and nature of • Communicates Responsibilities — Entity personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their
responsibilities, and have the information necessary to carry out those responsibilities.
• Communicates Information on Reporting Failures, Incidents, Concerns, and Other
Matters — Entity personnel are provided with information on how to report systems
failures, incidents, concerns, and other complaints to personnel.
• Communicates Objectives and Changes to Objectives — The entity communicates
its objectives and changes to those objectives to personnel in a timely manner.
• Communicates Information to Improve Security Knowledge and Awareness — The
entity communicates information to improve security knowledge and awareness and
to model appropriate security behaviors to personnel through a security awareness
training program |
|
9 |