The following compliance controls are associated with this Policy definition 'Employ independent assessors to conduct security control assessments' (b65c5d8e-9043-9612-2c17-65f231d763bb):
| Control Domain | Control | Name | MetadataId | Category | Title | Owner | Requirements | Description | Info | Policy# |
|---|---|---|---|---|---|---|---|---|---|---|
| FedRAMP_High_R4 | CA-2(1) | FedRAMP_High_R4_CA-2(1) | FedRAMP High CA-2 (1) | Security Assessment And Authorization | Independent Assessors | Shared | n/a | The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments. Supplemental Guidance: Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments. | link | 1 |
| FedRAMP_Moderate_R4 | CA-2(1) | FedRAMP_Moderate_R4_CA-2(1) | FedRAMP Moderate CA-2 (1) | Security Assessment And Authorization | Independent Assessors | Shared | n/a | The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments. Supplemental Guidance: Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments. | link | 1 |
| hipaa | 0125.05a3Organizational.2-05.a | hipaa-0125.05a3Organizational.2-05.a | 0125.05a3Organizational.2-05.a | 01 Information Protection Program | 0125.05a3Organizational.2-05.a 05.01 Internal Organization | Shared | n/a | Annual risk assessments are performed by an independent organization. | | 8 |
| hipaa | 0177.05h1Organizational.12-05.h | hipaa-0177.05h1Organizational.12-05.h | 0177.05h1Organizational.12-05.h | 01 Information Protection Program | 0177.05h1Organizational.12-05.h 05.01 Internal Organization | Shared | n/a | An independent review of the organization's information security management program is initiated by management to ensure the continuing suitability, adequacy, and effectiveness of the organization's approach to managing information security. | | 5 |
| hipaa | 0604.06g2Organizational.2-06.g | hipaa-0604.06g2Organizational.2-06.g | 0604.06g2Organizational.2-06.g | 06 Configuration Management | 0604.06g2Organizational.2-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Shared | n/a | The organization has developed a continuous monitoring strategy and implemented a continuous monitoring program. | | 7 |
| hipaa | 0662.09sCSPOrganizational.2-09.s | hipaa-0662.09sCSPOrganizational.2-09.s | 0662.09sCSPOrganizational.2-09.s | 06 Configuration Management | 0662.09sCSPOrganizational.2-09.s 09.08 Exchange of Information | Shared | n/a | Cloud service providers use an industry-recognized virtualization platform and standard virtualization formats (e.g., Open Virtualization Format, OVF) to help ensure interoperability, and has documented custom changes made to any hypervisor in use and all solution-specific virtualization hooks available for customer review. | | 3 |
| hipaa | 068.06g2Organizational.34-06.g | hipaa-068.06g2Organizational.34-06.g | 068.06g2Organizational.34-06.g | 06 Configuration Management | 068.06g2Organizational.34-06.g 06.02 Compliance with Security Policies and Standards, and Technical Compliance | Shared | n/a | The organization employs assessors or assessment teams with a level of independence appropriate to its continuous monitoring strategy to monitor the security controls in the information system on an ongoing basis. | | 6 |
| hipaa | 0914.09s1Organizational.6-09.s | hipaa-0914.09s1Organizational.6-09.s | 0914.09s1Organizational.6-09.s | 09 Transmission Protection | 0914.09s1Organizational.6-09.s 09.08 Exchange of Information | Shared | n/a | The organization ensures that communication protection requirements, including the security of exchanges of information, are the subject of policy development and compliance audits. | | 6 |
| hipaa | 1796.10a2Organizational.15-10.a | hipaa-1796.10a2Organizational.15-10.a | 1796.10a2Organizational.15-10.a | 17 Risk Management | 1796.10a2Organizational.15-10.a 10.01 Security Requirements of Information Systems | Shared | n/a | Commercial products other than operating system software used to store and/or process covered information undergo a security assessment and/or security certification by a qualified assessor prior to implementation. | | 6 |
| ISO27001-2013 | C.9.2.e | ISO27001-2013_C.9.2.e | ISO 27001:2013 C.9.2.e | Performance Evaluation | Internal audit | Shared | n/a | The organization shall conduct internal audits at planned intervals to provide information on whether the information security management system: e) select auditors and conduct audits that ensure objectivity and the impartiality of the audit process. | link | 5 |
| NIST_SP_800-53_R4 | CA-2(1) | NIST_SP_800-53_R4_CA-2(1) | NIST SP 800-53 Rev. 4 CA-2 (1) | Security Assessment And Authorization | Independent Assessors | Shared | n/a | The organization employs assessors or assessment teams with [Assignment: organization-defined level of independence] to conduct security control assessments. Supplemental Guidance: Independent assessors or assessment teams are individuals or groups who conduct impartial assessments of organizational information systems. Impartiality implies that assessors are free from any perceived or actual conflicts of interest with regard to the development, operation, or management of the organizational information systems under assessment or to the determination of security control effectiveness. To achieve impartiality, assessors should not: (i) create a mutual or conflicting interest with the organizations where the assessments are being conducted; (ii) assess their own work; (iii) act as management or employees of the organizations they are serving; or (iv) place themselves in positions of advocacy for the organizations acquiring their services. Independent assessments can be obtained from elements within organizations or can be contracted to public or private sector entities outside of organizations. Authorizing officials determine the required level of independence based on the security categories of information systems and/or the ultimate risk to organizational operations, organizational assets, or individuals. Authorizing officials also determine if the level of assessor independence provides sufficient assurance that the results are sound and can be used to make credible, risk-based decisions. This includes determining whether contracted security assessment services have sufficient independence, for example, when information system owners are not directly involved in contracting processes or cannot unduly influence the impartiality of assessors conducting assessments. In special situations, for example, when organizations that own the information systems are small or organizational structures require that assessments are conducted by individuals that are in the developmental, operational, or management chain of system owners, independence in assessment processes can be achieved by ensuring that assessment results are carefully reviewed and analyzed by independent teams of experts to validate the completeness, accuracy, integrity, and reliability of the results. Organizations recognize that assessments performed for purposes other than direct support to authorization decisions are, when performed by assessors with sufficient independence, more likely to be useable for such decisions, thereby reducing the need to repeat assessments. | link | 1 |
| NIST_SP_800-53_R5 | CA-2(1) | NIST_SP_800-53_R5_CA-2(1) | NIST SP 800-53 Rev. 5 CA-2 (1) | Assessment, Authorization, and Monitoring | Independent Assessors | Shared | n/a | Employ independent assessors or assessment teams to conduct control assessments. | link | 1 |