Establish, implement, and maintain a baseline of internal controls.

CONTROL ID
12415
CONTROL TYPE
Business Processes
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS

This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an internal control framework., CC ID: 00820

This Control has the following implementation support Control(s):
  • Include the business need justification for excluding controls in the baseline of internal controls., CC ID: 16129
  • Include the implementation status of controls in the baseline of internal controls., CC ID: 16128


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH

  • Development/maintenance of a security and control framework that consists of standards, measures, practices and procedures (Information Security Governance ¶ 4 Bullet 3, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Effective risk management practices and internal controls should be instituted to achieve data confidentiality, system security, reliability, resiliency and recoverability in the organisation. (§ 4.0.2, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • More attacks may be targeted at FIs’ internet systems as financial services are increasingly being provided via the internet and more customers transact on this platform. As a counter-measure, the FI should devise a security strategy and put in place measures to ensure the confidentiality, integri… (§ 12.1.1, Monetary Authority of Singapore: Technology Risk Management Guidelines)
  • Effective risk management practices and internal controls should be instituted to achieve data confidentiality and integrity, system security and reliability, as well as stability and resilience in its IT operating environment. (§ 4.1.2, Technology Risk Management Guidelines, January 2021)
  • Safeguards must be implemented that allow information processing errors (which may compromise confidentiality, availability, or integrity), mistakes that are critical to security, and security incidents to be avoided as far as possible, to be limited in their impact, or at least noticed prematurely.… (§ 8.3 Subsection 2 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • One important item involves improving the practical feasibility of technical safeguards and organisational procedures so as to increase the acceptance of the security safeguards. Likewise, the formulation of suitable security safeguards should time and again be considered as to whether it is easily … (§ 8.4 ¶ 2, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Implementation: Suitable security safeguards must be specified and implemented for the basic requirements not met so far. (§ 6 ¶ 3 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The corresponding modules of the IT-Grundschutz Compendium must be selected and implemented to model a generally complex information domain according to IT-Grundschutz. In the IT-Grundschutz Compendium the modules are separated into process-oriented and system-oriented modules to facilitate selectio… (§ 6.2.1 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • This label only shows the reasonable temporal order for implementation of the respective requirements of the modules and does not represent a weighting of the modules with regard to each other. Basically, all modules of the IT-Grundschutz Compendium relevant for the corresponding information domain… (§ 6.2.2 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • As Core Protection focuses on the assets requiring particular protection, an increased protection need is to be assumed here basically. Thus, the basic and standard requirements specified in the relevant modules of the IT-Grundschutz Compendium must be implemented completely. Based on this, in case … (§ 7.1 ¶ 3, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Detailed documents on the structure of the information domain and the protection needs of its included target objects are a prerequisite for application of the IT-Grundschutz Compendium. Such information should be determined by using the work steps described above. Then, the modules of the IT-Grunds… (§ 8 Subsection 4 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • To enable the maintenance and continuous improvement of the information security process, you not only need to implement appropriate security safeguards and update documents continuously, but also need to test the IS process itself regularly in terms of its effectiveness and efficiency. In this case… (§ 10 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • These supplemental security safeguards must be documented and earmarked. The risks are monitored, and as soon as they are no longer acceptable, the earmarked supplemental security safeguards are checked, updated if necessary and included in the security concept. The risk classification is correspond… (§ 6.2 ¶ 2, The Federal Office for Information Security, BSI-Standard 200-3, Risk Analysis based on IT-Grundschutz, Version 1.0)
  • Encourage desirable conditions, events, and conduct and prevent those that are undesirable. (OCEG GRC Capability Model, v 3.0, P1.1 Establish Proactive Actions and Controls, OCEG GRC Capability Model, v 3.0)
  • The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations. (§ 3 Principle 16 Points of Focus: Establishes Baseline Understanding, COSO Internal Control - Integrated Framework (2013))
  • is appropriate to the purpose of the organization; (§ 5.2.1 ¶ 1 Bullet 1, ISO 19600:2014, Compliance Management Systems - Guidelines, 2014-12-15, Reviewed and confirmed in 2018)
  • set expectations for internal controls, compliance, risk management and risk taking; (§ 6.3.3.1.2 ¶ 1 e), ISO 37000:2021, Governance of organizations — Guidance, First Edition)
  • is appropriate to the purpose of the organization; (§ 5.2 ¶ 1 a), ISO 37301:2021 Compliance management systems — Requirements with guidance for use, First Edition, Edition 1)
  • The organization shall take into account the hierarchy of controls (see 8.1.2) and outputs from the OH&S management system when planning to take action. (§ 6.1.4 ¶ 2, ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • use engineering controls and reorganization of work; (§ 8.1.2 ¶ 1 c), ISO 45001:2018, Occupational health and safety management systems — Requirements with guidance for use, First Edition)
  • is appropriate to the purpose of the organization; (§ 5.2 ¶ 1 a), ISO/DIS 37301, Compliance management systems — Requirements with guidance for use, DRAFT)
  • The organization should identify controls relevant to either the development or use of AI, or both. Controls should be identified during the risk management activities and documented (in internal systems, procedures, audit reports, etc.). (§ 6.4.2.5 ¶ 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • the necessary controls (see 6.1.3 b) and c)); (§ 6.1.3 ¶ 1 d) Bullet 1, ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • produce a Statement of Applicability that contains: (§ 6.1.3 ¶ 1 d), ISO/IEC 27001:2022, Information security, cybersecurity and privacy protection — Information security management systems — Requirements)
  • the necessary controls [see ISO/IEC 27001:2013, 6.1.3 b) and c)]: (§ 5.4.1.3 ¶ 6 Bullet 1, ISO/IEC 27701:2019, Security techniques - Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management - Requirements and guidelines)
  • Establish, document, and publish organizationally-tailored control baselines and/or Cybersecurity Framework Profiles. (TASK P-4, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • Identify, document, and publish organization-wide common controls that are available for inheritance by organizational systems. (TASK P-5, Risk Management Framework for Information Systems and Organizations, A System Life Cycle Approach for Security and Privacy, NIST SP 800-37, Revision 2)
  • The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations. (CC4.1 ¶ 3 Bullet 3 Establishes Baseline Understanding, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • As discussed beginning in paragraph 2.56, service organization management may document controls in a variety of ways. The nature and extent of documentation usually varies, depending on the size and complexity of the service organization and its monitoring activities. In some cases, the service audi… (¶ 3.97, Reporting on Controls at a Service Organization: Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (SOC2), current as of January 1, 2018)
  • The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations. (CC4.1 Establishes Baseline Understanding, Trust Services Criteria)
  • The design and current state of an internal control system are used to establish a baseline for ongoing and separate evaluations. (CC4.1 ¶ 3 Bullet 3 Establishes Baseline Understanding, Trust Services Criteria, (includes March 2020 updates))
  • Tailor the selected control baseline by applying specified tailoring actions. (PL-11 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Select a control baseline for the system. (PL-10 Control, FedRAMP Security Controls High Baseline, Version 5)
  • Tailor the selected control baseline by applying specified tailoring actions. (PL-11 Control, FedRAMP Security Controls Low Baseline, Version 5)
  • Select a control baseline for the system. (PL-10 Control, FedRAMP Security Controls Low Baseline, Version 5)
  • Tailor the selected control baseline by applying specified tailoring actions. (PL-11 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Select a control baseline for the system. (PL-10 Control, FedRAMP Security Controls Moderate Baseline, Version 5)
  • Because of the diverse purposes that authorized disclosures may be made to an agency and the division of responsibilities among different components of an agency, FTI may be received and used by several quasi-independent units within the agency’s organizational structure. Where there is such a dis… (1.5 ¶ 1, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • As a condition of receiving FTI, the receiving agency must show, to the satisfaction of the IRS, the ability to protect the confidentiality of that information. Certain safeguards must be implemented to prevent unauthorized access and use. Besides written requests, the IRS may require formal agreeme… (1.1 ¶ 2, Internal Revenue Service, Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies, Rev. 11-2021)
  • Tailor the selected control baseline by applying specified tailoring actions. (PL-11 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Select a control baseline for the system. (PL-10 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, High Impact Baseline, October 2020)
  • Select a control baseline for the system. (PL-10 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Tailor the selected control baseline by applying specified tailoring actions. (PL-11 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Low Impact Baseline, October 2020)
  • Tailor the selected control baseline by applying specified tailoring actions. (PL-11 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Select a control baseline for the system. (PL-10 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Moderate Impact Baseline, October 2020)
  • Centrally manage [Assignment: organization-defined controls and related processes]. (PL-9 Control, Control Baselines for Information Systems and Organizations, NIST SP 800-53B, Privacy Control Baseline, October 2020)
  • Develop policies and procedures, guidance, and constraints. (Level 2 Mission and Business Process Activities Bullet 2, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Cybersecurity supply chain risk management builds on existing standardized practices in multiple disciplines and an ever-evolving set of C-SCRM capabilities. C-SCRM Key Practices are meant to specifically emphasize and draw attention to a subset of the C-SCRM practices described throughout this publ… (3.4 ¶ 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • Select a control baseline for the system. (PL-10 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Baseline Controls)
  • Centrally manage [Assignment: organization-defined controls and related processes]. (PL-9 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 1 Controls)
  • Centrally manage [Assignment: organization-defined controls and related processes]. (PL-9 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Select a control baseline for the system. (PL-10 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 2 Controls)
  • Select a control baseline for the system. (PL-10 Control, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1, Appendix A, C-SCRM Level 3 Controls)
  • Maintain baseline system security according to organizational policies. (T0136, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • In order to determine whether cyber resiliency improvement is needed, the baseline for the system (as it is understood at the stage in the life cycle when the cyber resiliency analysis is performed) must be established. (3.2.2 ¶ 1, NIST SP 800-160, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Volume 2, Revision 1)
  • Maintain baseline system security according to organizational policies. (T0136, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • The organization centrally manages [Assignment: organization-defined security controls and related processes]. (PL-9 Control, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Centrally manage [Assignment: organization-defined controls and related processes]. (PL-9 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Tailor the selected control baseline by applying specified tailoring actions. (PL-11 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Select a control baseline for the system. (PL-10 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Centrally manage [Assignment: organization-defined controls and related processes]. (PL-9 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Tailor the selected control baseline by applying specified tailoring actions. (PL-11 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Select a control baseline for the system. (PL-10 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)
  • Develops methods to document, monitor, and maintain valid provenance baselines for systems and components of the information system or component and the ICT supply chain infrastructure; (PV-2b., Supply Chain Risk Management Practices for Federal Information Systems and Organizations, NIST Special Publication 800-161, April 2015)
  • Management develops and maintains documentation of its internal control system. (Section IV (A) ¶ 1 Bullet 2, OMB Circular No. A-123, Management’s Responsibility for Enterprise Risk Management and Internal Control)
  • PREVENT ABUSE OF U.S.-BASED INFRASTRUCTURE (STRATEGIC OBJECTIVE 2.4, National Cybersecurity Strategy)
  • PREVENT ABUSE OF U.S.-BASED INFRASTRUCTURE (STRATEGIC OBJECTIVE 2.4, National Cybersecurity Strategy (Condensed))
  • Identify applicable security controls and connection requirements in State Standards and/or Procedures. (REQUIREMENTS: Information Services Division: ¶ 1, Policy 641: External Connections, 641-00)