Objective
To continuously monitor the effectiveness of controls implemented in support of Nested Knowledge policies.
Procedure
- Policy Inventory: The organization maintains an inventory of security-related policies, and controls under said policies, that are critical for achieving its objectives.
- Policy Owner Assignment: Each identified policy is assigned an owner, typically someone responsible for the process or activity associated with controls under the policy.
- Control Assessment: Policy owners assess the design and operating effectiveness of their controls on an annual basis. Control assessment coincides with employee policy training.
- Testing and Evidence: Policy owners provide evidence to support their assessments. This may include screenshots, documented procedures, transaction records, and test results. These findings will be stored for a period of 1 year.
- Reporting: Policy owners summarize their findings, including successful compliance and deficiencies, to the combined CEO/CTO/COO committee.
- Deficiency Resolution: If deficiencies or weaknesses are identified, the control owners are responsible for developing and implementing action plans to address these issues.
Revision History
Author | Date of Revision/Review | Comments |
---|---|---|
K. Cowie | 10/14/2024 | Reviewed |
K. Holub | 02/24/2023 | Drafted |