Objective
To continuously monitor the effectiveness of controls implemented in support of Nested Knowledge policies.
Procedure
- Policy Inventory: The organization maintains an inventory of security-related policies, and controls under said policies, that are critical for achieving its objectives.
- Policy Owner Assignment: Each identified policy is assigned an owner, typically someone responsible for the process or activity associated with controls under the policy.
- Annual Control Assessment: Policy owners review the design and operating effectiveness of their controls on an annual basis. Control assessment coincides with employee policy training.
- Continuous Testing and Evidence: For the Secure Development, Backup, Penetration Testing, and Cloud Security policies, policy owners store evidence of control effectiveness. This may include screenshots, documented procedures, transaction records, and test results. This evidence is retained for a period of one year.
- Reporting: As needed, policy owners will summarize their findings, including successful compliance and deficiencies, to the combined CEO/CTO/COO committee.
- Deficiency Resolution: If deficiencies or weaknesses are identified, the control owners are responsible for developing and implementing action plans to address these issues.
Revision History
| Author | Date of Revision/Review | Comments |
|---|---|---|
| K. Cowie | 12/16/2025 | Reviewed |
| K. Cowie | 10/14/2024 | Reviewed |
| K. Holub | 02/24/2023 | Drafted |