Policy. FedRAMP Security Assessment Plan (SAP) Template, Policy and Procedures Security Controls

POLICY. FedRAMP Security Assessment Plan (SAP) Template, Policy Control Overview.xlsx

FedRAMP Security Assessment Plan (SAP) Template
Policy Control Extract

Table of Contents

Access Control (AC)
Awareness and Training (AT)
Audit and Accountability (AU)
Security Assessment and Authorization (CA)
Configuration Management (CM)
Contingency Planning (CP)
Identification and Authentication (IA)
Incident Response (IR)
Maintenance (MA)
Media Protection (MP)
Physical and Environmental Protection (PE)
Planning (PL)
Personnel Security (PS)
Risk Assessment (RA)
System and Services Acquisition (SA)
System and Communications Protection (SC)
System and Information Integrity (SI)

1. Access Control (AC)

1.1. AC-1

Examine information security program documentation for evidence that the organization access control policy is reviewed and updated at least every three years.

Examine organization access control policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the access control policy and associated access controls and that the procedures are reviewed and updated at least annually.

Examine organization access control policy and procedures, or other relevant documents, for the organization elements having associated access control roles and responsibilities and to which the access control policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the access control policy was disseminated to the organizational elements.

Examine information security program documentation for the organization access control procedures.

Examine organization access control procedures for evidence that the procedures facilitate implementation of the access control policy and associated access controls.

Examine organization access control policy and procedures, or other relevant documents, for the organization elements having associated access control roles and responsibilities and to which the access control procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the access control policy is reviewed and updated at least every three years, and the procedures at least annually.

2. Awareness and Training (AT)

2.1. AT-1

Examine information security program documentation for the organization security awareness and training policy and that the security awareness and training policy is reviewed and updated at least every three years.

Examine organization security awareness and training policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the security awareness and training policy and associated security awareness and training controls and that the procedures are reviewed and updated at least annually.

Examine organization security awareness and training policy and procedures, or other relevant documents, for the organization elements having associated security awareness and training roles and responsibilities and to which the security awareness and training policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the security awareness and training policy was disseminated to the organizational elements.

Examine information security program documentation for the organization security awareness and training procedures.

Examine organization security awareness and training procedures for evidence that the procedures facilitate implementation of the security awareness and training policy and associated security awareness and training controls.

Examine organization security awareness and training policy and procedures, or other relevant documents, for the organization elements having associated security awareness and training roles and responsibilities and to which the security awareness and training procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the security awareness and training policy is reviewed and updated at least every three years, and the procedures at least annually.

3. Audit and Accountability (AU)

3.1. AU-1

Examine information security program documentation for the organization audit and accountability policy and that the audit and accountability policy is reviewed and updated at least every three years.

Examine organization audit and accountability policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the audit and accountability policy and that the procedures are reviewed and updated at least annually.

Examine organization audit and accountability policy and procedures, or other relevant documents, for the organization elements having associated audit and accountability roles and responsibilities and to which the audit and accountability policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the audit and accountability policy was disseminated to the organizational elements.

Examine information security program documentation for the organization audit and accountability procedures.

Examine organization audit and accountability procedures for evidence that the procedures facilitate implementation of the audit and accountability policy and associated audit and accountability controls.

Examine organization audit and accountability policy and procedures, or other relevant documents, for the organization elements having associated audit and accountability roles and responsibilities and to which the audit and accountability procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the audit and accountability policy is reviewed and updated at least every three years, and the procedures at least annually.

4. Security Assessment and Authorization (CA)

4.1. CA-1

Examine information security program documentation for the organization security assessment and authorization policy and that the security assessment and authorization policy is reviewed and updated at least every three years.

Examine organization security assessment and authorization policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the security assessment and authorization policy and that the procedures are reviewed and updated at least annually.

Examine organization security assessment and authorization policy and procedures, or other relevant documents, for the organization elements having associated security assessment and authorization roles and responsibilities and to which the security assessment and authorization policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the security assessment and authorization policy was disseminated to the organizational elements.

Examine information security program documentation for the organization security assessment and authorization procedures.

Examine organization security assessment and authorization procedures for evidence that the procedures facilitate implementation of the security assessment and authorization policy and associated security assessment and authorization controls.

Examine organization security assessment and authorization policy and procedures, or other relevant documents, for the organization elements having associated security assessment and authorization roles and responsibilities and to which the security assessment and authorization procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the security assessment and authorization policy is reviewed and updated at least every three years, and the procedures at least annually.

5. Configuration Management (CM)

5.1. CM-1

Examine configuration management documentation for evidence that the organization configuration management policy is reviewed and updated at least every three years.

Examine organization configuration management policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the configuration management policy and associated configuration management controls and that the procedures are reviewed and updated at least annually.

Examine organization configuration management policy and procedures, or other relevant documents, for the organization elements having associated configuration management roles and responsibilities and to which the configuration management policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the configuration management policy was disseminated to the organizational elements.

Examine configuration management documentation for the organization configuration management procedures.

Examine organization configuration management procedures for evidence that the procedures facilitate implementation of the configuration management policy and associated configuration management controls.

Examine organization configuration management policy and procedures, or other relevant documents, for the organization elements having associated configuration management roles and responsibilities and to which the configuration management procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the configuration management policy is reviewed and updated at least every three years, and the procedures at least annually.

6. Contingency Planning (CP)

6.1. CP-1

Examine information security program documentation for the organization contingency planning policy and that the contingency planning policy is reviewed and updated at least every three years.

Examine organization contingency planning policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the contingency planning policy and that the procedures are reviewed and updated at least annually.

Examine organization contingency planning policy and procedures, or other relevant documents, for the organization elements having associated contingency planning roles and responsibilities and to which the contingency planning policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the contingency planning policy was disseminated to the organizational elements.

Examine information security program documentation for the organization contingency planning procedures.

Examine organization contingency planning procedures for evidence that the procedures facilitate implementation of the contingency planning policy and associated contingency planning controls.

Examine organization contingency planning policy and procedures, or other relevant documents, for the organization elements having associated contingency planning roles and responsibilities and to which the contingency planning procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the contingency planning policy is reviewed and updated at least every three years, and the procedures at least annually.

7. Identification and Authentication (IA)

7.1. IA-1

Examine information security program documentation for the organization identification and authentication policy and that the identification and authentication policy is reviewed and updated at least every three years.

Examine organization identification and authentication policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the identification and authentication policy and that the procedures are reviewed and updated at least annually.

Examine organization identification and authentication policy and procedures, or other relevant documents, for the organization elements having associated identification and authentication roles and responsibilities and to which the identification and authentication policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the identification and authentication policy was disseminated to the organizational elements.

Examine information security program documentation for the organization identification and authentication procedures.

Examine organization identification and authentication procedures for evidence that the procedures facilitate implementation of the identification and authentication policy and associated identification and authentication controls.

Examine organization identification and authentication policy and procedures, or other relevant documents, for the organization elements having associated identification and authentication roles and responsibilities and to which the identification and authentication procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the identification and authentication policy is reviewed and updated at least every three years, and the procedures at least annually.

8. Incident Response (IR)

8.1. IR-1

Examine information security program documentation for the organization incident response policy and that the incident response policy is reviewed and updated at least every three years.

Examine organization incident response policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the incident response policy and that the procedures are reviewed and updated at least annually.

Examine organization incident response policy and procedures, or other relevant documents, for the organization elements having associated incident response roles and responsibilities and to which the incident response policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the incident response policy was disseminated to the organizational elements.

Examine information security program documentation for the organization incident response procedures.

Examine organization incident response procedures for evidence that the procedures facilitate implementation of the incident response policy and associated incident response controls.

Examine organization incident response policy and procedures, or other relevant documents, for the organization elements having associated incident response roles and responsibilities and to which the incident response procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the incident response policy is reviewed and updated at least every three years, and the procedures at least annually.

9. Maintenance (MA)

9.1. MA-1

Examine information security program documentation for the organization system maintenance policy and that the system maintenance policy is reviewed and updated at least every three years.

Examine organization system maintenance policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the system maintenance policy and that the procedures are reviewed and updated at least annually.

Examine organization system maintenance policy and procedures, or other relevant documents, for the organization elements having associated system maintenance roles and responsibilities and to which the system maintenance policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the system maintenance policy was disseminated to the organizational elements.

Examine information security program documentation for the organization system maintenance procedures.

Examine organization system maintenance procedures for evidence that the procedures facilitate implementation of the system maintenance policy and associated system maintenance controls.

Examine organization system maintenance policy and procedures, or other relevant documents, for the organization elements having associated system maintenance roles and responsibilities and to which the system maintenance procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the system maintenance policy is reviewed and updated at least every three years, and the procedures at least annually.

10. Media Protection (MP)

10.1. MP-1

Examine information security program documentation for the organization media protection policy and that the media protection policy is reviewed and updated at least every three years.

Examine organization media protection policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the media protection policy and that the procedures are reviewed and updated at least annually.

Examine organization media protection policy and procedures, or other relevant documents, for the organization elements having associated media protection roles and responsibilities and to which the media protection policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the media protection policy was disseminated to the organizational elements.

Examine information security program documentation for the organization media protection procedures.

Examine organization media protection procedures for evidence that the procedures facilitate implementation of the media protection policy and associated media protection controls.

Examine organization media protection policy and procedures, or other relevant documents, for the organization elements having associated media protection roles and responsibilities and to which the media protection procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the media protection policy is reviewed and updated at least every three years, and the procedures at least annually.

11. Physical and Environmental Protection (PE)

11.1. PE-1

Examine information security program documentation for the organization physical and environmental protection policy and that the physical and environmental protection policy is reviewed and updated at least every three years.

Examine organization physical and environmental protection policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the physical and environmental protection policy and that the procedures are reviewed and updated at least annually.

Examine organization physical and environmental protection policy and procedures, or other relevant documents, for the organization elements having associated physical and environmental protection roles and responsibilities and to which the physical and environmental protection policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the physical and environmental protection policy was disseminated to the organizational elements.

Examine information security program documentation for the organization physical and environmental protection procedures.

Examine organization physical and environmental protection procedures for evidence that the procedures facilitate implementation of the physical and environmental protection policy and associated physical and environmental protection controls.

Examine organization physical and environmental protection policy and procedures, or other relevant documents, for the organization elements having associated physical and environmental protection roles and responsibilities and to which the physical and environmental protection procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the physical and environmental protection policy is reviewed and updated at least every three years, and the procedures at least annually.

12. Planning (PL)

12.1. PL-1

Examine information security program documentation for the organization security planning policy and that the security planning policy is reviewed and updated at least every three years.

Examine organization security planning policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the security planning policy and that the procedures are reviewed and updated at least annually.

Examine organization security planning policy and procedures, or other relevant documents, for the organization elements having associated security planning roles and responsibilities and to which the security planning policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the security planning policy was disseminated to the organizational elements.

Examine information security program documentation for the organization security planning procedures.

Examine organization security planning procedures for evidence that the procedures facilitate implementation of the security planning policy and associated security planning controls.

Examine organization security planning policy and procedures, or other relevant documents, for the organization elements having associated security planning roles and responsibilities and to which the security planning procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the security planning policy is reviewed and updated at least every three years, and the procedures at least annually.

13. Personnel Security (PS)

13.1. PS-1

Examine information security program documentation for the organization personnel security policy and that the personnel security policy is reviewed and updated at least every three years.

Examine organization personnel security policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the personnel security policy and for evidence that the procedures are reviewed and updated at least annually.

Examine organization personnel security policy and procedures, or other relevant documents, for the organization elements having associated personnel security roles and responsibilities and to which the personnel security policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the personnel security policy was disseminated to the organizational elements.

Examine information security program documentation for the organization personnel security procedures.

Examine organization personnel security procedures for evidence that the procedures facilitate implementation of the personnel security policy and associated personnel security controls.

Examine organization personnel security policy and procedures, or other relevant documents, for the organization elements having associated personnel security roles and responsibilities and to which the personnel security procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the personnel security policy is reviewed and updated at least every three years, and the procedures at least annually.

14. Risk Assessment (RA)

14.1. RA-1

Examine information security program documentation for the organization risk assessment policy and that the risk assessment policy is reviewed and updated at least every three years.

Examine organization risk assessment policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the risk assessment policy and that the procedures are reviewed and updated at least annually.

Examine organization risk assessment policy and procedures, or other relevant documents, for the organization elements having associated risk assessment roles and responsibilities and to which the risk assessment policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the risk assessment policy was disseminated to the organizational elements.

Examine information security program documentation for the organization risk assessment procedures.

Examine organization risk assessment procedures for evidence that the procedures facilitate implementation of the risk assessment policy and associated risk assessment controls.

Examine organization risk assessment policy and procedures, or other relevant documents, for the organization elements having associated risk assessment roles and responsibilities and to which the risk assessment procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the risk assessment policy is reviewed and updated at least every three years, and the procedures at least annually.

15. System and Services Acquisition (SA)

15.1. SA-1

Examine information security program documentation for the organization system and services acquisition policy and that the system and services acquisition policy is reviewed and updated at least every three years.

Examine organization system and services acquisition policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the system and services acquisition policy and that the procedures are reviewed and updated at least annually.

Examine organization system and services acquisition policy and procedures, or other relevant documents, for the organization elements having associated system and services acquisition roles and responsibilities and to which the system and services acquisition policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the system and services acquisition policy was disseminated to the organizational elements.

Examine information security program documentation for the organization system and services acquisition procedures.

Examine organization system and services acquisition procedures for evidence that the procedures facilitate implementation of the system and services acquisition policy and associated system and services acquisition controls.

Examine organization system and services acquisition policy and procedures, or other relevant documents, for the organization elements having associated system and services acquisition roles and responsibilities and to which the system and services acquisition procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the system and services acquisition policy is reviewed and updated at least every three years, and the procedures at least annually.

16. System and Communications Protection (SC)

16.1. SC-1

Examine information security program documentation for the organization system and communication protection policy and that the system and communication protection policy is reviewed and updated at least every three years.

Examine organization system and communication protection policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the system and communication protection policy and procedures are reviewed and updated at least annually.

Examine organization system and communication protection policy and procedures, or other relevant documents for the organization elements having associated system and communication protection roles and responsibilities and to which the system and communication protection policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the system and communication protection policy was disseminated to the organizational elements.

Examine organization system and communication protection procedures for evidence that the procedures facilitate implementation of the system and communication protection policy and associated system and communication protection controls.

Examine organization system and communication protection policy and procedures, or other relevant documents for the organization elements having associated system and communication protection roles and responsibilities and to which the system and communication protection procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the system and communication protection policy is reviewed and updated at least every three years, and the procedures at least annually.


17. System and Information Integrity (SI)

17.1. SI-1

Examine information security program documentation for the organization system and information integrity policy and that the system and information integrity policy is reviewed and updated at least every three years.

Examine organization system and information integrity policy for evidence that the policy addresses purpose, scope, roles and responsibilities, management commitment, coordination among organizational entities, and compliance.

Examine information system program documentation for procedures that facilitate the implementation of the system and information integrity policy and procedures are reviewed and updated at least annually.

Examine organization system and information integrity policy and procedures, or other relevant documents for the organization elements having associated system and information integrity roles and responsibilities and to which the system and information integrity policy is to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the system and information integrity policy was disseminated to the organizational elements.

Examine information security program documentation for the organization system and information integrity procedures.

Examine organization system and information integrity procedures for evidence that the procedures facilitate implementation of the system and information integrity policy and associated system and information integrity controls.

Examine organization system and information integrity policy and procedures, or other relevant documents for the organization elements having associated system and information integrity roles and responsibilities and to which the system and information integrity procedures are to be disseminated or otherwise made available.

Interview a sample of key organizational personnel within the organization elements for evidence that the system and information integrity policy is reviewed and updated at least every three years, and the procedures at least annually.
