Policy, Procedure, and Audit Status
This site consolidates all documents related to the Sample Organization Compliance Program
Control Tracking
Satisfied Controls
38
Total Controls
38
Narratives provide an overview of the organization and the compliance environment.
| Name | Acronym | TSC Satisfied | |
|---|---|---|---|
| Control Environment Narrative | CEN |
CC2.1
CC2.2
CC2.3
CC4.1
CC4.2
CC5.1
CC5.2
CC5.3
|
Sample-CEN.pdf |
| Organizational Narrative | ON |
CC1.2
CC1.3
CC1.4
CC1.5
CC3.1
CC3.2
CC3.3
|
Sample-ON.pdf |
| Products and Services Narrative | PSN | Sample-PSN.pdf | |
| Security Architecture Narrative | SEN |
CC6.6
CC6.7
CC7.1
CC7.2
|
Sample-SEN.pdf |
| System Architecture Narrative | SAN | Sample-SAN.pdf |
Policies govern the behavior of Sample Organization employees and contractors.
| Name | Acronym | TSC Satisfied | |
|---|---|---|---|
| Access Onboarding and Termination Policy | AOTP |
CC6.1
CC6.2
CC6.3
|
Sample-AOTP.pdf |
| Application Security Policy | ASP |
CC6.2
|
Sample-ASP.pdf |
| Availability Policy | AP |
A1.1
CC9.1
|
Sample-AP.pdf |
| System Change Policy | SCP |
CC8.1
CC3.4
|
Sample-SCP.pdf |
| Data Classification Policy | DCP |
CC9.9
|
Sample-DCP.pdf |
| Code of Conduct Policy | COCP |
CC1.1
|
Sample-COCP.pdf |
| Confidentiality Policy | CP |
C1.1
C1.2
|
Sample-CP.pdf |
| Business Continuity Policy | BCP |
CC9.1
|
Sample-BCP.pdf |
| Cyber Risk Assessment Policy | CRP |
CC9.1
|
Sample-CRP.pdf |
| Datacenter Policy | DP |
CC6.4
|
Sample-DP.pdf |
| Software Development Lifecycle Policy | SDLCP |
CC8.1
|
Sample-SDLCP.pdf |
| Disaster Recovery Policy | DRP |
A1.2
A1.3
|
Sample-DRP.pdf |
| Encryption Policy | EP |
CC9.9
|
Sample-EP.pdf |
| Security Incident Response Policy | SIRP |
CC7.3
CC7.4
CC7.5
|
Sample-SIRP.pdf |
| Information Security Policy | ISP |
CC9.9
|
Sample-ISP.pdf |
| Log Management Policy | LMP |
CC7.2
|
Sample-LMP.pdf |
| Removable Media and Cloud Storage Policy | MCP |
CC6.7
|
Sample-MCP.pdf |
| Office Security Policy | OSP |
CC6.4
|
Sample-OSP.pdf |
| Password Policy | PWP |
CC9.9
|
Sample-PWP.pdf |
| Policy Training Policy | PTP |
CC9.9
|
Sample-PTP.pdf |
| Privacy Management Policy | PMP |
P1.1
P2.1
P3.1
P3.2
P4.1
P4.2
P4.3
P5.1
P5.2
P6.1
P6.2
P6.3
P6.4
P6.5
P6.6
P6.7
P7.1
P8.1
|
Sample-PMP.pdf |
| Processing Integrity Policy | PIP |
PI1.1
PI1.2
PI1.3
PI1.4
PI1.5
|
Sample-PIP.pdf |
| Remote Access Policy | REAP |
CC6.1
CC6.2
CC6.7
|
Sample-REAP.pdf |
| Data Retention Policy | RP |
CC1.2
CC6.5
P4.2
|
Sample-RP.pdf |
| Risk Assessment Policy | RIAP |
CC9.1
|
Sample-RIAP.pdf |
| Vendor Management Policy | VMP |
CC9.2
|
Sample-VMP.pdf |
| Workstation Policy | WP |
CC6.8
|
Sample-WP.pdf |
Procedures prescribe specific steps that are taken in response to key events.
| Name | ID | Schedule (cron format) |
|---|---|---|
| Offboard User | offboard | On demand |
| Onboard New User | onboard | On demand |
| Apply OS patches | patch | 0 0 0 15 * * |
| Collect Workstation Details | workstation | 0 0 0 15 4 * |
Standards specify the controls satisfied by the compliance program.
| Control Key | Name | Satisfied? | Satisfied By |
|---|---|---|---|
| A1.1 |
Capacity Planning
The entity maintains, monitors, and evaluates current processing capacity and use of system components (infrastructure, data, and software) to manage capacity demand and to enable the implementation of additional capacity to help meet its objectives
|
Yes | Sample-AP.pdf |
| A1.2 |
Backup and Recovery
The entity authorizes, designs, develops or acquires, implements, operates, approves, maintains, and monitors environmental protections, software, data back-up processes, and recovery infrastructure to meet its objectives
|
Yes | Sample-DRP.pdf |
| A1.3 |
Recovery Testing
The entity tests recovery plan procedures supporting system recovery to meet its objectives
|
Yes | Sample-DRP.pdf |
| C1.1 |
Confidential Information Identification
The entity identifies and maintains confidential information to meet the entity’s objectives related to confidentiality
|
Yes | Sample-CP.pdf |
| C1.2 |
Confidential Information Disposal
The entity disposes of confidential information to meet the entity’s objectives related to confidentiality.
|
Yes | Sample-CP.pdf |
| CC1.1 |
Integrity and Ethics
The entity demonstrates a commitment to integrity and ethical values
|
Yes | Sample-COCP.pdf |
| CC1.2 |
Board Independence
The board of directors demonstrates independence from management and exercises oversight of the development and performance of internal control
|
Yes | Sample-ON.pdf Sample-RP.pdf |
| CC1.3 |
Organizational Structure
Management establishes, with board oversight, structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives
|
Yes | Sample-ON.pdf |
| CC1.4 |
Hiring, Training and Retention
The entity demonstrates a commitment to attract, develop, and retain competent individuals in alignment with objectives
|
Yes | Sample-ON.pdf |
| CC1.5 |
Individual Accountability
The entity holds individuals accountable for their internal control responsibilities in the pursuit of objectives.
|
Yes | Sample-ON.pdf |
| CC2.1 |
Use of Information Systems
The entity obtains or generates and uses relevant, quality information to support the functioning of internal control
|
Yes | Sample-CEN.pdf |
| CC2.2 |
Use of Communication Systems, Internal
The entity internally communicates information, including objectives and responsibilities for internal control, necessary to support the functioning of internal control
|
Yes | Sample-CEN.pdf |
| CC2.3 |
Use of Communication Systems, External
The entity communicates with external parties regarding matters affecting the functioning of internal control
|
Yes | Sample-CEN.pdf |
| CC3.1 |
Objectives
The entity specifies objectives with sufficient clarity to enable the identification and assessment of risks relating to objectives
|
Yes | Sample-ON.pdf |
| CC3.2 |
Risk to Objectives
The entity identifies risks to the achievement of its objectives across the entity and analyzes risks as a basis for determining how the risks should be managed
|
Yes | Sample-ON.pdf |
| CC3.3 |
Fraud Risk to Objectives
The entity considers the potential for fraud in assessing risks to the achievement of objectives
|
Yes | Sample-ON.pdf |
| CC3.4 |
Impact of Changes
The entity identifies and assesses changes that could significantly impact the system of internal control
|
Yes | Sample-SCP.pdf |
| CC4.1 |
Monitoring
The entity selects, develops, and performs ongoing and/or separate evaluations to ascertain whether the components of internal control are present and functioning
|
Yes | Sample-CEN.pdf |
| CC4.2 |
Remediation
The entity evaluates and communicates internal control deficiencies in a timely manner to those parties responsible for taking corrective action, including senior management and the board of directors, as appropriate
|
Yes | Sample-CEN.pdf |
| CC5.1 |
Objective Risk Mitigation
The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels
|
Yes | Sample-CEN.pdf |
| CC5.2 |
Technology Controls
The entity also selects and develops general control activities over technology to support the achievement of objectives
|
Yes | Sample-CEN.pdf |
| CC5.3 |
Established Policies
The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action
|
Yes | Sample-CEN.pdf |
| CC6.1 |
Logical Access
The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity’s objectives
|
Yes | Sample-AOTP.pdf Sample-REAP.pdf |
| CC6.2 |
User Access
Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized
|
Yes | Sample-AOTP.pdf Sample-ASP.pdf Sample-REAP.pdf |
| CC6.3 |
Role-Based Access
The entity authorizes, modifies, or removes access to data, software, functions, and other protected information assets based on roles, responsibilities, or the system design and changes, giving consideration to the concepts of least privilege and segregation of duties, to meet the entity’s objectives
|
Yes | Sample-AOTP.pdf |
| CC6.4 |
Physical Access
The entity restricts physical access to facilities and protected information assets (for example, data center facilities, back-up media storage, and other sensitive locations) to authorized personnel to meet the entity’s objectives
|
Yes | Sample-DP.pdf Sample-OSP.pdf |
| CC6.5 |
Data Disposal
The entity discontinues logical and physical protections over physical assets only after the ability to read or recover data and software from those assets has been diminished and is no longer required to meet the entity’s objectives
|
Yes | Sample-RP.pdf |
| CC6.6 |
External Threats
The entity implements logical access security measures to protect against threats from sources outside its system boundaries
|
Yes | Sample-SEN.pdf |
| CC6.7 |
Data Custody and Transmission
The entity restricts the transmission, movement, and removal of information to authorized internal and external users and processes, and protects it during transmission, movement, or removal to meet the entity’s objectives
|
Yes | Sample-SEN.pdf Sample-MCP.pdf Sample-REAP.pdf |
| CC6.8 |
Malware Detection
The entity implements controls to prevent or detect and act upon the introduction of unauthorized or malicious software to meet the entity’s objectives
|
Yes | Sample-WP.pdf |
| CC7.1 |
Vulnerability Detection
To meet its objectives, the entity uses detection and monitoring procedures to identify (1) changes to configurations that result in the introduction of new vulnerabilities, and (2) susceptibilities to newly discovered vulnerabilities
|
Yes | Sample-SEN.pdf |
| CC7.2 |
Anomaly Detection
The entity monitors system components and the operation of those components for anomalies that are indicative of malicious acts, natural disasters, and errors affecting the entity’s ability to meet its objectives; anomalies are analyzed to determine whether they represent security events
|
Yes | Sample-SEN.pdf Sample-LMP.pdf |
| CC7.3 |
Security Incident Evaluation
The entity evaluates security events to determine whether they could or have resulted in a failure of the entity to meet its objectives (security incidents) and, if so, takes actions to prevent or address such failures
|
Yes | Sample-SIRP.pdf |
| CC7.4 |
Security Incident Response Plan
The entity responds to identified security incidents by executing a defined incident response program to understand, contain, remediate, and communicate security incidents, as appropriate
|
Yes | Sample-SIRP.pdf |
| CC7.5 |
Security Incident Response Execution
The entity identifies, develops, and implements activities to recover from identified security incidents
|
Yes | Sample-SIRP.pdf |
| CC8.1 |
Change Control
The entity authorizes, designs, develops or acquires, configures, documents, tests, approves, and implements changes to infrastructure, data, software, and procedures to meet its objectives
|
Yes | Sample-SCP.pdf Sample-SDLCP.pdf |
| CC9.1 |
Disruption Risk Mitigation
The entity identifies, selects, and develops risk mitigation activities for risks arising from potential business disruptions
|
Yes | Sample-AP.pdf Sample-BCP.pdf Sample-CRP.pdf Sample-RIAP.pdf |
| CC9.2 |
Vendor Risk Management
The entity assesses and manages risks associated with vendors and business partners
|
Yes | Sample-VMP.pdf |