PM-14 Testing, Training, and Monitoring

Program Management

Description

a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems are developed and maintained; and
b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.

Supplemental Guidance

A process for organization-wide security and privacy testing, training, and monitoring helps ensure that organizations provide oversight for the testing, training, and monitoring activities conducted organization-wide and that those activities are coordinated. With the importance of continuous monitoring programs, the implementation of information security and privacy across the three levels of the risk management hierarchy and the widespread use of common controls, organizations coordinate and consolidate the testing and monitoring activities that are routinely conducted as part of ongoing organizational assessments supporting a variety of controls.

Changes from Rev 4

Privacy added. Review of plans for consistency with risk management strategy added.

Compliance Mappings

ISO 27001:2022

9.1

ISO 27002:2022

6.3

CIS Controls v8

CIS 14, CIS 17.7

NIST CSF 2.0

GV.OV-03, ID.IM-02

PRA Operational Resilience

SS1/21-6.1, SS1/21-7.1, SS2/21-7.1

MAS TRM

13

BSI IT-Grundschutz

ORP.3

BIO2

6.3

RBI CSF

Annex1.18, ITGRCA.26

FISC Security Guidelines

FISC.O7

LGPD + BCB 4893

BCB.Art.10, BCB.Art.19, BCB.Art.4, LGPD.Art.50

HKMA TM-E-1

TME1.2.6, TME1.6.3, TME1.7.4

DNB Good Practice

DNB.11.2, DNB.16.2, DNB.16.5, DNB.5.2, DNB.8.2, DNB.9.2, DNB.9.3

SAMA CSF

1.3, 1.9, 2.2, 4.2

NCA ECC

1-8

UAE IA

T1, T11

CBB TM

TM-16, TM-3

Qatar NIA

GVIM

CBUAE

CR-10

CBE CSF

CD-1, OVM-3

SA JS2

JS2-7.4, JS2-7.7

CBN CSF

Part2.3, Part3.8, Part6.1, Part7.2

BoG CISD

CISD-II, CISD-IV, CISD-X

BoM CTRM

1.54.35.35.4

IOSCO Cyber Resilience

GOV-2

BCBS 239

Principle 1, Principle 10

CPMI-IOSCO PFMI

CG.DE, CG.GOV, CG.LE, CG.TE, PFMI.P2

FFIEC IS

I.A, II.C.4, II.C.7(e), II.D, III.D, IV.A, IV.A.1, IV.A.2, IV.A.3

NYDFS 500

500.14, 500.16, 500.2

HIPAA Security Rule

§164.308(a)(5)(i), §164.308(a)(8)

ECB CROE

CROE.2.1.2, CROE.2.4, CROE.2.6.1, CROE.2.8.1

EBA ICT Guidelines

3.4.7

SEBI CSCRF

AUDIT, CCI, DE.CM, DE.VA, GV.OV, RC.IM, SOC, VAPT

BOT Cyber Resilience

Ch1.3, Ch3.2, Ch6.1

CMMC 2.0

AT, CA

10 CFR 73.54

RG5.71-C-CA, RG5.71-C-AT, 73.54(d)

FERC CIP Orders

Order 893

DOE C2M2 v2.1

PROGRAM

API 1164

Sec 15

IAEA NSS 17-T

Sec 11

CBEST

CBEST.1, CBEST.10, CBEST.5, CBEST.7

TIBER-EU

TIBER.BT, TIBER.CLOSE, TIBER.PREP, TIBER.RT

ISAE 3402

Clause 5

Solvency II

Art.46, Art.47

Lloyd's Minimum Standards

MS8.13, MS9.2

NAIC Insurance Data Security

4, 4-monitoring, 4-training, 4E, 4F-a, 5

PRA SS1/23

P2.3, P4.1, P5.2, P5.3

FCA SYSC 13

SYSC 13.5.1, SYSC 13.5.3, SYSC 13.7.5, SYSC 13.G.3

HITRUST CSF v11

00.c, 02.b, 04.b, 06.c, 12.c

ISO 27799

18.3

NHS DSPT

NDG-2.2, NDG-3.2, NDG-5.1, NDG-9.8

Basel SCO60

SCO60.72, SCO60.74