
PRA Supervisory Statement SS1/23 — Model Risk Management

UK Prudential Regulation Authority supervisory statement setting out the PRA's expectations for model risk management (MRM). It applies to UK-incorporated banks, building societies and PRA-designated investment firms, with the full set of expectations directed at firms that hold internal model approval to calculate regulatory capital requirements and proportionate application elsewhere. It is organised around five principles: (1) model identification and model risk classification (model definition, a firm-wide model inventory, risk-based tiering); (2) governance (board responsibility, SMF accountability, MRM policies and procedures, roles and responsibilities); (3) model development, implementation and use (model purpose and design, data quality, development testing, model adjustments, documentation); (4) independent model validation (an independent validation function, process verification, ongoing monitoring and periodic review, validation reporting); and (5) model risk mitigants (post-model adjustments, restrictions on model use). Published 17 May 2023; effective 17 May 2024.

The tables below map NIST SP 800-53 controls, grouped by control family, to the statement's expectations. A reference of the form Pn.m denotes sub-principle m under Principle n; the P-IT.1 to P-IT.3 references are this mapping's own identifiers for the statement's IT-related expectations and are not numbered that way in the statement itself.

AC Access Control

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
AC-01 | Access Control Policies and Procedures | P-IT.1
AC-02 | Account Management | P-IT.1, P2.4
AC-03 | Access Enforcement | P-IT.1, P3.3, P3.6
AC-05 | Separation Of Duties | P-IT.1, P2.2, P2.4, P4.1
AC-06 | Least Privilege | P-IT.1, P2.4, P3.3, P3.6, P4.4
AC-17 | Remote Access | P-IT.1
AC-24 | Access Control Decisions | P-IT.1

AT Awareness and Training

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
AT-01 | Security Awareness And Training Policy And Procedures | P2.3
AT-02 | Security Awareness | P2.3, P3.6
AT-03 | Security Training | P2.3, P3.6

AU Audit and Accountability

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
AU-01 | Audit And Accountability Policy And Procedures | P-IT.2
AU-02 | Auditable Events | P-IT.2, P3.2, P3.4, P4.3, P4.4
AU-03 | Content Of Audit Records | P-IT.2, P3.2, P4.3, P4.4
AU-05 | Response To Audit Processing Failures | P5.3
AU-06 | Audit Monitoring, Analysis, And Reporting | P-IT.2, P3.4, P3.6, P4.5, P5.2
AU-07 | Audit Reduction And Report Generation | P-IT.2
AU-08 | Time Stamps | P-IT.2
AU-09 | Protection Of Audit Information | P-IT.2
AU-10 | Non-Repudiation | P-IT.2, P3.2, P4.4
AU-11 | Audit Record Retention | P-IT.2, P5.5
AU-12 | Audit Record Generation | P-IT.2, P3.3, P3.4
AU-14 | Session Audit | P-IT.2

CA Security Assessment and Authorization

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | P2.2, P4.1
CA-02 | Security Assessments | P2.2, P4.1, P4.2
CA-05 | Plan Of Action And Milestones | P4.5, P5.1
CA-06 | Security Accreditation | P2.2, P3.4
CA-07 | Continuous Monitoring | P4.1, P5.2
CA-08 | Penetration Testing | P4.2, P5.4

CM Configuration Management

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
CM-01 | Configuration Management Policy And Procedures | P3.1
CM-02 | Baseline Configuration | P-IT.3, P3.3
CM-03 | Configuration Change Control | P3.3, P3.4, P4.4, P5.5
CM-04 | Monitoring Configuration Changes | P3.3, P3.4
CM-05 | Access Restrictions For Change | P3.3, P3.4
CM-06 | Configuration Settings | P-IT.3, P3.3
CM-08 | Information System Component Inventory | P-IT.3, P1.1, P1.3, P5.5
CM-09 | Configuration Management Plan | P3.3, P3.4
CM-12 | Information Location | P1.1, P3.2
CM-13 | Data Action Mapping | P1.1, P3.2

CP Contingency Planning

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
CP-02 | Contingency Plan | P-IT.3
CP-04 | Contingency Plan Testing And Exercises | P5.4
CP-07 | Alternate Processing Site | P-IT.3
CP-09 | Information System Backup | P-IT.3
CP-10 | Information System Recovery And Reconstitution | P-IT.3

IA Identification and Authentication

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
IA-02 | User Identification And Authentication | P-IT.1
IA-04 | Identifier Management | P-IT.1
IA-05 | Authenticator Management | P-IT.1

IR Incident Response

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
IR-01 | Incident Response Policy And Procedures | P5.3
IR-04 | Incident Handling | P5.3
IR-06 | Incident Reporting | P5.3

MP Media Protection

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
MP-06 | Media Sanitization And Disposal | P5.5

PE Physical and Environmental Protection

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
PE-01 | Physical And Environmental Protection Policy And Procedures | P-IT.3
PE-02 | Physical Access Authorizations | P-IT.3
PE-03 | Physical Access Control | P-IT.3

PL Planning

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
PL-01 | Security Planning Policy And Procedures | P2.1, P2.3
PL-02 | System Security Plan | P1.1, P1.3, P2.3, P3.5, P5.1
PL-04 | Rules Of Behavior | P2.3, P3.6
PL-08 | Security and Privacy Architectures | P1.3, P3.1
PL-10 | Baseline Selection | P5.1
PL-11 | Baseline Tailoring | P5.1

PM Program Management

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
PM-01 | Information Security Program Plan | P2.1, P2.2, P2.3
PM-02 | Information Security Program Leadership Role | P2.1, P2.2
PM-03 | Information Security and Privacy Resources | P2.1
PM-04 | Plan of Action and Milestones Process | P4.5
PM-05 | System Inventory | P1.1
PM-06 | Measures of Performance | P4.5, P5.2
PM-09 | Risk Management Strategy | P1.2, P2.1, P3.5, P5.1, P5.4
PM-10 | Authorization Process | P2.2, P2.3
PM-11 | Mission and Business Process Definition | P1.2, P1.3, P3.6
PM-13 | Security and Privacy Workforce | P2.1
PM-14 | Testing, Training, and Monitoring | P2.3, P4.1, P5.2, P5.3
PM-29 | Risk Management Program Leadership Roles | P2.1

PS Personnel Security

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
PS-01 | Personnel Security Policy And Procedures | P2.1, P2.4
PS-02 | Position Categorization | P2.2, P2.4
PS-03 | Personnel Screening | P2.4
PS-06 | Access Agreements | P2.4
PS-07 | Third-Party Personnel Security | P2.2, P2.4
PS-09 | Position Descriptions | P2.4

RA Risk Assessment

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
RA-02 | Security Categorization | P1.1, P1.2
RA-03 | Risk Assessment | P1.2, P3.5, P5.1, P5.4
RA-07 | Risk Response | P4.5, P5.1
RA-09 | Criticality Analysis | P1.1, P1.2

SA System and Services Acquisition

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
SA-03 | Life Cycle Support | P3.1, P5.5
SA-04 | Acquisitions | P1.3
SA-05 | Information System Documentation | P3.1, P3.5
SA-08 | Security Engineering Principles | P3.1
SA-10 | Developer Configuration Management | P3.1, P3.3, P3.4
SA-11 | Developer Security Testing | P3.3, P4.2, P4.3
SA-15 | Development Process, Standards, and Tools | P3.1, P3.3
SA-16 | Developer-Provided Training | P3.3
SA-17 | Developer Security and Privacy Architecture and Design | P3.1, P3.5

SC System and Communications Protection

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
SC-02 | Application Partitioning | P-IT.3
SC-07 | Boundary Protection | P-IT.3
SC-28 | Protection of Information at Rest | P-IT.3

SI System and Information Integrity

Control | Name | PRA SS1/23 References
------- | ---- | ---------------------
SI-01 | System And Information Integrity Policy And Procedures | P3.2
SI-04 | Information System Monitoring Tools And Techniques | P5.2, P5.3
SI-05 | Security Alerts And Advisories | P5.3
SI-06 | Security Functionality Verification | P3.2, P4.3, P5.2
SI-07 | Software And Information Integrity | P3.2, P4.3
SI-10 | Information Accuracy, Completeness, Validity, And Authenticity | P3.2, P4.3
SI-11 | Error Handling | P3.2
SI-12 | Information Output Handling And Retention | P3.2, P5.5
SI-15 | Information Output Filtering | P3.2