Internal Controls Matrix
| Controls Specified by the Service Organization | Responsible Party or Parties | Who is performing the control? | What is the control mitigating? | When is the control being performed? (Frequency) | How is the control being performed? |
|---|---|---|---|---|---|
| An employee handbook and code of conduct are documented and reviewed on an annual basis to outline workforce conduct standards and enforcement procedures. | HR Department | HR Manager | Review and update employee handbook | Yearly | Manual Review |
| Personnel are required to acknowledge the employee handbook and code of conduct upon hire and annually thereafter. | HR Department | HR Manager | Acknowledge the handbook when each employees join | Upon hiring | Manual Review |
| Prior to employment, personnel are required to complete a background check. | HR Department | HR Manager | Manual Review | Prior to each employment | Manually |
| Performance and conduct evaluations are performed for personnel on an annual basis. | HR Department | HR Manager | Manual Review | Performance appraisal in Half yearly. | Manually |
| Employees, third-parties, and customers are directed on how to report unethical behavior in a confidential manner. | HR Department | HR Manager | Through email communication | ||
| Entity policies include probation, suspension, and termination as potential sanctions for employee misconduct. | HR Department | HR Manager | Manual Review | Manual Review | |
| The entity's third-party agreement requires that third-parties have a code of conduct and employee handbook in place. | HR Department | HR Manager | Review and update employee handbook | Yearly | Manual Review |
| The entity's third-party agreement requires that third-parties - consider the background, competencies and experience of its personnel; and - provide regular training to its personnel as it relates to their job role and responsibilities. |
HR Department | HR Manager | Review and update employee handbook | Frequently | Manual Review |
| Operational management assigns responsibility for and monitors the effectiveness and performance of controls implemented in the environment. | Management | Management | Manual Review | annually | Manual Review |
| A third-party performs an independent assessment of the controls environment annually to assess the effectiveness of controls within the environment. | Management | Management | Manual Review | annually | Manual Review |
| A documented organizational chart is in place to communicate organizational structures, lines of reporting, and areas of authority. | Management | Management | Manual Review | annually | Manual Review |
| Executive management reviews the organization chart annually and makes updates to the organizational structure and lines of reporting, if necessary. | Management | Management | Manual Review | annually | Manual Review |
| Reporting relationships and organizational structures are reviewed annually by management. | Management | Management | Manual Review | annually | Manual Review |
| Roles and responsibilities are defined in written job descriptions and communicated to personnel through the company's [sharepoint site, website, newsletters, email, etc.] | Management | Management | Manual Review | annually | Website/ Email |
| Roles and responsibilities defined in written job descriptions consider and address specific requirements relevant to [security, availability, processing integrity, confidentiality, and privacy]. | Management | Management | Manual Review | annually | Website/ Email |
| A vendor risk assessment is performed for third-party providers on an annual basis which includes reviewing the activities performed by third-parties. | Management | Management | Manual Review | annually | Manual Review |
| Executive management considers the roles and responsibilties performed by third parties as well as monitoring the activities performed by third parties in documenting the organizational chart and defining job descriptions. | Management | Management | Manual Review | annually | Manual Review |
| Policies and procedures are in place that outline the performance evaluation process as well as the competency and training requirements for personnel. | Management | Management | Manual Review | annually | Manual Review |
| The entity evalutes the competencies and experience of candidates prior to hiring and of personnel transferring job roles or responsibilities. | Management | Management | Manual Review | annually | Manual Review |
| Job requirements are documented in the job descriptions and candidates' abilities to meet these requirements are evaluated as part of the hiring or transfer evaluation process. | HR Department | HR Manager | Manual Review | Manual Review | |
| Executive management has created a training program for its employees. OR Executive management uses an outside vendor to assist with its continued training of employees. | HR Department | HR Manager | Manual Review | Manual | |
| Executive management tracks and monitors compliance with training requirements. | HR Department | HR Manager | Manual Review | Manual | |
| As part of the performance evaluation process, the entity rewards its personnel for exceeding expectations as it relates to their job role and responsibilities. | HR Department | HR Manager | Manual Review | Performance appraisal in Half yearly. | Manually |
| Upon hire, personnel are required to acknowledge the employee handbook which requires adherence to the personnel's job role and responsibilities. | HR Department | HR Manager | Review and update employee handbook | Yearly | Manual Review |
| Organizational and information security policies and procedures are documented for supporting the functioning of controls and processes and made available to its personnel through the company's [sharepoint site, website, newsletters, email, etc.] | Management | Management | Manual Review | annually | Website/ Email |
| Data flow diagrams, process flowcharts, narratives, and procedures manuals are documented and maintained by the management to identify the relevant internal and external information sources of the system. | Management | Management | Manual Review | annually | Website/ Email |
| The entity's risk assessment process includes: - identifying the relevant information assets that are critical to business operations; - prioritizing the criticality of those relevant information assets; - identifying and assessing the impact of the threats to those information assets; - identifying and assessing the impact of the vulnerabilities associated with the identified threats; - assessing the likelihood of identified threats and vulnerabilities; - determining the risks associated with the information assets; - addressing the associated risks identified for each identified vulnerability. |
Management | Management | Manual Review | Frequently | Spreadsheet |
| Risks identified as a part of the risk assessment process are addressed using one of the following strategies: - avoid the risk; - mitigate the risk; - transfer the risk; or - accept the risk. |
Management | Management | Manual Review | Frequently | Spreadsheet |
| For gaps and vulnerabilities identified from the risk assessment, remediation efforts, including the implementation of controls, are assigned to process owners based on roles and responsibilities. | Management | Management | Manual Review | Frequently | Spreadsheet |
| The annual comprehensive risk assessment results are reviewed and approved by appropriate levels of management. | Management | Management | Manual Review | Frequently | Spreadsheet |
| As part of the annual risk assessment, management reviews the potential threats and vulnerabilities arising from its customers, vendors and third-parties. | Management | Management | Manual Review | Frequently | Spreadsheet |
| On an annual basis, management identifies and assesses the types of fraud (e.g. fraudulent reporting, loss of assets, unauthorized system access, overriding controls) that could impact their business and operations. | Management | Management | Manual Review | Frequently | Spreadsheet |
| Identified fraud risks are reviewed and addressed using one of the following strategies: - avoid the risk; - mitigate the risk; - transfer the risk; or - accept the risk." |
Management | Management | Manual Review | Frequently | Spreadsheet |
| As part of management's assessment of fraud risks, management considers how personnel could engage in or justify unethical or inappropriate actions. | Management | Management | Manual Review | Frequently | Spreadsheet |
| As part of management's assessment of fraud risks, management considers threats and vulnerabilities that arise from the use of IT (e.g. unauthorized access, inadequate segregation of duties, default accounts, inadequate password management, unauthorized changes) | Management | Management | Manual Review | Frequently | Spreadsheet |
| Changes to the business structure and operations are considered and evaluated as part of the annual comprehensive risk assessment. | Management | Management | Manual Review | Frequently | Spreadsheet |
| Changes to the regulatory, economic, and physical environment in which the entity operates are considered and evaluated as part of the annual comprehensive risk assessment. | Management | Management | Manual Review | Frequently | Spreadsheet |
| Changes to the entity's systems, applications, technologies, and tools are considered and evaluated as part of the annual comprehensive risk assessment. | Management | Management | Manual Review | Frequently | Spreadsheet |
| Changes in vendor and third-party relationships are considered and evaluated as part of the annual comprehensive risk assessment. | Management | Management | Manual Review | Frequently | Spreadsheet |
| Changes in key management and personnel are considered and evaluated as part of the annual comprehensive risk assessment. | Management | Management | Manual Review | Frequently | Spreadsheet |
| Reporting relationships and organizational structures are reviewed on an annual basis by management. | Management | Management | Manual Review | Frequently | Spreadsheet |
| Monitoring software is used to identify and evaluate ongoing system performance, security threats, changing resource utilization needs, and unusual system activity. | Management | Management | Manual Review | Frequently | Spreadsheet |
|
The monitoring software is configured to alert [ |
Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Notification Alert |
| Management reviews policies, procedures and other control documents for accuracy and applicability on an annual basis. | Management | Management | Manual Review | Frequently | Website |
| Vulnerability scans are performed annually on the environment to identify control gaps and vulnerabilitiles. | Security Team | Security Team | Manual Review | Frequently | Usiing Open source tools |
| Business continuity and disaster recovery plans are developed and updated on a annual basis. | Management | Management | Manual Review | Frequently | Website |
| Business continuity and disaster recovery plans are tested on a annual basis. | Management | Management | Manual Review | Frequently | Website |
| Access Control | |||||
| Logical and physical access to systems is granted to an employee as a component of the hiring process. | HR Department | HR Manager | Manual Review | Frequently | Manual Review |
| Logical and physical access to systems is revoked as a component of the termination process. | HR Department | HR Manager | Manual Review | Frequently | Manual Review |
| Privileged access to sensitive resources is restricted to defined user roles. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| Network administrative access is restricted to user accounts accessible by authorized IT personnel. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| "Network users are authenticated via individually-assigned user accounts and passwords. Networks are configured to enforce password requirements that include: - Password history - Password age (minimum & maximum) - Password length - Complexity |
Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| Network access reviews are completed by management on a Quaterly basis. | Infrastructure Team | Infrastructure Team | Manual Review | Quaterly | Manual Review |
| Operating system administrative access is restricted to user accounts accessible authorized IT personnel. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| "Operating system users are authenticated via individually-assigned user accounts and passwords. Operating System are configured to enforce password requirements that include: - Password history - Password age (minimum & maximum) - Password length - Complexity |
Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| Operating system access reviews are completed by management on a Quaterly basis. | Infrastructure Team | Infrastructure Team | Manual Review | Quaterly | Manual Review |
| Database administrative access is restricted to user accounts accessible by authorized IT personnel. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| "Database users are authenticated via individually-assigned user accounts and passwords. Databases are configured to enforce password requirements that include: - Password history - Password age (minimum & maximum) - Password length - Complexity |
Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| Database access reviews are completed by management on a Quaterly basis. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| Application administrative access is restricted to user accounts accessible by authorized IT personnel. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| "Application users are authenticated via individually-assigned user accounts and passwords. Applications are configured to enforce password requirements that include: - Password history - Password age (minimum & maximum) - Password length - Complexity |
Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| Application access reviews are completed by management on a Quaterly basis. | Infrastructure Team | Infrastructure Team | Manual Review | Quaterly | Manual Review |
| The ability to administer VPN access is restricted to user accounts accessible by the following personnel: -Title |
Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| VPN users are authenticated via multi-factor authentication (username, password, and PIN/OTP/Token) prior to being granted remote access to the system. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| VPN access reviews are completed by management on a Quaterly basis. | Infrastructure Team | Infrastructure Team | Manual Review | Quaterly | Manual Review |
| Network | |||||
| Network account lockout policies are in place that include: - Account lockout duration - Account lockout threshold - Account lockout counter reset | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Website |
| Network audit policy configurations are in place that include: - Account logon events - Account management - Directory Service Access - Logon events - Object access - Policy changes - Privilege use - Process tracking - System events |
Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| Alerts are generated to notify network administrators of suspicious activity. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Notification Alert |
| Network log reviews are completed by management on a quarterly basis. | Infrastructure Team | Infrastructure Team | Manual Review | Quaterly | Manual Review |
| Operating System | |||||
| Operating system account lockout policies are in place that include: - Account lockout duration< - Account lockout threshold - Account lockout counter reset |
Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Website |
| Operating system audit policy configurations are in place that include: - Account logon events - Account management - Directory Service Access - Logon events - Object access - Policy changes - Privilege use - Process tracking - System events |
Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| Alerts are generated to notify operating system administrators of suspicious activity. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Notification Alert |
| Operating system log reviews are completed by management on a quarterly basis. | Infrastructure Team | Infrastructure Team | Manual Review | Quaterly | Manual Review |
| Database | |||||
| Database account lockout policies are in place that include: - Account lockout duration - Account lockout threshold - Account lockout counter reset |
Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Website |
| Database audit policy configurations are in place that include: | |||||
| -Account logon events - Account management - Directory Service Access - Logon events - Object access - Policy changes - Privilege use - Process tracking - System events |
Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| Alerts are generated to notify database administrators of suspicious activity. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Notification Alert |
| Database log reviews are completed by management on a quarterly basis. | Infrastructure Team | Infrastructure Team | Manual Review | Quaterly | Manual Review |
| Application | |||||
| Application account lockout policies are in place that include: - Account lockout duration - Account lockout threshold - Account lockout counter reset |
Infrastructure Team | Infrastructure Team | Manual Review | Quaterly | Website |
| Application audit policy configurations are in place that include: - Account logon events - Account management - Directory Service Access - Logon events - Object access - Policy changes - Privilege use - Process tracking - System events |
Infrastructure Team | Infrastructure Team | Manual Review | Quaterly | Manual Review |
| Alerts are generated to notify application administrators of suspicious activity. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Notification Alert |
| Application log reviews are completed by management on a quarterly basis. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| Documented incident response policies and procedures are in place to guide personnel in the event of an incident. | Management | Management | Manual Review | Quaterly | Website |
| Data backup and restore procedures are in place to guide personnel in performing backup activities. | Infrastructure Team | Infrastructure Team | Manual Review | Quaterly | Website |
| An automated backup system is utilized to perform scheduled system backups. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Website |
| Full backups of certain application and database components are performed on a Quaterly basis and incremental backups are performed on a Quaterly basis. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| IT personnel monitor the success or failure of backups, and are notified of backup job status via email notifications. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Manual Review |
| Documented incident response and escalation procedures for reporting security incidents are in place to guide users in identifying, reporting and mitigating failures, incidents, concerns, and other complaints. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Website |
| The incident response and escalation procedures are reviewed at least annually for effectiveness. | Infrastructure Team | Infrastructure Team | Manual Review | annually | Website |
| The incident response and escalation procedures define the classification of incidents based on its severity. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | Website |
| A GIT Tracking is utilized to track and respond to incidents. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Resolution of incidents is communicated to users within the corresponding ticket. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Incidents are documented and tracked in a standardized ticketing system and updated to reflect the planned incident and problem resolution. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| A security incident analysis is performed for critical incidents to determine the root cause, system impact, and to determine the resolution. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Identified incidents are reviewed, monitored and investigated by an incident response team. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Incidents resulting in the unauthorized use or disclosure of personal information are communicated to the affected users. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Identified incidents are analyzed, classified and prioritized based on system impact to determine the appropriate containment strategy, including a determination of the appropriate response time frame and the determination and execution of the containment approach. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are defined and documented. | Management | Management | Manual Review | annually | GIT Tracking |
| Documented incident response and escalation procedures for reporting security incidents are in place to guide users in identifying, reporting and mitigating failures, incidents, concerns, and other complaints. | Infrastructure Team | Infrastructure Team | Manual Review | annually | GIT Tracking |
| Incidents are documented and tracked in a standardized ticketing system and updated to reflect the planned incident and problem resolution. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| The actions taken to address identified vulnerabilities are documented and communicated to affected parties. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Documented incident response and escalation procedures are in place to guide personnel in addressing the threats posed by security incidents. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Incidents are communicated to those affected through [emails, newsletters, creation of an incident ticket, etc]. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Resolution of incidents are documented within the ticket and communicated to affected users. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Remediation actions taken for security incidents are documented within the ticket and communicated to affected users. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Identified incidents are analyzed, classified and prioritized based on system impact to determine the appropriate containment strategy, including a determination of the appropriate response time frame and the determination and execution of the containment approach. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| A security incident analysis is performed for critical incidents to determine the root cause, system impact, and to determine the resolution. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Identified vulnerabilities are addressed using one of the following strategies: - remediate the identified vulnerability; - avoid the risk posed by the identified vulnerability; - mitigate the risk posed by the identified vulnerability; - transfer the risk posed by the identified vulnerability; or - accept the risk posed by the identified vulnerability. |
Infrastructure Team/Devopment Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| The incident response and escalation procedures are reviewed at least annually for effectiveness. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Change management requests are opened for incidents that require permanent fixes. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Data backup and restore procedures are in place to guide personnel in performing backup activities. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Backup restoration tests are performed on at least an annual basis. | Infrastructure Team | Infrastructure Team | Manual Review | annually | GIT Tracking |
| A security incident analysis is performed for critical incidents to determine the root cause, system impact, and to determine the resolution. | Security Team | Security Team | Manual Review | Frequently | GIT Tracking |
| On an annual basis, preventative and detective controls are evaluated and changed as part of the incident management process. | Infrastructure Team | Infrastructure Team | Manual Review | annually | GIT Tracking |
| After critical incidents are investigated and addressed, lessons learned are documented and analyzed. Incident response plans and recovery procedures are updated based on the lessons learned. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| A business continuity and disaster recovery plan is documented to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| The disaster recovery plan is tested on an annual basis. | Infrastructure Team | Infrastructure Team | Manual Review | annually | GIT Tracking |
| The business continuity and disaster recovery plan and procedures are updated based on disaster recovery plan test results. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Documented change control policies and procedures are in place to guide personnel in the handling system changes. | Management | Management | Manual Review | Frequently | GIT Tracking |
| The change management process has defined the following roles and assignments: - Authorization of change requests-owner or business unit manager - Development-application design and support department - Testing-quality assurance department - Implementation software change management group |
Management | Management | Manual Review | Quaterly | GIT Tracking |
| System changes are communicated to both internal and external users. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| Access to implement changes in the production environment is restricted to authorized IT personnel. | Infrastructure Team | Infrastructure Team | Manual Review | Frequently | GIT Tracking |
| System change requests are documented and tracked in a ticketing system. | Management | Management | Manual Review | Frequently | GIT Tracking |
| System changes are tested prior to implementation. Types of testing performed depend on the nature of the change. | Development team | Development team | Manual Review | Frequently | GIT Tracking |
| Back out procedures are documented within each change implementation to allow for rollback of changes when changes impair system operation. | Development team | Development team | Manual Review | Frequently | GIT Tracking |
| System changes implemented to the production environment are evaluated for impact to the entity's objectives. | Development team | Development team | Manual Review | Frequently | GIT Tracking |
| System changes implemented for remediating incidents follow the standard change management process. | Development team | Development team | Manual Review | Frequently | GIT Tracking |
| Information security policies and procedures document the baseline requirements for configuration of IT systems and tools. | Management | Management | Manual Review | Quaterly | Website |
| Documented change control policies and procedures are in place to guide personnel in implementing changes in an emergency situation. | Management | Management | Manual Review | Quaterly | Website |
| Management develops third party risk mitigation strategies to address risks identified during the risk assessment process. | Management | Management | Manual Review | Frequently | GIT Tracking |
| The entity has documented procedures for addressing issues identified with third-parties. | Management | Management | Manual Review | Quaterly | Website |
| The entity has documented procedures for terminating third party relationships. | Management | Management | Manual Review | Quaterly | Website |