Internal Controls Matrix

Internal Controls Matrix

Internal Controls Matrix

Controls Specified by the Service Organization Responsible Party or Parties Who is performing the control? What is the control mitigating? When is the control being performed? (Frequency) How is the control being performed?
An employee handbook and code of conduct are documented and reviewed on an annual basis to outline workforce conduct standards and enforcement procedures. HR Department HR Manager Review and update employee handbook Yearly Manual Review
Personnel are required to acknowledge the employee handbook and code of conduct upon hire and annually thereafter. HR Department HR Manager Acknowledge the handbook when each employees join Upon hiring Manual Review
Prior to employment, personnel are required to complete a background check. HR Department HR Manager Manual Review Prior to each employment Manually
Performance and conduct evaluations are performed for personnel on an annual basis. HR Department HR Manager Manual Review Performance appraisal in Half yearly. Manually
Employees, third-parties, and customers are directed on how to report unethical behavior in a confidential manner. HR Department HR Manager Through email communication
Entity policies include probation, suspension, and termination as potential sanctions for employee misconduct. HR Department HR Manager Manual Review Manual Review
The entity's third-party agreement requires that third-parties have a code of conduct and employee handbook in place. HR Department HR Manager Review and update employee handbook Yearly Manual Review
The entity's third-party agreement requires that third-parties
- consider the background, competencies and experience of its personnel; and
- provide regular training to its personnel as it relates to their job role and responsibilities.
HR Department HR Manager Review and update employee handbook Frequently Manual Review
Operational management assigns responsibility for and monitors the effectiveness and performance of controls implemented in the environment. Management Management Manual Review annually Manual Review
A third-party performs an independent assessment of the controls environment annually to assess the effectiveness of controls within the environment. Management Management Manual Review annually Manual Review
A documented organizational chart is in place to communicate organizational structures, lines of reporting, and areas of authority. Management Management Manual Review annually Manual Review
Executive management reviews the organization chart annually and makes updates to the organizational structure and lines of reporting, if necessary. Management Management Manual Review annually Manual Review
Reporting relationships and organizational structures are reviewed annually by management. Management Management Manual Review annually Manual Review
Roles and responsibilities are defined in written job descriptions and communicated to personnel through the company's [sharepoint site, website, newsletters, email, etc.] Management Management Manual Review annually Website/ Email
Roles and responsibilities defined in written job descriptions consider and address specific requirements relevant to [security, availability, processing integrity, confidentiality, and privacy]. Management Management Manual Review annually Website/ Email
A vendor risk assessment is performed for third-party providers on an annual basis which includes reviewing the activities performed by third-parties. Management Management Manual Review annually Manual Review
Executive management considers the roles and responsibilties performed by third parties as well as monitoring the activities performed by third parties in documenting the organizational chart and defining job descriptions. Management Management Manual Review annually Manual Review
Policies and procedures are in place that outline the performance evaluation process as well as the competency and training requirements for personnel. Management Management Manual Review annually Manual Review
The entity evalutes the competencies and experience of candidates prior to hiring and of personnel transferring job roles or responsibilities. Management Management Manual Review annually Manual Review
Job requirements are documented in the job descriptions and candidates' abilities to meet these requirements are evaluated as part of the hiring or transfer evaluation process. HR Department HR Manager Manual Review Manual Review
Executive management has created a training program for its employees. OR Executive management uses an outside vendor to assist with its continued training of employees. HR Department HR Manager Manual Review Manual
Executive management tracks and monitors compliance with training requirements. HR Department HR Manager Manual Review Manual
As part of the performance evaluation process, the entity rewards its personnel for exceeding expectations as it relates to their job role and responsibilities. HR Department HR Manager Manual Review Performance appraisal in Half yearly. Manually
Upon hire, personnel are required to acknowledge the employee handbook which requires adherence to the personnel's job role and responsibilities. HR Department HR Manager Review and update employee handbook Yearly Manual Review
Organizational and information security policies and procedures are documented for supporting the functioning of controls and processes and made available to its personnel through the company's [sharepoint site, website, newsletters, email, etc.] Management Management Manual Review annually Website/ Email
Data flow diagrams, process flowcharts, narratives, and procedures manuals are documented and maintained by the management to identify the relevant internal and external information sources of the system. Management Management Manual Review annually Website/ Email
The entity's risk assessment process includes:
- identifying the relevant information assets that are critical to business operations;
- prioritizing the criticality of those relevant information assets;
- identifying and assessing the impact of the threats to those information assets;
- identifying and assessing the impact of the vulnerabilities associated with the identified threats;
- assessing the likelihood of identified threats and vulnerabilities;
- determining the risks associated with the information assets;
- addressing the associated risks identified for each identified vulnerability.
Management Management Manual Review Frequently Spreadsheet
Risks identified as a part of the risk assessment process are addressed using one of the following strategies:
- avoid the risk;
- mitigate the risk;
- transfer the risk; or
- accept the risk.
Management Management Manual Review Frequently Spreadsheet
For gaps and vulnerabilities identified from the risk assessment, remediation efforts, including the implementation of controls, are assigned to process owners based on roles and responsibilities. Management Management Manual Review Frequently Spreadsheet
The annual comprehensive risk assessment results are reviewed and approved by appropriate levels of management. Management Management Manual Review Frequently Spreadsheet
As part of the annual risk assessment, management reviews the potential threats and vulnerabilities arising from its customers, vendors and third-parties. Management Management Manual Review Frequently Spreadsheet
On an annual basis, management identifies and assesses the types of fraud (e.g. fraudulent reporting, loss of assets, unauthorized system access, overriding controls) that could impact their business and operations. Management Management Manual Review Frequently Spreadsheet
Identified fraud risks are reviewed and addressed using one of the following strategies:
- avoid the risk;
- mitigate the risk;
- transfer the risk; or
- accept the risk."
Management Management Manual Review Frequently Spreadsheet
As part of management's assessment of fraud risks, management considers how personnel could engage in or justify unethical or inappropriate actions. Management Management Manual Review Frequently Spreadsheet
As part of management's assessment of fraud risks, management considers threats and vulnerabilities that arise from the use of IT (e.g. unauthorized access, inadequate segregation of duties, default accounts, inadequate password management, unauthorized changes) Management Management Manual Review Frequently Spreadsheet
Changes to the business structure and operations are considered and evaluated as part of the annual comprehensive risk assessment. Management Management Manual Review Frequently Spreadsheet
Changes to the regulatory, economic, and physical environment in which the entity operates are considered and evaluated as part of the annual comprehensive risk assessment. Management Management Manual Review Frequently Spreadsheet
Changes to the entity's systems, applications, technologies, and tools are considered and evaluated as part of the annual comprehensive risk assessment. Management Management Manual Review Frequently Spreadsheet
Changes in vendor and third-party relationships are considered and evaluated as part of the annual comprehensive risk assessment. Management Management Manual Review Frequently Spreadsheet
Changes in key management and personnel are considered and evaluated as part of the annual comprehensive risk assessment. Management Management Manual Review Frequently Spreadsheet
Reporting relationships and organizational structures are reviewed on an annual basis by management. Management Management Manual Review Frequently Spreadsheet
Monitoring software is used to identify and evaluate ongoing system performance, security threats, changing resource utilization needs, and unusual system activity. Management Management Manual Review Frequently Spreadsheet
The monitoring software is configured to alert [ - Critical/Warning - ] when thresholds have been exceeded. Infrastructure Team Infrastructure Team Manual Review Frequently Notification Alert
Management reviews policies, procedures and other control documents for accuracy and applicability on an annual basis. Management Management Manual Review Frequently Website
Vulnerability scans are performed annually on the environment to identify control gaps and vulnerabilitiles. Security Team Security Team Manual Review Frequently Usiing Open source tools
Business continuity and disaster recovery plans are developed and updated on a annual basis. Management Management Manual Review Frequently Website
Business continuity and disaster recovery plans are tested on a annual basis. Management Management Manual Review Frequently Website
Access Control
Logical and physical access to systems is granted to an employee as a component of the hiring process. HR Department HR Manager Manual Review Frequently Manual Review
Logical and physical access to systems is revoked as a component of the termination process. HR Department HR Manager Manual Review Frequently Manual Review
Privileged access to sensitive resources is restricted to defined user roles. Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
Network administrative access is restricted to user accounts accessible by authorized IT personnel. Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
"Network users are authenticated via individually-assigned user accounts and passwords. Networks are configured to enforce password requirements that include:
- Password history
- Password age (minimum & maximum)
- Password length
- Complexity
Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
Network access reviews are completed by management on a Quaterly basis. Infrastructure Team Infrastructure Team Manual Review Quaterly Manual Review
Operating system administrative access is restricted to user accounts accessible authorized IT personnel. Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
"Operating system users are authenticated via individually-assigned user accounts and passwords. Operating System are configured to enforce password requirements that include:
- Password history
- Password age (minimum & maximum)
- Password length
- Complexity
Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
Operating system access reviews are completed by management on a Quaterly basis. Infrastructure Team Infrastructure Team Manual Review Quaterly Manual Review
Database administrative access is restricted to user accounts accessible by authorized IT personnel. Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
"Database users are authenticated via individually-assigned user accounts and passwords. Databases are configured to enforce password requirements that include:
- Password history
- Password age (minimum & maximum)
- Password length
- Complexity
Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
Database access reviews are completed by management on a Quaterly basis. Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
Application administrative access is restricted to user accounts accessible by authorized IT personnel. Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
"Application users are authenticated via individually-assigned user accounts and passwords. Applications are configured to enforce password requirements that include:
- Password history
- Password age (minimum & maximum)
- Password length
- Complexity
Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
Application access reviews are completed by management on a Quaterly basis. Infrastructure Team Infrastructure Team Manual Review Quaterly Manual Review
The ability to administer VPN access is restricted to user accounts accessible by the following personnel:
-Title
Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
VPN users are authenticated via multi-factor authentication (username, password, and PIN/OTP/Token) prior to being granted remote access to the system. Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
VPN access reviews are completed by management on a Quaterly basis. Infrastructure Team Infrastructure Team Manual Review Quaterly Manual Review
Network
Network account lockout policies are in place that include:
- Account lockout duration
- Account lockout threshold
- Account lockout counter reset
Infrastructure Team Infrastructure Team Manual Review Frequently Website
Network audit policy configurations are in place that include:
- Account logon events
- Account management
- Directory Service Access
- Logon events
- Object access
- Policy changes
- Privilege use
- Process tracking
- System events
Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
Alerts are generated to notify network administrators of suspicious activity. Infrastructure Team Infrastructure Team Manual Review Frequently Notification Alert
Network log reviews are completed by management on a quarterly basis. Infrastructure Team Infrastructure Team Manual Review Quaterly Manual Review
Operating System
Operating system account lockout policies are in place that include:
- Account lockout duration<
- Account lockout threshold
- Account lockout counter reset
Infrastructure Team Infrastructure Team Manual Review Frequently Website
Operating system audit policy configurations are in place that include:
- Account logon events
- Account management
- Directory Service Access
- Logon events
- Object access
- Policy changes
- Privilege use
- Process tracking
- System events
Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
Alerts are generated to notify operating system administrators of suspicious activity. Infrastructure Team Infrastructure Team Manual Review Frequently Notification Alert
Operating system log reviews are completed by management on a quarterly basis. Infrastructure Team Infrastructure Team Manual Review Quaterly Manual Review
Database
Database account lockout policies are in place that include:
- Account lockout duration
- Account lockout threshold
- Account lockout counter reset
Infrastructure Team Infrastructure Team Manual Review Frequently Website
Database audit policy configurations are in place that include:
-Account logon events
- Account management
- Directory Service Access
- Logon events
- Object access
- Policy changes
- Privilege use
- Process tracking
- System events
Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
Alerts are generated to notify database administrators of suspicious activity. Infrastructure Team Infrastructure Team Manual Review Frequently Notification Alert
Database log reviews are completed by management on a quarterly basis. Infrastructure Team Infrastructure Team Manual Review Quaterly Manual Review
Application
Application account lockout policies are in place that include:
- Account lockout duration
- Account lockout threshold
- Account lockout counter reset
Infrastructure Team Infrastructure Team Manual Review Quaterly Website
Application audit policy configurations are in place that include:
- Account logon events
- Account management
- Directory Service Access
- Logon events
- Object access
- Policy changes
- Privilege use
- Process tracking
- System events
Infrastructure Team Infrastructure Team Manual Review Quaterly Manual Review
Alerts are generated to notify application administrators of suspicious activity. Infrastructure Team Infrastructure Team Manual Review Frequently Notification Alert
Application log reviews are completed by management on a quarterly basis. Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
Documented incident response policies and procedures are in place to guide personnel in the event of an incident. Management Management Manual Review Quaterly Website
Data backup and restore procedures are in place to guide personnel in performing backup activities. Infrastructure Team Infrastructure Team Manual Review Quaterly Website
An automated backup system is utilized to perform scheduled system backups. Infrastructure Team Infrastructure Team Manual Review Frequently Website
Full backups of certain application and database components are performed on a Quaterly basis and incremental backups are performed on a Quaterly basis. Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
IT personnel monitor the success or failure of backups, and are notified of backup job status via email notifications. Infrastructure Team Infrastructure Team Manual Review Frequently Manual Review
Documented incident response and escalation procedures for reporting security incidents are in place to guide users in identifying, reporting and mitigating failures, incidents, concerns, and other complaints. Infrastructure Team Infrastructure Team Manual Review Frequently Website
The incident response and escalation procedures are reviewed at least annually for effectiveness. Infrastructure Team Infrastructure Team Manual Review annually Website
The incident response and escalation procedures define the classification of incidents based on its severity. Infrastructure Team Infrastructure Team Manual Review Frequently Website
A GIT Tracking is utilized to track and respond to incidents. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Resolution of incidents is communicated to users within the corresponding ticket. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Incidents are documented and tracked in a standardized ticketing system and updated to reflect the planned incident and problem resolution. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
A security incident analysis is performed for critical incidents to determine the root cause, system impact, and to determine the resolution. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Identified incidents are reviewed, monitored and investigated by an incident response team. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Incidents resulting in the unauthorized use or disclosure of personal information are communicated to the affected users. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Identified incidents are analyzed, classified and prioritized based on system impact to determine the appropriate containment strategy, including a determination of the appropriate response time frame and the determination and execution of the containment approach. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Roles and responsibilities for the design, implementation, maintenance, and execution of the incident response program are defined and documented. Management Management Manual Review annually GIT Tracking
Documented incident response and escalation procedures for reporting security incidents are in place to guide users in identifying, reporting and mitigating failures, incidents, concerns, and other complaints. Infrastructure Team Infrastructure Team Manual Review annually GIT Tracking
Incidents are documented and tracked in a standardized ticketing system and updated to reflect the planned incident and problem resolution. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
The actions taken to address identified vulnerabilities are documented and communicated to affected parties. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Documented incident response and escalation procedures are in place to guide personnel in addressing the threats posed by security incidents. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Incidents are communicated to those affected through [emails, newsletters, creation of an incident ticket, etc]. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Resolution of incidents are documented within the ticket and communicated to affected users. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Remediation actions taken for security incidents are documented within the ticket and communicated to affected users. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Identified incidents are analyzed, classified and prioritized based on system impact to determine the appropriate containment strategy, including a determination of the appropriate response time frame and the determination and execution of the containment approach. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
A security incident analysis is performed for critical incidents to determine the root cause, system impact, and to determine the resolution. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Identified vulnerabilities are addressed using one of the following strategies:
- remediate the identified vulnerability;
- avoid the risk posed by the identified vulnerability;
- mitigate the risk posed by the identified vulnerability;
- transfer the risk posed by the identified vulnerability; or
- accept the risk posed by the identified vulnerability.
Infrastructure Team/Devopment Team Infrastructure Team Manual Review Frequently GIT Tracking
The incident response and escalation procedures are reviewed at least annually for effectiveness. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Change management requests are opened for incidents that require permanent fixes. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Data backup and restore procedures are in place to guide personnel in performing backup activities. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Backup restoration tests are performed on at least an annual basis. Infrastructure Team Infrastructure Team Manual Review annually GIT Tracking
A security incident analysis is performed for critical incidents to determine the root cause, system impact, and to determine the resolution. Security Team Security Team Manual Review Frequently GIT Tracking
On an annual basis, preventative and detective controls are evaluated and changed as part of the incident management process. Infrastructure Team Infrastructure Team Manual Review annually GIT Tracking
After critical incidents are investigated and addressed, lessons learned are documented and analyzed. Incident response plans and recovery procedures are updated based on the lessons learned. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
A business continuity and disaster recovery plan is documented to identify and reduce risks, limit the consequences of damaging incidents, and ensure the timely resumption of essential operations. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
The disaster recovery plan is tested on an annual basis. Infrastructure Team Infrastructure Team Manual Review annually GIT Tracking
The business continuity and disaster recovery plan and procedures are updated based on disaster recovery plan test results. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Documented change control policies and procedures are in place to guide personnel in the handling system changes. Management Management Manual Review Frequently GIT Tracking
The change management process has defined the following roles and assignments:
- Authorization of change requests-owner or business unit manager
- Development-application design and support department
- Testing-quality assurance department
- Implementation software change management group
Management Management Manual Review Quaterly GIT Tracking
System changes are communicated to both internal and external users. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
Access to implement changes in the production environment is restricted to authorized IT personnel. Infrastructure Team Infrastructure Team Manual Review Frequently GIT Tracking
System change requests are documented and tracked in a ticketing system. Management Management Manual Review Frequently GIT Tracking
System changes are tested prior to implementation. Types of testing performed depend on the nature of the change. Development team Development team Manual Review Frequently GIT Tracking
Back out procedures are documented within each change implementation to allow for rollback of changes when changes impair system operation. Development team Development team Manual Review Frequently GIT Tracking
System changes implemented to the production environment are evaluated for impact to the entity's objectives. Development team Development team Manual Review Frequently GIT Tracking
System changes implemented for remediating incidents follow the standard change management process. Development team Development team Manual Review Frequently GIT Tracking
Information security policies and procedures document the baseline requirements for configuration of IT systems and tools. Management Management Manual Review Quaterly Website
Documented change control policies and procedures are in place to guide personnel in implementing changes in an emergency situation. Management Management Manual Review Quaterly Website
Management develops third party risk mitigation strategies to address risks identified during the risk assessment process. Management Management Manual Review Frequently GIT Tracking
The entity has documented procedures for addressing issues identified with third-parties. Management Management Manual Review Quaterly Website
The entity has documented procedures for terminating third party relationships. Management Management Manual Review Quaterly Website