<?xml version="1.0" encoding="UTF-8"?>
<standard-document xmlns="http://riboseinc.com/isoxml">
<bibdata type="standard">
<title language="en" format="text/plain">Management oversight of information security</title>
<language>en</language>
<script>Latn</script>
<status>
<stage>published</stage>
</status>
<copyright>
<from>2019</from>
</copyright>
<ext>
<doctype>article</doctype>
</ext>
</bibdata>
<sections>
<clause id="_management_oversight_of_information_security" inline-header="false" obligation="normative"><title>Management oversight of information security</title><clause id="_general" inline-header="false" obligation="normative">
<title>General</title>
<requirement id="_ec2f6222-1170-4df6-a0c7-d8d672ef8cdd"><label>/ss/584/2015/general/632</label><subject>The Cloud Service Provider’s management and board of directors</subject><classification><tag>type</tag><value>text</value></classification><description><p id="_3a2d7333-1afe-4eef-b863-4fb21b2997f6">The Cloud Service Provider’s management and board of directors shall be responsible for the following requirements and audit procedures.</p>
</description><specification exclude="true">
<p id="_56bb2c7c-d7d7-404d-b896-d7d693261f66">be responsible for the following requirements and audit procedures</p>
</specification></requirement>
</clause>
<clause id="_level_1_requirements_and_audit_procedures" inline-header="false" obligation="normative">
<title>Level 1 requirements and audit procedures</title>
<requirement id="_d94772dc-000a-4c2d-b2d5-cd5f1db45464"><label>/ss/584/2015/level/1</label><subject>The Cloud Service Provider’s management and board of directors</subject><classification><tag>type</tag><value>text</value></classification><specification exclude="false">
<ol id="_c174eaa5-0734-44fb-9fa1-9064fc9c86a8" type="arabic">
<li>
<p id="_396bb662-8e1d-4b37-a768-520c4a716cec">Managing information security risks related to people, process, technology and governance.</p>
</li>
<li>
<p id="_029829eb-b003-4324-886a-5f54fbce5199">Oversight of the effective implementation of the technology controls.</p>
</li>
<li>
<p id="_a3941a43-2825-4f50-9f68-86422734715e">Oversight of risk management practices.</p>
</li>
</ol>
</specification>
<verification exclude="false">
<ol id="_3c5b2c51-8d79-4ea1-ba5f-fc764afcc3b0" type="arabic">
<li>
<p id="_f8fd20bc-7119-4d5f-a28e-1538747b9030">Determine that the responsibilities of management and board of directors in managing and overseeing information security risks are documented and communicated.</p>
</li>
<li>
<p id="_c76c0dcd-e2c7-4ff5-9c92-81f51bf16702">Inspect documents such as meeting minutes and committee charter to identify the participants involved in the meeting or committee, their respective job functions and the reporting relationship.</p>
</li>
<li>
<p id="_26af4792-5822-4a7c-ac99-cfba67c98293">Determine whether the management and board of directors meet regularly, at an appropriate and monitored frequency.</p>
</li>
<li>
<p id="_4fb9b966-9996-422e-b528-38c05de3a175">Determine whether the information security function is headed by a Chief Information Security Officer (CISO) or similar function.</p>
</li>
</ol>
</verification></requirement>
</clause>
<clause id="_level_2_requirements_and_audit_procedures" inline-header="false" obligation="normative">
<title>Level 2 requirements and audit procedures</title>
<requirement id="_76b680ed-8a6c-41d4-84d7-db7fb9cc9794"><label>/ss/584/2015/level/2</label><inherit>/ss/584/2015/level/1</inherit><classification><tag>type</tag><value>text</value></classification><description><p id="_60324b1b-a523-499e-9af6-1b75564c8f0f">The requirements and audit procedures are the same as those in Level 1.</p>
</description><verification exclude="false"/></requirement>
</clause>
<clause id="_level_3_requirements_and_audit_procedures" inline-header="false" obligation="normative"><title>Level 3 requirements and audit procedures</title><requirement id="_8263a648-8f5b-4f3e-8cd6-985436eb5bc4"><label>/ss/584/2015/level/3</label><inherit>/ss/584/2015/level/2</inherit><classification><tag>type</tag><value>text</value></classification><description><p id="_ce035697-046f-45b3-b30a-2f3ffa600b17">The requirements are the same as those in Level 2.</p>
</description><verification exclude="false"><p id="_b4f5aa22-406f-4b5a-9dca-b88689de3989">The audit procedures are those in Level 1 and the following:</p>
<ol id="_ccef6c43-d2b1-44de-93f9-36fa09f86d31" type="arabic">
<li>
<p id="_7c402f8d-cd6e-4b77-aa39-f0b4a2821293">Verify risks have been reviewed, understood, and addressed (i.e. including a cost-benefit analysis) by management and the board.</p>
</li>
</ol></verification></requirement>
<recommendation id="_0e0966a5-fa4b-4092-8998-a5eb53290527"><label>/ogc/recommendation/wfs/2</label><subject>user</subject><description><p id="_fc73ecef-1a9c-4ebc-a989-5d81e8164086">I recommend <em>this</em>.</p>
</description><specification exclude="false"><p id="_4140573f-f699-4491-98f1-cbfbd9d12e6d">This is the object of the recommendation:</p>
<table id="_d4b657be-fa15-4e70-8c81-f68d99f53f02">
<thead>
<tr>
<th align="left">Object</th>
<th align="left">Value</th>
</tr>
</thead>
<tbody>
<tr>
<td align="left">Mission</td>
<td align="left">Accomplished</td>
</tr>
</tbody>
</table></specification><description>
<p id="_9aac04cd-1631-4966-8a6b-4ea496535a4a">As for the measurement targets,</p>
</description><measurement-target exclude="false"><p id="_bcea84b1-9b32-4b3f-8771-51aab478be49">The measurement target shall be measured as:</p>
<formula id="_684b41e3-f92b-4e29-8a0c-5b9e2e5037fb">
<stem type="MathML"><math xmlns="http://www.w3.org/1998/Math/MathML"><mfrac><mi>r</mi><mn>1</mn></mfrac><mo>=</mo><mn>0</mn></math></stem>
</formula></measurement-target>
<verification exclude="false">
<ol id="_63e5b7c9-6dd4-4b52-b81f-5fb85ee9e772" type="arabic">
<li>
<p id="_8b2962fd-e4e8-4844-a33f-32d416c8ac02">We take a measurement</p>
</li>
<li>
<p id="_c4d2ffa9-5aeb-445a-8de7-50be2e2451da">The measurement is consistent with the formula above</p>
<ol id="_86fe7f91-7177-4b39-be2a-4f1cd17b211d" type="alphabet">
<li>
<p id="_6bc31b6d-4f05-4684-a2f5-dbad0642d76b">If the measurement is not consistent with the formula above, then the verification has failed</p>
</li>
</ol>
</li>
</ol>
</verification></recommendation></clause></clause>
</sections>
</standard-document>