Due Diligence and Ongoing Monitoring

  • 1.  Control Frameworks

    This message was posted by a user wishing to remain anonymous
    Posted 05-10-2021 03:52 PM

    What control frameworks are you utilizing for Third Party Due Diligence Control Assessments? Not just security focused frameworks. Are there more to consider than:

    NIST CSF
    NIST 800-35
    CIS 
    Cobit


  • 2.  RE: Control Frameworks

    Posted 05-14-2021 01:14 PM

    Hope this helps...

    [x] NIST CSF --  There is the CSF and the RMF frameworks

    [ ] NIST 800-35 -- see page iii --- which gives other NIST special publications
       [x]  I focus on 800-53 rev 5
       [x]  used 800-30, 800-53 for audits related control checks
       [x] have reviewed all the others mentioned on policy basis
    [x] CIS - definitely. I check for overlaps on other governance models
    [x] Cobit -- have taken Cobit 4/5 training 

    ------  What else?
    In New York, NY Dept of Financial Services' 23 NYCRR 500, 

       - PART 500. CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
       - FAQs: Cybersecurity Filing | Department of Financial Services (ny.gov) -- see Westlaw link in 1st paragraph for breakdown
       - Cybersecurity Resource Center | Department of Financial Services (ny.gov)
    NIST 800-53 rev 5
    NIST 800-60 (and others) on mapping data types, etc into our third party prioritization and data protecting ratings
    NIST RMF (SP-800-37 latest, updates aligned with NIST CSF, added organization wide governance and RMF tasks)
        [x] look at appendix A for all the laws, regs, policies, directives, guides, standards, etc. - maintained across releases
    NIST SP 800-64 (SDLC)
    SP 800-161 Supply Chain risk mgmt
    SP 800-61 (and others, SANS, MITRE, LIFARS, CIS, etc) Incident Handling 
    27002 and 27001 Appendix A (14 controls) - cybersecurity
    COSO -- most commonly used by SOC 2 Type II audits of service descriptions and operating controls for effectiveness during a specific period
    AICPA TSC -- governs how CPA firms must conduct a SOC report (SOC 1, SOC 2 (multiple) and SOC 3)

