
BIZOPS-24 Security and Compliance Updates


What is this control about?

The security landscape changes constantly, so the organization should assign a dedicated person or team responsible for keeping up with security, privacy and compliance updates. Updates include, but are not limited to, newly disclosed vulnerabilities (for example vendor security advisories and CVE feeds), active attack campaigns, and changes to applicable regulations and standards.

Available tools in the marketplace

Tools:
 No tool recommendation for this section.

Available templates

TrustCloud has a curated list of internally or externally sourced templates to help you get started. Click on the link for a downloadable version:

Control implementation

Assign a dedicated team or person responsible for subscribing to security, privacy and regulatory news sources.

Subscribe to the relevant security, privacy and regulatory news sources (for example vendor security advisories, vulnerability feeds and regulator mailing lists).

Share any critical news with the whole organization or with the applicable departments, and retain the communication as evidence.

For NIST SP 800-171:

  • All of the above steps, plus logging each news item or update in a tracking tool
  • A documented review of each update in the tracking tool
  • Action items recorded and followed up based on the review results

What evidence do auditors look for?

Most auditors, at a minimum, look for the evidence suggested below:

  • A recent example of a security, privacy or regulatory newsletter email received, showing the sender and recipient information (and, for NIST SP 800-171, the corresponding entry in the tracking tool)

Evidence example

An example of the evidence suggested above is provided below.

Example of an email forwarded to the entire organization regarding phishing attacks.

BIZOPS 24 screenshot1
