11. Describe two controls that could help mitigate the findings in the PCI DSS audit. One control should be in the information system tier and one control should be in the Organization or Mission/Business Process level.
PREPARE TASKS—ORGANIZATION LEVEL
Table 1 provides a summary of tasks and expected outcomes for the RMF Prepare step at the organization level. Applicable Cybersecurity Framework constructs are also provided.
TABLE 1: PREPARE TASKS AND OUTCOMES—ORGANIZATION LEVEL

TASK P-1: RISK MANAGEMENT ROLES
Outcome: Individuals are identified and assigned key roles for executing the Risk Management Framework. [Cybersecurity Framework: ID.AM-6; ID.GV-2]

TASK P-2: RISK MANAGEMENT STRATEGY
Outcome: A risk management strategy for the organization that includes a determination and expression of organizational risk tolerance is established. [Cybersecurity Framework: ID.RM; ID.SC]

TASK P-3: RISK ASSESSMENT—ORGANIZATION
Outcome: An organization-wide risk assessment is completed or an existing risk assessment is updated. [Cybersecurity Framework: ID.RA; ID.SC-2]

TASK P-4: ORGANIZATIONALLY-TAILORED CONTROL BASELINES AND CYBERSECURITY FRAMEWORK PROFILES (OPTIONAL)
Outcome: Organizationally-tailored control baselines and/or Cybersecurity Framework Profiles are established and made available. [Cybersecurity Framework: Profile]

TASK P-5: COMMON CONTROL IDENTIFICATION
Outcome: Common controls that are available for inheritance by organizational systems are identified, documented, and published.

TASK P-6: IMPACT-LEVEL PRIORITIZATION (OPTIONAL)
Outcome: A prioritization of organizational systems with the same impact level is conducted. [Cybersecurity Framework: ID.AM-5]

TASK P-7: CONTINUOUS MONITORING STRATEGY—ORGANIZATION
Outcome: An organization-wide strategy for monitoring control effectiveness is developed and implemented. [Cybersecurity Framework: DE.CM; ID.SC-4]