GRC-05: Information Security Program

Control is new to this version of the control set and incorporates the following item from the previous version: GRM-04: Management Program.

Control Statement

Develop and implement an Information Security Program, which includes programs for all the relevant domains of the CCM.

Implementation Guidance

The program should identify and assign roles, responsibilities, and management commitment. The CCM domains to address within the information security governance program include, but are not limited to:

  1. Audit and assurance
  2. Application and interface security
  3. Business continuity management and operational resilience
  4. Change control and configuration management
  5. Cryptography, encryption, and key management
  6. Datacenter security
  7. Data security and privacy lifecycle management
  8. Governance, risk management, and compliance
  9. Human resources
  10. Identity and access management
  11. Interoperability and portability
  12. Infrastructure and virtualization security
  13. Logging and monitoring
  14. Security incident management, e-discovery, and cloud forensics
  15. Supply chain management, transparency, and accountability
  16. Threat and vulnerability management
  17. Universal endpoint management

Management should promote coordination among organizational entities responsible for the different aspects of cloud security and privacy risks. Review the program as required to address threat landscape changes and substantial organization changes.

Auditing Guidance

  1. Examine the policy and/or procedures related to the Information Security Program to determine whether the organization has developed and implemented a comprehensive strategy to manage Information Security across the organization.
  2. Review the details of the information security program and establish if this covers the CCMv4 relevant domains.
  3. Confirm that identified gaps/issues are being tracked, monitored, and remediated with appropriate escalation where required.

[Note: For more information on the Cloud Controls Matrix, visit the CSA Cloud Controls Matrix Homepage.]

Cloud Controls Matrix is Copyright 2023 Cloud Security Alliance.