Compliance Controls

Purpose

Bramble oversees the execution of cybersecurity and privacy controls to create appropriate evidence of due care and due diligence, demonstrating compliance by ensuring controls are in place to be aware of and comply with all applicable statutory, regulatory and contractual compliance obligations, as well as internal company standards.

Scope

This applies to all Bramble policies and standards having a direct impact to how Bramble carries out it’s IT/Security practices.

The specific policies and standards described in the Policy Reference section below are subject to this control.

Ownership

This control is owned by Security Compliance.

Controls

Control Number	Control Title	Control Statement	Goal	TOD	TOE
CPL-01	Statutory, Regulatory & Contractual Compliance	Bramble Group Corp. has implemented mechanisms to facilitate the identification and implementation of relevant legislative statutory, regulatory and contractual security controls.	Does the organization facilitate the implementation of relevant legislative statutory, regulatory and contractual controls?	1. Identify policies and procedures responsible for identification and implementation of relevant legislative statutory, regulatory and contractual security controls. 2. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.	1. Identify applicable federal laws, Executive Orders, directives, regulations, policies, standards, contractual requirements, and guidance. 2. Examine security controls to ensure coverage of applicable federal laws, Executive Orders, directives, regulations, policies, standards, contractual requirements, and guidance.
CPL-02	Security Controls Oversight	Bramble Group Corp. has implemented mechanisms responsible for security controls oversight.	Does the organization provide a security controls oversight function?	1. Inspect security collateral for evidence of assignment of security controls oversight. 2. Interview security leadership to ensure the responsible party has the correct level of authority and autonomy to achieve program objectives.	1. Examine change control records, or other relevant records, for a sample of security control reviews, updates and management approvals.
CPL-03	Security Assessments	Bramble Group Corp. has established mechanisms to ensure team members regularly review controlled documents within their area of responsibility for accuracy and adherence to appropriate security policies, standards and other applicable requirements.	Does the organization ensure managers regularly review the processes and documented procedures within their area of responsibility to adhere to appropriate security policies, standards and other applicable requirements?	1. Examine organizational policies and procedures for the requirements and frequency of controlled document review.	1. Pull a population of all controlled documents. 2. Inspect a sample of controlled document to for evidence they are reviewed and approved in accordance to TOD.
CPL-04	Audit Activities	Bramble Group Corp. has implemented mechanisms to plan and execute compliance audits that minimize the impact of audit activities on business operations.	Does the organization plan audits that minimize the impact of audit activities on business operations?	1. Examine security documentation for a security assessment plan for the information systems. 2. Examine the security assessment plan for a description of the scope of the assessment including: security controls and sub-controls under assessment; assessment procedures to be used to determine security control effectiveness; and assessment environment, assessment team, and assessment roles and responsibilities.	1. Obtain a population of audit activities performed during the period. 2. Examine the audit activities for evidence they are executed in accordance to TOD.

• Test of Design - (TOD) – verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
• Test of Operating Effectiveness - (TOE) - used for verifying that the control is in place and it operates as it was designed.

Policy Reference

• Engineering Department Policies and Standards
  • Development Department
  • Infrastructure Department
    • Backup Policies and Backup Recovery Testing
    • Change Management
    • Disaster Recovery and Disaster Recovery - Databases
    • Incident Management
    • Production Architecture Page
  • Quality Department
  • Security Department
    • Data Classification Policy
    • Data Protection Impact Assessment (DPIA) Policy
    • Incident Response Guide
    • Bramble Password Policy Guidelines
    • Risk Management
    • Security Incident Communications Plan
    • Security Operations On-Call Guide for Major Incidents
    • Third Party Risk Management Procedure
    • Vulnerability Management
  • Support Team
  • Bramble Security Practices
    • Business Continuity Plan
    • Data Team Policies and Standards
    • Team Member Enablement Policies and Standards
      • Inventory Management
    • IT Help Team Policies and Standards
• General Policies and Standards
  • Offboarding Procedures