Information Assurance Controls

Purpose

Bramble utilizes an impartial assessment process to validate the existence and functionality of appropriate security and privacy controls, prior to a system, application or service being used in a production environment.

Scope

This control applies to the Brmbl.io and customers.gitlab.com environments. For each, lesser environments in which development and testing occur must be logically segregated from the production environments.

Ownership

This control is owned by Infrastructure.

Controls

Each control below lists its control number and title, the control statement, the goal (the question the assessment answers), the Test of Design (TOD) procedures and the Test of Operating Effectiveness (TOE) procedures.

IAO-01: Information Assurance (IA) Operations

Control Statement: Bramble Group Corp. has established mechanisms to facilitate the implementation of cybersecurity and privacy assessment and authorization security controls.

Goal: Does the organization facilitate the implementation of cybersecurity and privacy assessment and authorization controls?

TOD:
1. Examine policies, procedures or other relevant documents responsible for facilitating the implementation of separate and continuous evaluations of the cybersecurity, privacy and authorization security controls.
2. Interview key organizational personnel within Bramble to discuss the high-level workflows that support the separate and continuous evaluations of the cybersecurity, privacy and authorization security controls.
3. Examine policies and procedures for: purpose; scope; roles and responsibilities; management commitment; coordination among organizational entities; compliance; and implementation requirements.

TOE:
1. Examine the documents outlined in the TOD for evidence that the procedures facilitate the implementation of the separate and continuous evaluation of the cybersecurity, privacy and authorization security controls.
2. Examine the evaluation of the cybersecurity, privacy and authorization security controls for evidence that control development, execution and testing were continuous and in accordance with the defined test plan.

IAO-02: Assessments

Control Statement: Bramble Group Corp. has established mechanisms to formally assess, and to ensure that assessors or assessment teams have the appropriate independence to conduct, cybersecurity and privacy security control assessments in systems, applications and services through Information Assurance Program (IAP) activities, in order to determine the extent to which the security controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements for:
  • Statutory, regulatory and contractual compliance obligations;
  • Monitoring capabilities;
  • Mobile devices;
  • Databases;
  • Application security;
  • Embedded technologies (e.g., IoT, OT, etc.);
  • Vulnerability management;
  • Malicious code;
  • Insider threats; and
  • Performance/load testing.

Goal: Does the organization formally assess the cybersecurity and privacy controls in systems, applications and services through Information Assurance Program (IAP) activities to determine the extent to which the controls are implemented correctly, operating as intended and producing the desired outcome with respect to meeting expected requirements?

TOD:
1. Examine policies, procedures or other relevant documents outlining the mechanisms that exist to formally assess, and to ensure that assessors or assessment teams have appropriate independence to conduct, cybersecurity and privacy security control assessments in systems, applications and services, so as to validate that security controls are implemented correctly, operating as intended and producing the desired outcome. This includes specialized assessments for: statutory, regulatory and contractual obligations; monitoring capabilities; mobile devices; databases; application security; embedded technology; vulnerability management; malicious code; insider threats; and performance/load testing.

TOE:
1. Examine the documents outlined in the TOD for evidence that independent assessments of the cybersecurity, privacy and authorization security controls were conducted as outlined in the TOD.
2. Examine the assessors' background, team and reporting structure for evidence that the assessors or assessment teams conducting the assessments have the appropriate independence as outlined in the TOD.

IAO-04: Threat Analysis & Flaw Remediation During Development

Control Statement: Bramble Group Corp. has established mechanisms to require system developers and integrators to create and execute a Security Test and Evaluation (ST&E) plan to identify and remediate flaws during development.

Goal: Does the organization require system developers and integrators to create and execute a Security Test and Evaluation (ST&E) plan to identify and remediate flaws during development?

TOD:
1. Examine policies, procedures or other relevant documents responsible for facilitating and executing Security Test and Evaluation (ST&E) plans to identify and remediate flaws during development.
2. Interview key organizational personnel within Bramble to discuss the high-level workflows that support, facilitate and execute Security Test and Evaluation (ST&E) plans to identify and remediate flaws during development.

TOE:
1. Examine the configuration management process for the incorporation of ST&E plan creation and execution.
2. Examine the configuration mechanisms responsible for assisting and executing ST&E plans for evidence that flaws were identified and remediated during the development process.
3. Examine a sample set of ST&E plans for evidence that flaws were identified and remediated during the development process.

IAO-05: Plan of Action & Milestones (POA&M)

Control Statement: Bramble Group Corp. has established mechanisms to generate a Plan of Action and Milestones (POA&M), or similar risk register, to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities.

Goal: Is a Plan of Action and Milestones (POA&M), or a similar mechanism, used to document planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities?

TOD:
1. Examine policies, procedures or other relevant documents responsible for facilitating and generating a Plan of Action and Milestones (POA&M), or similar, to document planned remediation activities to correct weaknesses or deficiencies noted during the assessment of security controls and to reduce or eliminate known vulnerabilities.
2. Interview key organizational personnel within Bramble to discuss the high-level workflows that support, facilitate and generate a Plan of Action and Milestones (POA&M), or similar, to document planned remediation activities to correct weaknesses or deficiencies noted during the assessment of security controls and to reduce or eliminate known vulnerabilities.

TOE:
1. Pull a population of all security control assessments with noted deficiencies during the examination period.
2. Examine the security control assessments against the POA&M or similar risk register for evidence of documented and planned remedial activities as outlined in the TOD.
3. Examine a sample set of POA&M entries, or similar, for evidence of documented and planned remedial activities as outlined in the TOD.

IAO-06: Technical Verification

Control Statement: Bramble Group Corp. has established mechanisms to perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical security and privacy controls.

Goal: Does the organization perform Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical security and privacy controls?

TOD:
1. Examine policies, procedures or other relevant documents outlining the mechanisms that exist to perform ongoing Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical security and privacy controls.
2. Interview key organizational personnel within Bramble to discuss the high-level workflows that support and/or perform ongoing Information Assurance Program (IAP) activities to evaluate the design, implementation and effectiveness of technical security and privacy controls.

TOE:
1. Examine the IAP activities conducted during the examination period.
2. Examine evidence that IAP activities were ongoing and included the evaluation of the design, implementation and effectiveness of technical security and privacy controls.
  • Test of Design (TOD): verifies that a control is designed appropriately and that it will prevent or detect a particular risk.
  • Test of Operating Effectiveness (TOE): verifies that the control is in place and operates as it was designed.

Policy Reference