CCI-004644
CCI-004644 Definition
| Status | |
| Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
Determine if:

- findings from security assessments are responded to in accordance with organizational risk tolerance.
- findings from privacy assessments are responded to in accordance with organizational risk tolerance.
- findings from monitoring are responded to in accordance with organizational risk tolerance.
- findings from audits are responded to in accordance with organizational risk tolerance.
Validation Procedures
Examine: [SELECT FROM: Risk assessment policy; assessment reports; audit records/event logs; system security plan; privacy plan; other relevant documents or records].

Interview: [SELECT FROM: Organizational personnel with assessment and auditing responsibilities; system/network administrators; organizational personnel with security and privacy responsibilities].

Test: [SELECT FROM: Organizational processes for assessments and audits; mechanisms/tools supporting and/or implementing assessments and auditing].