Back to governance document pack

Governance document

Control Register

Baseline controls, owners, frequency, evidence, status, and governance expectations.

Download PDF

CIC Control Register

Last updated: 06/01/2023

Purpose

This register defines baseline controls CIC should maintain to support security, risk, privacy, operational, and audit readiness.

Control Format

Each control should include:

  • Control ID
  • Control name
  • Control objective
  • Control owner
  • Frequency
  • Evidence
  • Related policy
  • Related risk
  • Status

Baseline Controls

Control IDControlOwnerFrequencyEvidence
CIC-AC-001Privileged access is approved before provisioning.System ownerPer requestAccess request and approval
CIC-AC-002Privileged access is reviewed quarterly.Governance adminQuarterlyAccess review record
CIC-AC-003Terminated or transferred user access is removed promptly.Operations ownerPer eventDeprovisioning record
CIC-AC-004Service accounts have named owners and limited permissions.Engineering ownerAnnualService account inventory
CIC-AC-005Organization context switching does not expose unauthorized data.Product ownerPer release sampleBrowser test evidence
CIC-AC-006Break-glass access is approved, time-bound, and reviewed.Governance adminPer eventBreak-glass record
CIC-SEC-001Security risks are tracked in a risk register.Security ownerQuarterlyRisk register
CIC-SEC-002Critical and high security risks have treatment plans.Security ownerMonthly for open itemsTreatment plan
CIC-SEC-003Security incidents are recorded and reviewed.Security ownerPer incidentIncident register
CIC-SEC-004Incident response tabletop exercise is performed.Security ownerAnnualTabletop record
CIC-SEC-005Critical assets have owners and classifications.Security ownerAnnualAsset inventory
CIC-SEC-006Security monitoring signals are reviewed for critical workflows.Security ownerMonthlyAlert or monitoring review
CIC-ENG-001Material code changes are reviewed before merge.Engineering ownerPer changePull request review
CIC-ENG-002Security-sensitive changes receive heightened review.Engineering ownerPer changePR notes or approval record
CIC-ENG-003Material changes include relevant tests.Engineering ownerPer changeTest results
CIC-ENG-004Secrets are not committed to source code.Engineering ownerContinuousSecret scan or review evidence
CIC-ENG-005Database migrations and repair scripts are reviewed and tested.Engineering ownerPer changeMigration review and test evidence
CIC-ENG-006User-facing changes receive browser validation when practical.Engineering ownerPer changeScreenshot or browser evidence
CIC-VUL-001Vulnerabilities are triaged and tracked.Security ownerContinuousVulnerability tracker
CIC-VEN-001Critical vendors are reviewed before onboarding.Vendor ownerPer onboardingVendor review
CIC-VEN-002Critical vendors are reviewed annually.Vendor ownerAnnualAnnual vendor review
CIC-VEN-003Subprocessors are documented for customer and privacy reference.Vendor ownerAnnualSubprocessor register
CIC-VEN-004Vendor incidents are tracked and assessed for CIC impact.Vendor ownerPer incidentVendor incident record
CIC-DATA-001Sensitive data access is restricted by business need.Data ownerContinuousRole matrix and access review
CIC-DATA-002Support access is limited to legitimate support purposes.Support ownerContinuousSupport access logs or tickets
CIC-DATA-003Data inventory and retention schedule are maintained.Data ownerAnnualData inventory and retention schedule
CIC-DATA-004New public data fields receive privacy and display review.Privacy ownerPer changePrivacy review record
CIC-BCP-001Critical systems have recovery expectations.Operations ownerAnnualCritical system inventory
CIC-BCP-002Recovery capability is tested for critical systems.Operations ownerAnnualRecovery test evidence
CIC-BCP-003Business impact analysis is reviewed for critical workflows.Operations ownerAnnualBIA record
CIC-GOV-001Policies are reviewed at least annually.Governance adminAnnualPolicy review records
CIC-GOV-002Exceptions are documented, approved, and time-bound.Governance adminPer exceptionException register
CIC-GOV-003Evidence calendar is reviewed monthly.Governance adminMonthlyEvidence calendar review
CIC-GOV-004Control evidence is indexed and tied to control IDs.Governance adminMonthlyEvidence repository index
CIC-GOV-005Policy changes are approved before publication.Governance adminPer policy changePolicy approval record
CIC-FIN-001Wallet and transaction-impacting changes are reviewed carefully.Finance ownerPer changeChange review and test evidence
CIC-FIN-002Financial workflow exceptions are tracked to resolution.Finance ownerPer exceptionException or remediation record
CIC-FIN-003Wallet and ledger balances are reconciled.Finance ownerMonthlyReconciliation evidence
CIC-FIN-004Financial repair and backfill scripts are approved and idempotent.Finance and engineering ownersPer repairRepair approval and before-after evidence
CIC-FIN-005Equity and ownership calculations are tested for payment accuracy.Finance and engineering ownersPer material changeTest evidence
CIC-FIN-006Financial reports and PFS outputs use current dynamic data.Finance ownerPer release sampleReport validation evidence
CIC-PRV-001Privacy requests are logged, verified, and dispositioned.Privacy ownerPer requestData rights request record
CIC-PRV-002Public profile visibility is enforced as configured.Product ownerContinuousTest evidence and profile setting records
CIC-PRV-003Public policies are reviewed and updated for material product changes.Privacy or legal ownerAnnual and per material changePolicy review record
CIC-SUP-001Sensitive support actions require user verification.Support ownerPer eventSupport verification record
CIC-SUP-002Support file requests include purpose and retention handling.Support ownerPer requestSupport ticket and file request record
CIC-SUP-003Screen sharing requires user consent and sensitive data safeguards.Support ownerPer eventScreen share consent record
CIC-SUP-004Support quality and satisfaction are reviewed.Support ownerMonthlySupport quality review
CIC-LOG-001Security-relevant logs are retained for critical workflows.Security ownerContinuousLog retention configuration or evidence
CIC-CFG-001High-risk production configuration changes are reviewed.Engineering ownerPer changeChange record
CIC-DR-001Critical system recovery expectations are documented.Operations ownerAnnualBIA and recovery target record
CIC-DPA-001Critical subprocessors are documented and reviewed.Vendor ownerAnnualSubprocessor register

Control Status

Suggested statuses:

  • Designed
  • Implemented
  • Operating
  • Needs remediation
  • Retired

Review

This register should be reviewed at least quarterly during program build-out and at least annually once mature.

Control Testing Guidance

Each control should be tested using at least one method: inquiry, inspection, observation, reperformance, configuration review, log review, or workflow testing. High-risk controls should have evidence beyond inquiry.