CTR Announcements

These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive departments who have not adopted a comparable framework for information cybersecurity and privacy controls (e.g. NIST, ISO, FISMA).

Internal controls must also include additional written procedures and protocols that outline how these policies standards are integrated into daily operations, and personnel comply with these requirements to safeguard information and systems.

That means it is not enough to “adopt” the policies and standards as part of your written system of internal controls.  Your department also needs to have internal procedures on “how” you are implementing the policies and standards for your specific environment, users and systems. IT audits will sample certain policies and standards and ask for details about your department documentation, day-to-day management, and monitoring.

Your Internal Control Officer (ICO) and IT staff can review and assist with verifying your written system of internal controls are up-to-date to support compliance goals and ensure your department is accurately completing the annual Internal Control Certification (ICC). You can find links to the policies and standards on our CTR Cyber Department Responsibilities page.

Action Steps:

• Ensure that your department is using the most current policies and standards as part of internal controls and daily operations: (EOTSS Enterprise Information Security Policies (ISP.001 – ISP.010) and EOTSS Enterprise Information Security Standards and Guidelines (IS.011 – ISP.027)
• Work with your Internal Control Officer (ICO) and your IT staff to verify that your department has detailed documentation, day-to-day management, and monitoring of these requirements.

Bookmark our new CTR Compliance Corner as your one-stop shop for alerts and success factors that you can integrate into your daily operations to keep you safe on your mission.