| Access Control | AC-1 | Access Control Policy and Procedures | Policies exist and are reviewed annually but not accepted by all departments. | Ensure all departments acknowledge and adopt the latest access control policies. | Compliance Officer | 2025-08-15 | Planned |
| Access Control | AC-2 | Account Management | Automated provisioning in place but some terminated accounts remain active. | Implement automated deactivation checks and audit terminated accounts monthly. | IT Administrator | 2025-08-20 | In Progress |
| Awareness and Training | AT-1 | Security Awareness Training Policy | Training occurs every ten years; policy requires annual training. | Update training schedule to ensure annual cybersecurity awareness sessions. | HR Manager | 2025-08-10 | Planned |
| Awareness and Training | AT-2 | Role-Based Training | Admins and developers lack specialized training despite policy requirements. | Develop and deliver role-specific training modules for technical staff. | Training Coordinator | 2025-08-18 | Planned |
| Audit and Accountability | AU-1 | Audit Policy and Procedures | Policies reviewed quarterly but mobile systems are excluded from audit scope. | Expand audit scope to include mobile systems and update procedures accordingly. | Audit Lead | 2025-08-22 | Planned |
| Audit and Accountability | AU-2 | Event Logging | Logs retained in Splunk but mobile device logs are inconsistent. | Configure mobile device logging and integrate with Splunk for consistency. | Security Engineer | 2025-08-25 | Planned |
| Configuration Management | CM-1 | Configuration Management Policy | Baseline configurations exist but enforcement is inconsistent. | Automate baseline enforcement and conduct periodic compliance checks. | Configuration Manager | 2025-08-28 | Planned |
| Configuration Management | CM-2 | Configuration Change Control | Changes tracked in Jira but emergency changes lack documentation. | Establish emergency change documentation protocol and train staff. | Change Control Officer | 2025-08-30 | Planned |