myctrl.tools
Compare

PM-15Security And Privacy Groups And Associations

>Control Description

Establish and institutionalize contact with selected groups and associations within the security and privacy communities: a. To facilitate ongoing security and privacy education and training for organizational personnel; b. To maintain currency with recommended security and privacy practices, techniques, and technologies; and c. To share current security and privacy information, including threats, vulnerabilities, and incidents.

>Cross-Framework Mappings

NIST CSF 2.0

via NIST CSF 2.0 Concept Crosswalk
DE.AE-06
Compare
ID.RA-02
Compare

SOC 2 TSC

CC2.1
Compare
CC2.2
Compare
CC2.3
Compare

SCF

GOV-07
Compare
THR-01
Compare

>Supplemental Guidance

Ongoing contact with security and privacy groups and associations is important in an environment of rapidly changing technologies and threats. Groups and associations include special interest groups, professional associations, forums, news groups, users' groups, and peer groups of security and privacy professionals in similar organizations. Organizations select security and privacy groups and associations based on mission and business functions.

Organizations share threat, vulnerability, and incident information as well as contextual insights, compliance techniques, and privacy problems consistent with applicable laws, executive orders, directives, policies, regulations, standards, and guidelines.

>Related Controls

SA-11
SI-5

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern security and privacy contacts with external groups and associations?
  • How does the organization determine which external security and privacy groups to engage with?
  • Who is responsible for maintaining relationships with external security groups?
  • How is information from external groups incorporated into organizational security and privacy programs?
  • What governance exists for managing and coordinating external security and privacy relationships?

Technical Implementation:

  • What collaboration platforms or information sharing systems connect with external groups?
  • How is threat intelligence from external sources integrated into organizational tools?
  • What secure communication methods are used for external security coordination?

Evidence & Documentation:

  • Provide documentation of external security and privacy groups engaged with.
  • Provide evidence of information sharing with external groups.
  • Provide records of threat intelligence or best practices received from external sources.
  • Provide meeting minutes or reports from external security collaborations.

Ask AI

Configure your API key to use AI features.