====== Control Self-Assessment ======

===== Objective =====

To continuously monitor the effectiveness of controls implemented in support of Nested Knowledge policies.

===== Procedure =====

  - **Policy Inventory:** The organization maintains an inventory of security-related policies, and the controls under those policies, that are critical for achieving its objectives.
  - **Policy Owner Assignment:** Each identified policy is assigned an owner, typically the person responsible for the process or activity associated with the controls under that policy.
  - **Control Assessment:** Policy owners assess the design and operating effectiveness of their controls on an annual basis. Control assessment coincides with employee policy training.
  - **Testing and Evidence:** Policy owners provide evidence to support their assessments. This may include screenshots, documented procedures, transaction records, and test results. These findings will be stored for a period of 1 year.
  - **Reporting:** Policy owners summarize their findings, including successful compliance and deficiencies, to the combined CEO/CTO/COO committee.
  - **Deficiency Resolution:** If deficiencies or weaknesses are identified, the control owners are responsible for developing and implementing action plans to address these issues.

===== Revision History =====

^ Author   ^ Date of Revision/Review ^ Comments ^
| K. Holub | 02/24/2023              | Drafted  |