Nested Knowledge

Bringing Systematic Review to Life

User Tools

Site Tools


Control Self-Assessment


To continuously monitor the effectiveness of controls implemented in support of Nested Knowledge policies.


  1. Policy Inventory: The organization maintains an inventory of security-related policies, and controls under said policies, that are critical for achieving its objectives.
  2. Policy Owner Assignment: Each identified policy is assigned an owner, typically someone responsible for the process or activity associated with controls under the policy.
  3. Control Assessment: Policy owners assess the design and operating effectiveness of their controls on an annual basis. Control assessment coincides with employee policy training.
  4. Testing and Evidence: Policy owners provide evidence to support their assessments. This may include screenshots, documented procedures, transaction records, and test results. These findings will be stored for a period of 1 year.
  5. Reporting: Policy owners summarize their findings, including successful compliance and deficiencies, to the combined CEO/CTO/COO committee.
  6. Deficiency Resolution: If deficiencies or weaknesses are identified, the control owners are responsible for developing and implementing action plans to address these issues.

Revision History

AuthorDate of Revision/ReviewComments
K. Holub02/24/2023Drafted
wiki/policies/csa.txt · Last modified: 2023/09/28 21:01 by kholub