To continuously monitor the effectiveness of controls implemented in support of Nested Knowledge policies.

1. Policy Inventory: The organization maintains an inventory of security-related policies, and controls under said policies, that are critical for achieving its objectives.
2. Policy Owner Assignment: Each identified policy is assigned an owner, typically someone responsible for the process or activity associated with controls under the policy.
3. Control Assessment: Policy owners assess the design and operating effectiveness of their controls on an annual basis. Control assessment coincides with employee policy training.
4. Testing and Evidence: Policy owners provide evidence to support their assessments. This may include screenshots, documented procedures, transaction records, and test results. These findings will be stored for a period of 1 year.
5. Reporting: Policy owners summarize their findings, including successful compliance and deficiencies, to the combined CEO/CTO/COO committee.
6. Deficiency Resolution: If deficiencies or weaknesses are identified, the control owners are responsible for developing and implementing action plans to address these issues.