NOTE: The authority document "" has been copied to your account.
NOTE: The authority document is already in your account and can not be copied again.
Close
Portable Compliance Profile™
- 9070 - NFA Compliance Rules 2-9, 2-36 and 2-49: Information Systems Security Programs
- Cloud Computing Compliance Controls Catalogue (C5)
- CobiT
- FFIEC Business Continuity Planning (BCP) IT Examination Handbook
- Hong Kong Monetary Authority Supervisory Policy Manual TM-G-2 Business Continuity Planning
- IM Guidance Update: Cybersecurity Guidance
- ISO 22301: Societal Security - Business Continuity Management Systems - Requirements
- ISO 24762 Information technology - Security techniques - Guidelines for information and communications technology disaster recovery services
- ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors
- National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181
- Pandemic Response Planning Policy
- Payment Card Industry (PCI) Data Security Standard, Self-Assessment Questionnaire D and Attestation of Compliance for Service Providers
- Shared Assessments Standardized Information Gathering Questionnaire - K. Business Continuity and Disaster Recovery
-
Control NameID #
•Leadership and high level objectives00597- •Establish, implement, and maintain a reporting methodology program.02072
- •Establish, implement, and maintain communication protocols.12245
- •Align the information being disseminated and communicated with the communication requirements according to the organization's communication protocol.12419
- •Assess the effectiveness of the communication methods used in the communication protocol.12691
- •Include external requirements in the organization's communication protocol.12418
- •Report to management and stakeholders on the findings and information gathered from all types of inquiries.12797
- •Establish, implement, and maintain warning procedures that follow the organization's communication protocol.12407
- •Establish, implement, and maintain alert procedures that follow the organization's communication protocol.12406
- •Include the capturing and alerting of performance variances in the notification system.12929
- •Establish, implement, and maintain an internal reporting program.12409
- •Analyze organizational objectives, functions, and activities.00598
- •Develop instructions for setting organizational objectives and strategies.12931
- •Analyze the business environment in which the organization operates.12798
- •Identify the internal factors that may affect organizational objectives.12957
- •Include key processes in the analysis of the internal business environment.12947
- •Align assets with business functions and the business environment.13681
- •Monitor for changes which affect organizational strategies in the internal business environment.12863
- •Monitor for changes which affect organizational objectives in the internal business environment.12862
- •Analyze the external environment in which the organization operates.12799
- •Identify the external forces that may affect organizational objectives.12960
- •Monitor for changes which affect organizational strategies in the external environment.12880
- •Monitor for changes which affect organizational objectives in the external environment.12879
- •Include regulatory requirements in the analysis of the external environment.12964
- •Include legal requirements in the analysis of the external environment.12896
- •Include technology in the analysis of the external environment.12837
- •Conduct a context analysis to define objectives and strategies.12864
- •Establish, implement, and maintain organizational objectives.09959
- •Evaluate organizational objectives to determine impact on other organizational objectives.12814
- •Identify conditions that may affect organizational objectives.12958
- •Identify opportunities that could affect achieving organizational objectives.12826
- •Establish and maintain a Mission, Vision, and Values Statement.12783
- •Disseminate and communicate organizational objectives, functions, and activities to all interested personnel and affected parties.13191
- •Document and communicate the linkage between organizational objectives, functions, activities, and general controls.12398
- •Identify threats that could affect achieving organizational objectives.12827
- •Identify how opportunities, threats, and external requirements are trending.12829
- •Review the organization's approach to managing information security, as necessary.12005
- •Identify all interested personnel and affected parties.12845
- •Analyze and prioritize the requirements of interested personnel and affected parties.12796
- •Establish, implement, and maintain an information classification standard.00601
- •Take into account the organization's obligation to protect data or information when establishing information impact levels.04786
- •Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard.11997
- •Classify the criticality to unauthorized disclosure or modification of information in the information classification standard.11996
- •Classify the value of information in the information classification standard.11995
- •Establish, implement, and maintain a data classification scheme.11628
- •Establish and maintain an organizational data dictionary, including data syntax rules.00600
- •Refrain from allowing incompatible data elements in the data dictionary.13624
- •Disseminate and communicate the data dictionary to interested personnel and affected parties.13516
- •Establish, implement, and maintain an Information and Infrastructure Architecture model.00599
- •Establish, implement, and maintain sustainable infrastructure planning.00603
- •Take into account the need for protecting information confidentiality during infrastructure planning.06486
- •Monitor regulatory trends to maintain compliance.00604
- •Monitor for new Information Security solutions.07078
- •Subscribe to a threat intelligence service to receive notification of emerging threats.12135
- •Disseminate and communicate emerging threats to all interested personnel and affected parties.12185
- •Establish, implement, and maintain a Quality Management framework.07196
- •Establish, implement, and maintain a Quality Management policy.13694
- •Include critical Information Technology processes in the Quality Management framework.13645
- •Establish, implement, and maintain a Quality Management standard.01006
- •Document the measurements used by Quality Assurance and Quality Control testing.07200
- •Enforce a continuous Quality Control system.01005
- •Conduct Quality Control to ensure adherence to Information Technology policies, standards, and procedures.01008
- •Establish, implement, and maintain a Quality Management program.07201
- •Correct errors and deficiencies in a timely manner.13501
- •Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement.07203
- •Include program documentation standards in the Quality Management program.01016
- •Include program testing standards in the Quality Management program.01017
- •Review and analyze any quality improvement goals that were missed.07204
- •Include system testing standards in the Quality Management program.01018
- •Establish and maintain the scope of the organizational compliance framework and Information Assurance controls.01241
- •Define the scope of the security policy.07145
- •Correlate Information Systems with applicable controls.01621
- •Establish, implement, and maintain a policy and procedure management program.06285
- •Include requirements in the organization’s policies, standards, and procedures.12956
- •Analyze organizational policies, as necessary.14037
- •Establish and maintain an Authority Document list.07113
- •Map in scope assets and in scope records to external requirements.12189
- •Document organizational procedures that harmonize external requirements, including all legal requirements.00623
- •Establish, implement, and maintain full documentation of all policies, standards, and procedures that support the organization's compliance framework.01636
- •Disseminate and communicate the organization’s policies, standards, and procedures to all interested personnel and affected parties.12901
- •Disseminate and communicate the list of Authority Documents that support the organization's compliance framework to interested personnel and affected parties.01312
- •Approve all compliance documents.06286
- •Align the Authority Document list with external requirements.06288
- •Assign the appropriate roles to all applicable compliance documents.06284
- •Establish, implement, and maintain a compliance exception standard.01628
- •Include all compliance exceptions in the compliance exception standard.01630
- •Include explanations, compensating controls, or risk acceptance in the compliance exceptions Exceptions document.01631
- •Review the compliance exceptions in the exceptions document, as necessary.01632
- •Disseminate and communicate compliance documents to all interested personnel and affected parties.06282
- •Disseminate and communicate any compliance document changes when the documents are updated to interested personnel and affected parties.06283
- •Define the Information Assurance strategic roles and responsibilities.00608
- •Establish and maintain a compliance oversight committee.00765
- •Include recommendations for changes or updates to the information security program in the Board Report.13180
- •Provide critical project reports to the compliance oversight committee in a timely manner.01183
- •Assign the corporate governance of Information Technology to the compliance oversight committee.01178
- •Involve the Board of Directors or senior management in Information Governance.00609
- •Address Information Security during the business planning processes.06495
- •Document the requirements of stakeholders during the business planning process regarding Information Security.06498
- •Establish, implement, and maintain a strategic plan.12784
- •Determine progress toward the objectives of the strategic plan.12944
- •Include acting with integrity in the strategic plan.12870
- •Include the outsource partners in the strategic plan, as necessary.13960
- •Align the cybersecurity program strategy with the organization's strategic plan.14322
- •Establish, implement, and maintain a decision management strategy.06913
- •Include an economic impact analysis in the decision management strategy.14015
- •Include cost benefit analysis in the decision management strategy.14014
- •Include criteria for risk tolerance in the decision-making criteria.12950
- •Align organizational objectives with performance targets in the decision-making criteria.12843
- •Align organizational objectives with the acceptable residual risk in the decision-making criteria.12841
- •Create additional decision-making criteria to achieve organizational objectives, as necessary.12948
- •Involve knowledgeable and experienced individuals in the decision-making process.06915
- •Take actions in accordance with the decision-making criteria.12909
- •Document and evaluate the decision outcomes from the decision-making process.06918
- •Establish, implement, and maintain an information technology process framework.13648
- •Include maturity models in the Information Technology process framework.13652
- •Include relationships between Information Technology process structures in the Information Technology process framework.13651
- •Include Information Technology process structures in the Information Technology process framework.13650
- •Establish, implement, and maintain a Strategic Information Technology Plan.00628
- •Include business continuity objectives in the Strategic Information Technology Plan.06496
- •Align business continuity objectives with the business continuity policy.12408
- •Use a risk-based approach to adapt the Strategic Information Technology Plan to the business's needs.00631
- •Mirror the organization's business strategy during Information Technology planning in the Strategic Information Technology Plan.00630
- •Incorporate protecting restricted information from unauthorized information flow or unauthorized disclosure into the Strategic Information Technology Plan.06491
- •Establish, implement, and maintain tactical Information Technology plans in support of the Strategic Information Technology Plan.00632
- •Establish, implement, and maintain tactical Information Technology plans derived from the Strategic Information Technology Plan.01609
- •Document how each Information Technology project plan directly or indirectly supports the Strategic Information Technology Plan.06497
- •Document the business case and return on investment in each Information Technology project plan.06846
- •Document all desired outcomes for a proposed project in the Information Technology project plan.06916
- •Assign senior management to approve business cases.13068
- •Include milestones for each project phase in the Information Technology project plan.12621
- •Document lessons learned at the conclusion of each Information Technology project.13654
- •Establish, implement, and maintain Information Technology projects in support of the Strategic Information Technology Plan.13673
- •Disseminate and communicate the Information Technology Plans to all interested personnel and affected parties.00633
- •Monitor and evaluate the implementation and effectiveness of Information Technology Plans.00634
- •Establish and maintain an Information Technology plan status report that covers both Strategic Information Technology Plans and tactical Information Technology plans.06839
- •Include significant security risks in the Information Technology Plan status reports.06939
- •Include significant risk mitigations in the Information Technology Plan status reports.06841
- •Review and approve the Strategic Information Technology Plan at the level of senior management or the Board of Directors.13094
- •Establish, implement, and maintain a Governance, Risk, and Compliance awareness and training program.06492
- •Establish and maintain a rapport with business and technical communities throughout the organization to promote the value and importance of Information Security.06493
- •Establish, implement, and maintain a financial management program.13228
- •Establish, implement, and maintain financial reports.14770
- •Monitoring and measurement00636
- •Monitor the usage and capacity of critical assets.14825
- •Monitor the usage and capacity of Information Technology assets.00668
- •Monitor systems for errors and faults.04544
- •Compare system performance metrics to organizational standards and industry benchmarks.00667
- •Establish, implement, and maintain Security Control System monitoring and reporting procedures.12506
- •Include detecting and reporting the failure of a change detection mechanism in the Security Control System monitoring and reporting procedures.12525
- •Include detecting and reporting the failure of audit logging in the Security Control System monitoring and reporting procedures.12513
- •Include detecting and reporting the failure of an anti-malware solution in the Security Control System monitoring and reporting procedures.12512
- •Include detecting and reporting the failure of a segmentation control in the Security Control System monitoring and reporting procedures.12511
- •Include detecting and reporting the failure of a physical access control in the Security Control System monitoring and reporting procedures.12510
- •Include detecting and reporting the failure of a logical access control in the Security Control System monitoring and reporting procedures.12509
- •Include detecting and reporting the failure of an Intrusion Detection and Prevention System in the Security Control System monitoring and reporting procedures.12508
- •Include detecting and reporting the failure of a firewall in the Security Control System monitoring and reporting procedures.12507
- •Establish, implement, and maintain Responding to Failures in Security Controls procedures.12514
- •Include resuming security system monitoring and logging operations in the Responding to Failures in Security Controls procedure.12521
- •Include implementing mitigating controls to prevent the root cause of the failure of a security control in the Responding to Failures in Security Controls procedure.12520
- •Include correcting security issues caused by the failure of a security control in the Responding to Failures in Security Controls procedure.12518
- •Include documenting the duration of the failure of a security control in the Responding to Failures in Security Controls procedure.12517
- •Include restoring security functions in the Responding to Failures in Security Controls procedure.12515
- •Establish, implement, and maintain logging and monitoring operations.00637
- •Enable monitoring and logging operations on all assets that meet the organizational criteria to maintain event logs.06312
- •Review and approve the use of continuous security management systems.13181
- •Protect continuous security management systems from unauthorized use.13097
- •Establish, implement, and maintain intrusion management operations.00580
- •Install and maintain an Intrusion Detection System and/or Intrusion Prevention System.00581
- •Monitor systems for inappropriate usage and other security violations.00585
- •Monitor systems for access to restricted data or restricted information.04721
- •Assign roles and responsibilities for overseeing access to restricted data or restricted information.11950
- •Detect unauthorized access to systems.06798
- •Alert interested personnel when suspicious activity is detected by an Intrusion Detection System or Intrusion Prevention System.06430
- •Update the intrusion detection capabilities and the incident response capabilities regularly.04653
- •Document and communicate the log locations to the owning entity.12047
- •Make logs available for review by the owning entity.12046
- •Operationalize key monitoring and logging concepts to ensure the audit trails capture sufficient information.00638
- •Establish, implement, and maintain event logging procedures.01335
- •Include a standard to collect and interpret event logs in the event logging procedures.00643
- •Compile the event logs of multiple components into a system-wide time-correlated audit trail.01424
- •Review and update event logs and audit logs, as necessary.00596
- •Eliminate false positives in event logs and audit logs.07047
- •Correlate log entries to security controls to verify the security control's effectiveness.13207
- •Identify cybersecurity events in event logs and audit logs.13206
- •Follow up exceptions and anomalies identified when reviewing logs.11925
- •Enable logging for all systems that meet a traceability criteria.00640
- •Synchronize system clocks to an accurate and universal time source on all devices.01340
- •Centralize network time servers to as few as practical.06308
- •Include logging frequencies in the event logging procedures.00642
- •Monitor and evaluate system performance.00651
- •Monitor for and react to when suspicious activities are detected.00586
- •Assess customer satisfaction.00652
- •Establish, implement, and maintain a continuous monitoring program for configuration management.06757
- •Establish, implement, and maintain an automated configuration monitoring system.07058
- •Monitor for and report when a software configuration is updated.06746
- •Implement file integrity monitoring.01205
- •Identify unauthorized modifications during file integrity monitoring.12096
- •Alert interested personnel and affected parties when an unauthorized modification to critical files is detected.12045
- •Monitor and evaluate user account activity.07066
- •Develop and maintain a usage profile for each user account.07067
- •Log account usage to determine dormant accounts.12118
- •Log account usage durations.12117
- •Establish, implement, and maintain a risk monitoring program.00658
- •Monitor the organization's exposure to threats, as necessary.06494
- •Implement a fraud detection system.13081
- •Monitor for new vulnerabilities.06843
- •Establish, implement, and maintain a compliance testing strategy.00659
- •Establish, implement, and maintain a self-assessment approach as part of the compliance testing strategy.12833
- •Establish, implement, and maintain a system security plan.01922
- •Create specific test plans to test each system component.00661
- •Validate all testing assumptions in the test plans.00663
- •Include error details, identifying the root causes, and mitigation actions in the testing procedures.11827
- •Determine the appropriate assessment method for each testing process in the test plan.00665
- •Implement automated audit tools.04882
- •Assign senior management to approve test plans.13071
- •Analyze system audit reports and determine the need to perform more tests.00666
- •Establish, implement, and maintain a testing program.00654
- •Conduct Red Team exercises, as necessary.12131
- •Test security systems and associated security procedures, as necessary.11901
- •Employ third parties to carry out testing programs, as necessary.13178
- •Define the test requirements for each testing program.13177
- •Scan organizational networks for rogue devices.00536
- •Scan the network for wireless access points.00370
- •Document the business need justification for authorized wireless access points.12044
- •Scan wireless networks for rogue devices.11623
- •Implement incident response procedures when rogue devices are discovered.11880
- •Disseminate and communicate the testing program to all interested personnel and affected parties.11871
- •Establish, implement, and maintain a penetration test program.01105
- •Align the penetration test program with industry standards.12469
- •Assign penetration testing to a qualified internal resource or external third party.06429
- •Establish, implement, and maintain a penetration testing methodology that validates scope-reduction controls through network segmentation.11958
- •Retain penetration test results according to internal policy.10049
- •Retain penetration test remediation action records according to internal policy.11629
- •Perform penetration tests, as necessary.00655
- •Perform internal penetration tests, as necessary.12471
- •Perform external penetration tests, as necessary.12470
- •Include coverage of all in scope systems during penetration testing.11957
- •Test the system for broken access controls.01319
- •Test the system for insecure configuration management.01327
- •Perform network-layer penetration testing on all systems, as necessary.01277
- •Perform application-layer penetration testing on all systems, as necessary.11630
- •Perform penetration testing on segmentation controls, as necessary.12498
- •Verify segmentation controls are operational and effective.12545
- •Repeat penetration testing, as necessary.06860
- •Establish, implement, and maintain a vulnerability management program.15721
- •Establish, implement, and maintain a vulnerability assessment program.11636
- •Perform vulnerability scans, as necessary.11637
- •Repeat vulnerability scanning, as necessary.11646
- •Identify and document security vulnerabilities.11857
- •Rank discovered vulnerabilities.11940
- •Assign vulnerability scanning to qualified personnel or external third parties.11638
- •Correlate vulnerability scan reports from the various systems.10636
- •Perform internal vulnerability scans, as necessary.00656
- •Repeat vulnerability scanning after an approved change occurs.12468
- •Perform external vulnerability scans, as necessary.11624
- •Employ an approved third party to perform external vulnerability scans on the organization's systems.12467
- •Meet the requirements for a passing score during an external vulnerability scan or rescan.12039
- •Perform vulnerability assessments, as necessary.11828
- •Review applications for security vulnerabilities after the application is updated.11938
- •Recommend mitigation techniques based on vulnerability scan reports.11639
- •Recommend mitigation techniques based on penetration test results.04881
- •Correct or mitigate vulnerabilities.12497
- •Establish, implement, and maintain an exception management process for vulnerabilities that cannot be remediated.13859
- •Establish, implement, and maintain a service management monitoring and metrics program.13916
- •Monitor service availability when implementing the service management monitoring and metrics program.13921
- •Establish, implement, and maintain a compliance monitoring policy.00671
- •Establish, implement, and maintain a metrics policy.01654
- •Establish, implement, and maintain an approach for compliance monitoring.01653
- •Establish, implement, and maintain risk management metrics.01656
- •Identify information being used to support the performance of the governance, risk, and compliance capability.12866
- •Monitor personnel and third parties for compliance to the organizational compliance framework.04726
- •Identify and document instances of non-compliance with the compliance framework.06499
- •Align enforcement reviews for non-compliance with organizational risk tolerance.13063
- •Determine the causes of compliance violations.12401
- •Identify and document events surrounding non-compliance with the organizational compliance framework.12935
- •Determine if multiple compliance violations of the same type could occur.12402
- •Correct compliance violations.13515
- •Review the effectiveness of disciplinary actions carried out for compliance violations.12403
- •Carry out disciplinary actions when a compliance violation is detected.06675
- •Align disciplinary actions with the level of compliance violation.12404
- •Establish, implement, and maintain compliance program metrics.11625
- •Establish, implement, and maintain a Business Continuity metrics program.01663
- •Establish, implement, and maintain a metrics standard and template.02157
- •Monitor compliance with the Quality Control system.01023
- •Establish, implement, and maintain a policies and controls metrics program.01666
- •Establish, implement, and maintain a security roles and responsibilities metrics program.01667
- •Establish, implement, and maintain an information risk threshold metrics program.01694
- •Establish, implement, and maintain an Information Systems architecture metrics program.02059
- •Establish, implement, and maintain a technical measurement metrics policy.01655
- •Establish, implement, and maintain a software change management metrics program.02081
- •Establish, implement, and maintain a network management and firewall management metrics program.02082
- •Establish, implement, and maintain an incident management and vulnerability management metrics program.02085
- •Report on the percentage of systems affected by security incidents that exploited existing security vulnerabilities with known solutions, patches, or workarounds.02126
- •Establish, implement, and maintain a log management program.00673
- •Restrict access to logs to authorized individuals.01342
- •Restrict access to audit trails to a need to know basis.11641
- •Back up audit trails according to backup procedures.11642
- •Copy logs from all predefined hosts onto a log management infrastructure.01346
- •Protect logs from unauthorized activity.01345
- •Perform testing and validating activities on all logs.06322
- •Archive the audit trail in accordance with compliance requirements.00674
- •Monitor the performance of the governance, risk, and compliance capability.12857
- •Establish, implement, and maintain a corrective action plan.00675
- •Include monitoring in the corrective action plan.11645
- •Report compliance monitoring statistics to the Board of Directors and other critical stakeholders, as necessary.00676
- •Report actions taken on known security issues to the Board of Directors or Senior Executive Committee on a regular basis.12330
- •Report known security issues to interested personnel and affected parties on a regular basis.12329
- •Protect against misusing automated audit tools.04547
- •Evaluate the measurement process used for metrics.06920
- •Provide intelligence support to the organization, as necessary.14020
- •Submit or respond to deconfliction requests regarding cyberspace operations, as necessary.14269
- •Perform intelligence operations on target systems and networks, as necessary.14039
- •Establish, implement, and maintain a Technical Surveillance Countermeasures program.11401
- •Determine the need for Technical Surveillance Countermeasures.11402
- •Determine the need for recurring Technical Surveillance Countermeasures.11409
- •Conduct recurring Technical Surveillance Countermeasures based on implemented security measures.11411
- •Conduct recurring Technical Surveillance Countermeasures based on information received from counterintelligence operations.11413
- •Provide targeting support for the intelligence collection strategy.14268
- •Provide targeting products to support the intelligence collection strategy.14267
- •Establish, implement, and maintain an intelligence collection strategy.14017
- •Include managing intelligence requirements in the intelligence collection strategy.14321
- •Establish and maintain target lists, as necessary.14266
- •Collect threat intelligence, as necessary.14064
- •Identify and document intelligence collection shortfalls.14078
- •Establish, implement, and maintain Technical Surveillance Countermeasures support request procedures.11414
- •Establish, implement, and maintain Technical Surveillance Countermeasure support request submission procedures.11435
- •Supply documented evidence of a technical penetration when requesting Technical Surveillance Countermeasure support.11415
- •Establish, implement, and maintain cyber threat intelligence tools.12696
- •Leverage cyber threat intelligence when employing Technical Surveillance Countermeasures.12697
- •Evaluate cyber threat intelligence.12747
- •Conduct Technical Surveillance Countermeasures.11442
- •Create a Technical Surveillance Countermeasure survey report after completion of a Technical Surveillance Countermeasure survey.11445
- •Include the geographic location in the Technical Surveillance Countermeasure survey report.11456
- •Conduct joint Technical Surveillance Countermeasure exercises.11448
- •Develop and maintain guidance on gathering intelligence on technical penetrations and Technical Surveillance Countermeasures.11477
- •Communicate threat intelligence to interested personnel and affected parties.14016
- •Audits and risk management00677
- •Establish, implement, and maintain a Statement of Compliance.12499
- •Include a commitment to comply with recommendations from applicable statutory bodies in the Statement of Compliance.12371
- •Include a commitment to cooperate with applicable statutory bodies in the Statement of Compliance.12370
- •Include a Statement of Compliance in the tactical Information Technology plan.06842
- •Define the roles and responsibilities for personnel assigned to tasks in the Audit function.00678
- •Manage supply chain audits.01203
- •Define and assign the external auditor's roles and responsibilities.00683
- •Retain copies of external auditor outsourcing contracts and engagement letters.01188
- •Include the scope and work to be performed in external auditor outsourcing contracts.01190
- •Conduct a performance review of the external auditor's performance during the audit process.01198
- •Establish, implement, and maintain an audit program.00684
- •Assign the audit to impartial auditors.07118
- •Exercise due professional care during the planning and performance of the audit.07119
- •Include provisions for legislative plurality and legislative domain in the audit program.06959
- •Include agreement to the audit scope and audit terms in the audit program.06965
- •Include audit subject matter in the audit program.07103
- •Establish and maintain audit assertions, as necessary.14871
- •Include the in scope risk assessment processes in the audit assertion.06975
- •Include how access to in scope systems, personnel and in scope records are provided to the auditor in the audit terms.06988
- •Accept the attestation engagement when all preconditions are met.13933
- •Audit in scope audit items and compliance documents.06730
- •Audit policies, standards, and procedures.12927
- •Audit cybersecurity risk management within the policies, standards, and procedures of the organization.13011
- •Audit information systems, as necessary.13010
- •Audit the potential costs of compromise to information systems.13012
- •Determine if the audit assertion's in scope controls are reasonable.06980
- •Document test plans for auditing in scope controls.06985
- •Determine the effectiveness of in scope controls.06984
- •Review incident management audit logs to determine the effectiveness of in scope controls.12157
- •Audit the in scope system according to the test plan using relevant evidence.07112
- •Investigate the nature and causes of identified in scope control deviations.06986
- •Supervise interested personnel and affected parties participating in the audit.07150
- •Respond to questions or clarification requests regarding the audit.08902
- •Track and measure the implementation of the organizational compliance framework.06445
- •Establish and maintain organizational audit reports.06731
- •Include the scope and work performed in the audit report.11621
- •Review the adequacy of the internal auditor's audit reports.11620
- •Review past audit reports.01155
- •Disseminate and communicate the audit report to all interested personnel and affected parties identified in the distribution list.07117
- •Disseminate and communicate the reviews of audit reports to organizational management.00653
- •Review the issues of non-compliance from past audit reports.01148
- •Submit an audit report that is complete.01145
- •Implement a corrective action plan in response to the audit report.06777
- •Assign responsibility for remediation actions.13622
- •Review management's response to issues raised in past audit reports.01149
- •Define penalties for uncorrected audit findings or remaining non-compliant with the audit report.08963
- •Assess the quality of the audit program in regards to the staff and their qualifications.01150
- •Review the audit program scope as it relates to the organization's profile.01159
- •Assess the quality of the audit program in regards to its documentation.11622
- •Establish, implement, and maintain the audit plan.01156
- •Establish, implement, and maintain an audit schedule for the audit program.13158
- •Establish, implement, and maintain a risk management program.12051
- •Integrate the risk management program with the organization's business activities.13661
- •Integrate the risk management program into daily business decision-making.13659
- •Establish, implement, and maintain risk management strategies.13209
- •Include the use of alternate service providers in the risk management strategies.13217
- •Establish, implement, and maintain the risk assessment framework.00685
- •Define and assign the roles and responsibilities for the risk assessment framework, as necessary.06456
- •Establish, implement, and maintain a risk assessment program.00687
- •Address past incidents in the risk assessment program.12743
- •Establish and maintain the factors and context for risk to the organization.12230
- •Establish, implement, and maintain a financial plan to support the risk management strategy.12786
- •Address cybersecurity risks in the risk assessment program.13193
- •Establish, implement, and maintain risk assessment procedures.06446
- •Employ risk assessment procedures that follow legal requirements and contractual obligations when risk profiling.06472
- •Employ risk assessment procedures that align with strategic objectives.06474
- •Include compliance with disposition requirements in the risk assessment procedures.12342
- •Establish, implement, and maintain a threat and risk classification scheme.07183
- •Employ risk assessment procedures that include appropriate risk treatment options for each identified risk.06484
- •Include security threats and vulnerabilities in the threat and risk classification scheme.00699
- •Categorize the systems, information, and data by risk profile in the threat and risk classification scheme.01443
- •Include risks to critical personnel and assets in the threat and risk classification scheme.00698
- •Include the environments that call for risk assessments in the risk assessment program.06448
- •Include the process for defining the scope of each risk assessment in the risk assessment program.06462
- •Include the roles and responsibilities involved in risk assessments in the risk assessment program.06450
- •Perform risk assessments for all target environments, as necessary.06452
- •Include the results of the risk assessment in the risk assessment report.06481
- •Update the risk assessment upon discovery of a new threat.00708
- •Update the risk assessment upon changes to the risk profile.11627
- •Disseminate and communicate the approved risk assessment report to interested personnel and affected parties.10633
- •Establish, implement, and maintain a risk assessment awareness and training program.06453
- •Disseminate and communicate information about risks to all interested personnel and affected parties.06718
- •Correlate the business impact of identified risks in the risk assessment report.00686
- •Conduct a Business Impact Analysis, as necessary.01147
- •Include tolerance to downtime in the Business Impact Analysis report.01172
- •Establish, implement, and maintain a risk register.14828
- •Document organizational risk tolerance in a risk register.09961
- •Review the Business Impact Analysis, as necessary.12774
- •Analyze and quantify the risks to in scope systems and information.00701
- •Establish and maintain a Risk Scoping and Measurement Definitions Document.00703
- •Assess the potential level of business impact risk associated with each business process.06463
- •Assess the potential level of business impact risk associated with the business environment.06464
- •Assess the potential level of business impact risk associated with business information of in scope systems.06465
- •Assess the potential level of business impact risk associated with external entities.06469
- •Establish a risk acceptance level that is appropriate to the organization's risk appetite.00706
- •Select the appropriate risk treatment option for each identified risk in the risk register.06483
- •Disseminate and communicate the risk acceptance level in the risk treatment plan to all interested personnel and affected parties.06849
- •Perform a gap analysis to review in scope controls for identified risks and implement new controls, as necessary.00704
- •Prioritize and select controls based on the risk assessment findings.00707
- •Determine the effectiveness of risk control measures.06601
- •Establish, implement, and maintain a risk treatment plan.11983
- •Include the risk treatment strategy in the risk treatment plan.12159
- •Approve the risk treatment plan.13495
- •Integrate the corrective action plan based on the risk assessment findings with other risk management activities.06457
- •Document and communicate a corrective action plan based on the risk assessment findings.00705
- •Review and approve the risk assessment findings.06485
- •Include risk responses in the risk management program.13195
- •Document residual risk in a residual risk report.13664
- •Establish, implement, and maintain a cybersecurity risk management strategy.11991
- •Include a risk prioritization approach in the Cybersecurity Risk Management Strategy.12276
- •Disseminate and communicate the risk management policy to interested personnel and affected parties.13792
- •Technical security00508
- •Establish, implement, and maintain an access classification scheme.00509
- •Include restricting access to confidential data or restricted information to a need to know basis in the access classification scheme.00510
- •Include business security requirements in the access classification scheme.00002
- •Interpret and apply security requirements based upon the information classification of the system.00003
- •Include third party access in the access classification scheme.11786
- •Establish, implement, and maintain security classifications for organizational assets.00005
- •Limit the use of resources by priority.01448
- •Establish, implement, and maintain a digital identity management program.13713
- •Establish, implement, and maintain digital identification procedures.13714
- •Implement digital identification processes.13731
- •Implement identity proofing processes.13719
- •Validate proof of identity during the identity proofing process.13756
- •Verify proof of identity records.13761
- •Establish, implement, and maintain federated identity systems.13837
- •Authenticate all systems in a federated identity system.13835
- •Send and receive authentication assertions, as necessary.13839
- •Validate each element within the authentication assertion.13853
- •Validate the digital signature in the authentication assertion.13869
- •Establish, implement, and maintain an access control program.11702
- •Include instructions to change authenticators as often as necessary in the access control program.11931
- •Include guidance for how users should protect their authentication credentials in the access control program.11929
- •Include guidance on selecting authentication credentials in the access control program.11928
- •Establish, implement, and maintain access control policies.00512
- •Disseminate and communicate the access control policies to all interested personnel and affected parties.10061
- •Establish, implement, and maintain an access rights management plan.00513
- •Identify information system users.12081
- •Review user accounts.00525
- •Control access rights to organizational assets.00004
- •Configure access control lists in accordance with organizational standards.16465
- •Add all devices requiring access control to the Access Control List.06264
- •Disallow application IDs from running as privileged users.10050
- •Define roles for information systems.12454
- •Define access needs for each role assigned to an information system.12455
- •Define access needs for each system component of an information system.12456
- •Define the level of privilege required for each system component of an information system.12457
- •Establish access rights based on least privilege.01411
- •Assign user permissions based on job responsibilities.00538
- •Assign user privileges after they have management sign off.00542
- •Separate processing domains to segregate user privileges and enhance information flow control.06767
- •Establish, implement, and maintain lockout procedures or lockout mechanisms to be triggered after a predetermined number of consecutive logon attempts.01412
- •Establish, implement, and maintain session lock capabilities.01417
- •Limit concurrent sessions according to account type.01416
- •Enable access control for objects and users on each system.04553
- •Include all system components in the access control system.11939
- •Set access control for objects and users to "deny all" unless explicitly authorized.06301
- •Enable role-based access control for objects and users on information systems.12458
- •Assign Information System access authorizations if implementing segregation of duties.06323
- •Enforce access restrictions for change control.01428
- •Enforce access restrictions for restricted data.01921
- •Perform a risk assessment prior to activating third party access to the organization's critical systems.06455
- •Activate third party maintenance accounts and user identifiers, as necessary.04262
- •Control user privileges.11665
- •Review all user privileges, as necessary.06784
- •Revoke asset access when a personnel status change occurs or an individual is terminated.00516
- •Review and update accounts and access rights when notified of personnel status changes.00788
- •Establish, implement, and maintain User Access Management procedures.00514
- •Establish, implement, and maintain an authority for access authorization list.06782
- •Review and approve logical access to all assets based upon organizational policies.06641
- •Control the addition and modification of user identifiers, user credentials, or other authenticators.00515
- •Assign roles and responsibilities for administering user account management.11900
- •Automate access control methods, as necessary.11838
- •Refrain from allowing user access to identifiers and authenticators used by applications.10048
- •Remove inactive user accounts, as necessary.00517
- •Establish, implement, and maintain user accounts in accordance with the organizational Governance, Risk, and Compliance framework.00526
- •Document the business need justification for authentication data storage.06325
- •Establish, implement, and maintain access control procedures.11663
- •Grant access to authorized personnel or systems.12186
- •Document approving and granting access in the access control log.06786
- •Include digital identification procedures in the access control program.11841
- •Employ unique identifiers.01273
- •Disseminate and communicate user identifiers and authenticators using secure communication protocols.06791
- •Include instructions to refrain from using previously used authenticators in the access control program.11930
- •Authenticate user identities before manually resetting an authenticator.04567
- •Require proper authentication for user identifiers.11785
- •Assign authenticators to user accounts.06855
- •Assign authentication mechanisms for user account authentication.06856
- •Refrain from allowing individuals to share authentication mechanisms.11932
- •Limit account credential reuse as a part of digital identification procedures.12357
- •Use biometric authentication for identification and authentication, as necessary.06857
- •Identify and control all network access controls.00529
- •Establish, implement, and maintain a network configuration standard.00530
- •Establish, implement, and maintain a network security policy.06440
- •Maintain up-to-date network diagrams.00531
- •Maintain up-to-date data flow diagrams.10059
- •Use an active asset inventory discovery tool to identify sensitive information for data flow diagrams.13737
- •Manage all internal network connections.06329
- •Secure the Domain Name System.00540
- •Implement segregation of duties.11843
- •Establish, implement, and maintain a Boundary Defense program.00544
- •Refrain from disclosing private Internet Protocol addresses and routing information, unless necessary.11891
- •Authorize the disclosure of private Internet Protocol addresses and routing information to external entities.12034
- •Segregate systems in accordance with organizational standards.12546
- •Segregate servers that contain restricted data or restricted information from direct public access.00533
- •Restrict inbound network traffic into the Demilitarized Zone.01285
- •Segregate applications and databases that contain restricted data or restricted information in an internal network zone.01289
- •Establish, implement, and maintain a network access control standard.00546
- •Include assigned roles and responsibilities in the network access control standard.06410
- •Employ firewalls to secure network connections between trusted networks and untrusted networks, as necessary.11821
- •Place firewalls between all security domains and between any Demilitarized Zone and internal network zones.01274
- •Place firewalls between wireless networks and applications or databases that contain restricted data or restricted information.01293
- •Establish, implement, and maintain a firewall and router configuration standard.00541
- •Include testing and approving all network connections through the firewall in the firewall and router configuration standard.01270
- •Include compensating controls implemented for insecure protocols in the firewall and router configuration standard.11948
- •Include reviewing the rulesets for firewalls and routers in the firewall and router configuration standard, as necessary.11903
- •Include restricting inbound network traffic in the firewall and router configuration standard.11960
- •Include restricting outbound network traffic in the firewall and router configuration standard.11961
- •Include requirements for a firewall at each Internet connection and between any demilitarized zone and the internal network zone in the firewall and router configuration standard.12435
- •Include network diagrams that identify connections between all subnets and wireless networks in the firewall and router configuration standard.12434
- •Include network diagrams that identify storage or processing locations of all restricted data in the firewall and router configuration standard.12426
- •Include a protocols, ports, applications, and services list in the firewall and router configuration standard.00537
- •Include approval of the protocols, ports, applications, and services list in the firewall and router configuration standard.12547
- •Include justifying the use of risky protocols in the protocols, ports, applications, and services list in the firewall and router configuration standard.01280
- •Document and implement security features for each identified insecure service, protocol, and port in the protocols, ports, applications, and services list.12033
- •Identify the insecure services, protocols, and ports in the protocols, ports, applications, and services list in the firewall and router configuration.12032
- •Install and configure firewalls to be enabled on all mobile devices, if possible.00550
- •Lock personal firewall configurations to prevent them from being disabled or changed by end users.06420
- •Configure network access and control points to protect restricted data or restricted information.01284
- •Configure firewalls to deny all traffic by default, except explicitly designated traffic.00547
- •Configure firewalls to perform dynamic packet filtering.01288
- •Configure firewall filtering to only permit established connections into the network.12482
- •Restrict outbound network traffic from systems that contain restricted data or restricted information.01295
- •Synchronize and secure all router configuration files.01291
- •Configure firewalls to generate an audit log.12038
- •Configure network access and control points to organizational standards.12442
- •Install and configure application layer firewalls for all key web-facing applications.01450
- •Update application layer firewalls to the most current version.12037
- •Establish, implement, and maintain a Wireless Local Area Network Configuration Management program.01646
- •Configure Intrusion Detection Systems and Intrusion Prevention Systems to continuously check and send alerts for rogue devices connected to Wireless Local Area Networks.04830
- •Enforce information flow control.11781
- •Establish, implement, and maintain information flow control configuration standards.01924
- •Require the system to identify and authenticate approved devices before establishing a connection.01429
- •Perform content filtering scans on network traffic.06761
- •Use content filtering scans to identify information flows by data type usage.11818
- •Document information flow anomalies that do not fit normal traffic patterns.12163
- •Constrain the information flow of restricted data or restricted information.06763
- •Restrict access to restricted data and restricted information on a need to know basis.12453
- •Establish, implement, and maintain information flow control policies inside the system and between interconnected systems.01410
- •Establish, implement, and maintain a document printing policy.14384
- •Include printing to personal printers during a continuity event in the document printing policy.14396
- •Establish, implement, and maintain information flow procedures.04542
- •Establish, implement, and maintain information exchange procedures.11782
- •Protect data from modification or loss while transmitting between separate parts of the system.04554
- •Review and approve information exchange system connections.07143
- •Establish, implement, and maintain measures to detect and prevent the use of unsafe internet services.13104
- •Establish, implement, and maintain whitelists and blacklists of domain names.07097
- •Block uncategorized sites using URL filtering.12140
- •Establish, implement, and maintain whitelists and blacklists of software.11780
- •Implement information flow control policies when making decisions about information sharing or collaboration.10094
- •Secure access to each system component operating system.00551
- •Separate user functionality from system management functionality.11858
- •Control all methods of remote access and teleworking.00559
- •Establish, implement, and maintain a remote access and teleworking program.04545
- •Control remote access through a network access control.01421
- •Employ multifactor authentication for remote access to the organization's network.12505
- •Implement multifactor authentication techniques.00561
- •Monitor and evaluate all remote access usage.00563
- •Manage the use of encryption controls and cryptographic controls.00570
- •Employ cryptographic controls that comply with applicable requirements.12491
- •Establish, implement, and maintain digital signatures.13828
- •Establish, implement, and maintain an encryption management and cryptographic controls policy.04546
- •Encrypt in scope data or in scope information, as necessary.04824
- •Provide guidance to customers on how to securely transmit, store, and update cryptographic keys.12040
- •Establish, implement, and maintain cryptographic key management procedures.00571
- •Generate strong cryptographic keys.01299
- •Generate unique cryptographic keys for each user.12169
- •Include the establishment of cryptographic keys in the cryptographic key management procedures.06540
- •Disseminate and communicate cryptographic keys securely.01300
- •Store cryptographic keys securely.01298
- •Restrict access to cryptographic keys.01297
- •Store cryptographic keys in encrypted format.06084
- •Store key-encrypting keys and data-encrypting keys in different locations.06085
- •Change cryptographic keys in accordance with organizational standards.01302
- •Control cryptographic keys with split knowledge and dual control.01304
- •Prevent the unauthorized substitution of cryptographic keys.01305
- •Manage outdated cryptographic keys, compromised cryptographic keys, or revoked cryptographic keys.06852
- •Replace known or suspected compromised cryptographic keys immediately.01306
- •Require key custodians to sign the key custodian's roles and responsibilities.11820
- •Establish, implement, and maintain requirements for Personal Identity Verification authentication certificates.06587
- •Establish a Root Certification Authority to support the Public Key Infrastructure.07084
- •Establish, implement, and maintain Public Key certificate procedures.07085
- •Use strong data encryption to transmit in scope data or in scope information, as necessary.00564
- •Ensure restricted data or restricted information are encrypted prior to or at the time of transmission.01749
- •Configure the encryption strength to be appropriate for the encryption methodology of the cryptographic controls.12492
- •Encrypt traffic over networks with trusted cryptographic keys.12490
- •Establish trusted paths to transmit restricted data or restricted information over public networks or wireless networks.00568
- •Protect application services information transmitted over a public network from unauthorized modification.12021
- •Establish, implement, and maintain a malicious code protection program.00574
- •Install security and protection software, as necessary.00575
- •Scan for malicious code, as necessary.11941
- •Remove malware when malicious code is discovered.13691
- •Log and react to all malicious code activity.07072
- •Analyze the behavior and characteristics of the malicious code.10672
- •Lock antivirus configurations.10047
- •Establish, implement, and maintain an application security policy.06438
- •Conduct application security reviews, as necessary.06298
- •Include all vulnerabilities in the application security review.12036
- •Assign application security reviews for web-facing applications to an organization that specializes in application security.12035
- •Correct all found deficiencies according to organizational standards after a web application policy compliance review.06299
- •Re-evaluate the web application after deficiencies have been corrected.06300
- •Establish, implement, and maintain a virtual environment and shared resources security program.06551
- •Establish, implement, and maintain a shared resources management program.07096
- •Physical and environmental protection00709
- •Establish, implement, and maintain a physical security program.11757
- •Establish, implement, and maintain physical security procedures.13076
- •Establish, implement, and maintain an anti-tamper protection program.10638
- •Monitor for evidence of when tampering indicators are being identified.11905
- •Inspect device surfaces to detect tampering.11868
- •Inspect device surfaces to detect unauthorized substitution.11869
- •Protect assets from tampering or unapproved substitution.11902
- •Establish, implement, and maintain a facility physical security program.00711
- •Maintain all physical security systems.02206
- •Identify and document physical access controls for all physical entry points.01637
- •Control physical access to (and within) the facility.01329
- •Establish, implement, and maintain physical access procedures.13629
- •Secure physical entry points with physical access controls or security guards.01640
- •Establish, implement, and maintain a visitor access permission policy.06699
- •Escort visitors within the facility, as necessary.06417
- •Authorize visitors before granting entry to physical areas containing restricted data or restricted information.01330
- •Maintain and review facility access lists of personnel who have been granted authorized entry to (and within) facilities that contain restricted data or restricted information.01436
- •Change access requirements to organizational assets for personnel and visitors, as necessary.12463
- •Authorize physical access to sensitive areas based on job functions.12462
- •Establish, implement, and maintain physical identification procedures.00713
- •Manage visitor identification inside the facility.11670
- •Issue visitor identification badges to all non-employees.00543
- •Retrieve visitor identification badges prior to the exit of a visitor from the facility.01331
- •Establish, implement, and maintain identification issuance procedures for identification cards or badges.06598
- •Restrict access to the badge system to authorized personnel.12043
- •Establish, implement, and maintain identification mechanism termination procedures.06306
- •Use locks to protect against unauthorized physical access.06342
- •Use locks with electronic authentication systems or cipher locks, as necessary.06650
- •Establish, implement, and maintain a lock and access mechanism inventory (keys, lock combinations, or key cards) for all physical access control systems.00748
- •Implement physical security standards for mainframe rooms or data centers.00749
- •Establish, implement, and maintain a guideline for working in a secure area.04538
- •Monitor for unauthorized physical access at physical entry points and physical exit points.01638
- •Establish and maintain a visitor log.00715
- •Record the visitor's name in the visitor log.00557
- •Record the visitor's organization in the visitor log.12121
- •Record the onsite personnel authorizing physical access for the visitor in the visitor log.12466
- •Retain all records in the visitor log as prescribed by law.00572
- •Establish, implement, and maintain a physical access log.12080
- •Observe restricted areas with motion detectors or closed-circuit television systems.01328
- •Review and correlate all data collected from video cameras and/or access control mechanisms with other entries.11609
- •Retain video events according to Records Management procedures.06304
- •Monitor physical entry point alarms.01639
- •Establish, implement, and maintain physical security controls for distributed assets.00718
- •Control the transiting and internal distribution or external distribution of assets.00963
- •Obtain management authorization for restricted storage media transit or distribution from a controlled access area.00964
- •Transport restricted media using a delivery method that can be tracked.11777
- •Restrict physical access to distributed assets.11865
- •Protect electronic storage media with physical access controls.00720
- •Establish, implement, and maintain removable storage media controls.06680
- •Control access to restricted storage media.04889
- •Physically secure all electronic storage media that store restricted data or restricted information.11664
- •Log the transfer of removable storage media.12322
- •Establish, implement, and maintain storage media access control procedures.00959
- •Require removable storage media be in the custody of an authorized individual.12319
- •Control the storage of restricted storage media.00965
- •Store removable storage media containing restricted data or restricted information using electronic media storage cabinets or electronic media storage vaults.00717
- •Protect distributed assets against theft.06799
- •Control the delivery of assets through physical entry points and physical exit points.01441
- •Establish, implement, and maintain off-site physical controls for all distributed assets.04539
- •Establish, implement, and maintain mobile device security guidelines.04723
- •Include prohibiting the usage of unapproved application stores in the mobile device security guidelines.12290
- •Encrypt information stored on mobile devices.01422
- •Separate systems that transmit, process, or store restricted data from those that do not by deploying physical access controls.00722
- •Establish, implement, and maintain asset return procedures.04537
- •Require the return of all assets upon notification an individual is terminated.06679
- •Install and maintain network jacks and outlet boxes.08635
- •Implement physical controls to restrict access to publicly accessible network jacks.11989
- •Enable network jacks at the patch panel, as necessary.06305
- •Implement logical controls to enable network jacks, as necessary.11934
- •Establish, implement, and maintain an environmental control program.00724
- •Establish, implement, and maintain environmental control procedures.12246
- •Protect power equipment and power cabling from damage or destruction.01438
- •Establish, implement, and maintain facility maintenance procedures.00710
- •Design the Information Technology facility with consideration given to natural disasters and man-made disasters.00712
- •Design the Information Technology facility with a low profile.16140
- •Build critical facilities according to applicable building codes.06366
- •Build critical facilities with fire resistant materials.06365
- •Define selection criteria for facility locations.06351
- •Establish, implement, and maintain a fire prevention and fire suppression standard.06695
- •Install and maintain fire protection equipment.00728
- •Install and maintain fire suppression systems.00729
- •Conduct periodic fire marshal inspections for all organizational facilities.04888
- •Install and maintain fire-retarding divisions such as fire doors in accordance with applicable building codes.06362
- •Conduct fire drills, as necessary.13985
- •Employ environmental protections.12570
- •Monitor and review environmental protections.12571
- •Establish, implement, and maintain a Heating Ventilation and Air Conditioning system.00727
- •Install and maintain a moisture control system as a part of the climate control system.06694
- •Operational and Systems Continuity00731
- •Establish, implement, and maintain a business continuity program.13210
- •Involve auditors in reviewing and testing the business continuity program.13211
- •Establish, implement, and maintain a business continuity policy.12405
- •Establish, implement, and maintain a business continuity testing policy.13235
- •Address all documentation requirements of the Business Continuity Plan testing program in the business continuity testing strategy.13257
- •Establish, implement, and maintain a continuity framework.00732
- •Establish and maintain the scope of the continuity framework.11908
- •Identify all stakeholders critical to the continuity of operations.12741
- •Explain any exclusions to the scope of the continuity framework.12236
- •Include the organization's business products and services in the scope of the continuity framework.12235
- •Include business units in the scope of the continuity framework.11898
- •Include information security continuity in the scope of the continuity framework.12009
- •Establish and maintain a list of interested personnel and affected parties with whom to disseminate and communicate the continuity framework.12242
- •Take into account applicable requirements when establishing, implementing, and maintaining the continuity framework.11907
- •Include Quality Management in the continuity framework.12239
- •Establish and maintain a system continuity plan philosophy.00734
- •Define the executive vision of the continuity planning process.01243
- •Include a pandemic plan in the continuity plan.06800
- •Establish, implement, and maintain continuity roles and responsibilities.00733
- •Coordinate continuity planning with other business units responsible for related plans.01386
- •Include continuity wrap-up procedures and continuity normalization procedures during continuity planning.00761
- •Establish, implement, and maintain a continuity plan.00752
- •Activate the continuity plan if the damage assessment report indicates the activation criterion has been met.01373
- •Report changes in the continuity plan to senior management.12757
- •Execute fail-safe procedures when an emergency occurs.07108
- •Lead or manage business continuity and system continuity, as necessary.12240
- •Allocate financial resources to implement the continuity plan, as necessary.12993
- •Include the continuity strategy in the continuity plan.13189
- •Restore systems and environments to be operational.13476
- •Include roles and responsibilities in the continuity plan, as necessary.13254
- •Document and use the lessons learned to update the continuity plan.10037
- •Monitor and evaluate business continuity management system performance.12410
- •Record business continuity management system performance for posterity.12411
- •Coordinate continuity planning with community organizations, as necessary.13259
- •Include incident management procedures in the continuity plan.13244
- •Include the use of virtual meeting tools in the continuity plan.14390
- •Include the annual statement based on the continuity plan review in the continuity plan.12775
- •Document the uninterrupted power requirements for all in scope systems.06707
- •Install an Uninterruptible Power Supply sized to support all critical systems.00725
- •Document all supporting information in the continuity plan, such as purpose, scope, and requirements.01371
- •Approve the continuity plan requirements before documenting the continuity plan.12778
- •Establish, implement, and maintain the organization's call tree.01167
- •Establish, implement, and maintain damage assessment procedures.01267
- •Establish, implement, and maintain a recovery plan.13288
- •Notify interested personnel and affected parties of updates to the recovery plan.13302
- •Test the recovery plan, as necessary.13290
- •Test the backup information, as necessary.13303
- •Document lessons learned from testing the recovery plan or an actual event.13301
- •Include restoration procedures in the continuity plan.01169
- •Include risk prioritized recovery procedures for each business unit in the recovery plan.01166
- •Include the recovery plan in the continuity plan.01377
- •Disseminate and communicate the recovery status of the contingency plan to interested personnel and affected parties.12758
- •Establish, implement, and maintain organizational facility continuity plans.02224
- •Install and maintain redundant power supplies for critical facilities.06355
- •Install and maintain Emergency Power Supply shutdown devices or Emergency Power Supply shutdown switches.01439
- •Establish, implement, and maintain system continuity plan strategies.00735
- •Include emergency operating procedures in the continuity plan.11694
- •Include a system acquisition process for critical systems in the emergency mode operation plan.01369
- •Define and prioritize critical business functions.00736
- •Review and prioritize the importance of each business unit.01165
- •Review and prioritize the importance of each business process.11689
- •Document the mean time to failure for system components.10684
- •Conduct a risk assessment on reciprocal agreements that provide for recovery capabilities.12759
- •Establish, implement, and maintain Recovery Time Objectives for all in scope services.12241
- •Establish, implement, and maintain Recovery Time Objectives for all in scope systems.11688
- •Define and prioritize critical business records.11687
- •Identify all critical business records.00737
- •Include the protection of personnel in the continuity plan.06378
- •Establish, implement, and maintain a critical personnel list.00739
- •Identify alternate personnel for each person on the critical personnel list.12771
- •Define the triggering events for when to activate the pandemic plan.06801
- •Establish, implement, and maintain a critical third party list.06815
- •Disseminate and communicate critical third party dependencies to interested personnel and affected parties.06816
- •Establish, implement, and maintain a critical resource list.00740
- •Define and maintain continuity Service Level Agreements for all critical resources.00741
- •Establish and maintain a core supply inventory required to support critical business functions.04890
- •Include server continuity procedures in the continuity plan.01379
- •Include telecommunications continuity procedures in the continuity plan.11691
- •Include system continuity procedures in the continuity plan.01268
- •Include Internet Service Provider continuity procedures in the continuity plan.00743
- •Include Wide Area Network continuity procedures in the continuity plan.01294
- •Refrain from sharing a single point of failure between the alternate telecommunications service providers and the primary telecommunications service providers.01397
- •Separate the alternate telecommunications service providers from the primary telecommunications service providers through geographic separation, so as to not be susceptible to the same hazards.01399
- •Include emergency power continuity procedures in the continuity plan.01254
- •Include evacuation procedures in the continuity plan.12773
- •Include damaged site continuity procedures that cover continuing operations in a partially functional primary facility in the continuity plan.01374
- •Establish, implement, and maintain physical hazard segregation or removal procedures.01248
- •Designate an alternate facility in the continuity plan.00742
- •Separate the alternate facility from the primary facility through geographic separation.01394
- •Outline explicit mitigation actions for facility accessibility issues that might take place when an area-wide disruption occurs or an area-wide disaster occurs.01391
- •Include technical preparation considerations for backup operations in the continuity plan.01250
- •Establish, implement, and maintain backup procedures for in scope systems.01258
- •Determine which data elements to back up.13483
- •Establish and maintain off-site electronic media storage facilities.00957
- •Separate the off-site electronic media storage facilities from the primary facility through geographic separation.01390
- •Outline explicit mitigation actions for potential off-site electronic media storage facilities accessibility issues for when area-wide disruptions occur or area-wide disasters occur.01393
- •Review the security of the off-site electronic media storage facilities, as necessary.00573
- •Store backup media at an off-site electronic media storage facility.01332
- •Transport backup media in lockable electronic media storage containers.01264
- •Identify the access methods for backup media at both the primary facility and the off-site electronic media storage facility.01257
- •Store backup vital records in a manner that is accessible for emergency retrieval.12765
- •Perform backup procedures for in scope systems.11692
- •Encrypt backup data.00958
- •Log the execution of each backup.00956
- •Test backup media for media integrity and information integrity, as necessary.01401
- •Test each restored system for media integrity and information integrity.01920
- •Include emergency communications procedures in the continuity plan.00750
- •Include managing multiple responding organizations in the emergency communications procedure.01249
- •Maintain contact information for key third parties in a readily accessible manner.12764
- •Log important conversations conducted during emergencies with third parties.12763
- •Identify the appropriate staff to route external communications to in the emergency communications procedures.12762
- •Identify who can speak to the media in the emergency communications procedures.12761
- •Use available financial resources for the efficaciousness of the service continuity strategy.01370
- •Include the ability to obtain additional liquidity in the continuity plan.12770
- •Include purchasing insurance in the continuity plan.00762
- •Obtain an insurance policy that covers business interruptions applicable to organizational needs and geography.06682
- •Review the insurance coverage of the insurance policy, as necessary.12688
- •Disseminate and communicate the continuity plan to interested personnel and affected parties.00760
- •Store an up-to-date copy of the continuity plan at the alternate facility.01171
- •Establish, implement, and maintain a pandemic plan.13214
- •Match emergency policies to the level of disruption anticipated in the pandemic plan.14375
- •Identify employees who have family members who are first responders or medical personnel.14389
- •Identify tasks that can be accomplished at alternate work sites.14393
- •Include work that will be suspended during the pandemic in the pandemic plan.14380
- •Include alternate work locations in the pandemic plan.14376
- •Assign pandemic planning roles and responsibilities, as necessary.13230
- •Include a compensation plan in the pandemic plan.13231
- •Revalidate exceptions to the pandemic plan, as necessary.14395
- •Approve exceptions to the pandemic plan, as necessary.14392
- •Include a list of which emergency policies will preempt organizational policies during a pandemic in the pandemic plan.14374
- •Prepare the alternate facility for an emergency offsite relocation.00744
- •Establish, implement, and maintain Service Level Agreements for all alternate facilities.00745
- •Include that the shared service provider will not oversubscribe their services in the Service Level Agreement.04892
- •Include emergency scalability for services, capacity, and capability in the shared service provider's Service Level Agreement.04893
- •Configure the alternate facility to meet the least needed operational capabilities.01395
- •Protect backup systems and restoration systems at the alternate facility.04883
- •Train personnel on the continuity plan.00759
- •Include stay at home order training in the continuity plan training.14382
- •Include avoiding unnecessary travel in the stay at home order training.14388
- •Include personal protection in continuity plan training.14394
- •Establish, implement, and maintain a business continuity plan testing program.14829
- •Establish, implement, and maintain a continuity test plan.04896
- •Include test scenarios in the continuity test plan.13506
- •Test the continuity plan, as necessary.00755
- •Include coverage of all major components in the scope of testing the continuity plan.12767
- •Include third party recovery services in the scope of testing the continuity plan.12766
- •Validate the emergency communications procedures during continuity plan tests.12777
- •Include the coordination and interfaces among third parties in the coverage of the scope of testing the continuity plan.12769
- •Test the continuity plan under conditions that simulate a disaster or disruption.00757
- •Validate the evacuation plans during continuity plan tests.12760
- •Test the continuity plan at the alternate facility.01174
- •Coordinate testing the continuity plan with all applicable business units and critical business functions.01388
- •Review all third party's continuity plan test results.01365
- •Document the continuity plan test results and provide them to interested personnel and affected parties.06548
- •Human Resources management00763
- •Establish, implement, and maintain high level operational roles and responsibilities.00806
- •Assign the roles and responsibilities of management in establishing, implementing, and maintaining the information security program.13112
- •Define and assign the Board of Directors roles and responsibilities and senior management roles and responsibilities, including signing off on key policies and procedures.00807
- •Define and assign the Chief Information Officer's roles and responsibilities.00808
- •Define and assign the Information Technology staff's roles and responsibilities.00809
- •Define and assign the technology security leader's roles and responsibilities.01897
- •Define and assign the Chief Security Officer's roles and responsibilities.06431
- •Establish and maintain an Information Technology steering committee.12706
- •Convene the Information Technology steering committee, as necessary.12730
- •Assign reviewing investments to the Information Technology steering committee, as necessary.13625
- •Define and assign workforce roles and responsibilities.13267
- •Establish, implement, and maintain cybersecurity roles and responsibilities.13201
- •Assign roles and responsibilities for physical security, as necessary.13113
- •Define and assign roles and responsibilities for those involved in risk management.13660
- •Assign the roles and responsibilities for the change control program.13118
- •Identify and define all critical roles.00777
- •Assign responsibility for cyber threat intelligence.12746
- •Define and assign the data controller's roles and responsibilities.00471
- •Assign the role of data controller to applicable controls.00354
- •Assign the role of the Quality Management committee to applicable controls.00769
- •Assign interested personnel to the Quality Management committee.07193
- •Assign the role of fire protection management to applicable controls.04891
- •Define and assign roles and responsibilities for dispute resolution.13626
- •Analyze workforce management.12844
- •Identify root causes of staffing shortages, if any exist.13276
- •Establish, implement, and maintain a personnel management program.14018
- •Establish, implement, and maintain a succession plan for organizational leaders and support personnel.11822
- •Establish, implement, and maintain onboarding procedures for new hires.11760
- •Train all new hires, as necessary.06673
- •Establish, implement, and maintain a personnel security program.10628
- •Establish, implement, and maintain security clearance level criteria.00780
- •Employ individuals who have the appropriate staff qualifications, staff clearances, and staff competencies.00782
- •Establish, implement, and maintain personnel screening procedures.11700
- •Perform a background check during personnel screening.11758
- •Perform a criminal records check during personnel screening.06643
- •Perform an academic records check during personnel screening.06647
- •Perform a curriculum vitae check during personnel screening.06660
- •Document the personnel risk assessment results.11764
- •Establish, implement, and maintain security clearance procedures.00783
- •Perform periodic background checks on designated roles, as necessary.11759
- •Establish, implement, and maintain personnel status change and termination procedures.06549
- •Notify terminated individuals of applicable, legally binding post-employment requirements.10630
- •Enforce the information security responsibilities and duties that remain valid after termination or change of employment.11992
- •Update contact information of any individual undergoing a personnel status change, as necessary.12692
- •Establish and maintain the staff structure in line with the strategic plan.00764
- •Document and communicate role descriptions to all applicable personnel.00776
- •Assign and staff all roles appropriately.00784
- •Delegate authority for specific processes, as necessary.06780
- •Implement a staff rotation plan.12772
- •Place Information Technology operations in a position to support the business model.00766
- •Implement personnel supervisory practices.00773
- •Implement segregation of duties in roles and responsibilities.00774
- •Establish, implement, and maintain segregation of duties compensating controls if segregation of duties is not practical.06960
- •Evaluate the staffing requirements regularly.00775
- •Establish and maintain relationships with critical stakeholders, business functions, and leadership outside the in scope staff.00779
- •Establish job categorization criteria, job recruitment criteria, and promotion criteria.00781
- •Establish, implement, and maintain a compensation, reward, and recognition program.12806
- •Use rewards and career development to motivate personnel.06906
- •Train all personnel and third parties, as necessary.00785
- •Establish, implement, and maintain an education methodology.06671
- •Support certification programs as viable training programs.13268
- •Retrain all personnel, as necessary.01362
- •Tailor training to meet published guidance on the subject being taught.02217
- •Tailor training to be taught at each person's level of responsibility.06674
- •Conduct cross-training or staff backup training to minimize dependency on critical individuals.00786
- •Document all training in a training record.01423
- •Conduct tests and evaluate training.06672
- •Review the current published guidance and awareness and training programs.01245
- •Establish, implement, and maintain training plans.00828
- •Train personnel to recognize conditions of diseases or sicknesses, as necessary.14383
- •Include prevention techniques in training regarding diseases or sicknesses.14387
- •Include the concept of disease clusters when training to recognize conditions of diseases or sicknesses.14386
- •Train personnel to identify and communicate symptoms of exposure to disease or sickness.14385
- •Develop or acquire content to update the training plans.12867
- •Include ethical culture in the training plan, as necessary.12801
- •Include duties and responsibilities in the training plan, as necessary.12800
- •Conduct bespoke roles and responsibilities training, as necessary.13192
- •Conduct personal data processing training.13757
- •Establish, implement, and maintain a security awareness program.11746
- •Include configuration management procedures in the security awareness program.13967
- •Document security awareness requirements.12146
- •Include updates on emerging issues in the security awareness program.13184
- •Include cybersecurity in the security awareness program.13183
- •Include training based on the participants' level of responsibility and access level in the security awareness program.11802
- •Document the goals of the security awareness program.12145
- •Disseminate and communicate the security awareness program to all interested personnel and affected parties.00823
- •Train all personnel and third parties on how to recognize and report security incidents.01211
- •Require personnel to acknowledge, through writing their signature, that they have read and understand the organization's security policies.01363
- •Conduct secure coding and development training for developers.06822
- •Conduct tampering prevention training.11875
- •Include the mandate to refrain from installing, refrain from replacing, and refrain from returning any asset absent verification in the tampering prevention training.11877
- •Include how to identify and authenticate third parties claiming to be maintenance personnel in the tampering prevention training.11876
- •Include how to report tampering and unauthorized substitution in the tampering prevention training.11879
- •Include how to prevent physical tampering in the tampering prevention training.11878
- •Train interested personnel and affected parties to collect digital forensic evidence.08658
- •Analyze and evaluate training records to improve the training program.06380
- •Establish, implement, and maintain an occupational health and safety management system.16201
- •Establish, implement, and maintain an occupational health and safety policy.00716
- •Establish, implement, and maintain health and safety personnel disinfecting procedures.06802
- •Provide protective face masks for critical personnel, as necessary.06803
- •Establish, implement, and maintain food handling procedures.11765
- •Vaccinate critical employees, as necessary.06805
- •Establish, implement, and maintain a travel program for all personnel.10597
- •Establish, implement, and maintain a process to identify any potential health hazards, environmental hazards, or safety hazards, that could affect personnel while traveling internationally.06076
- •Establish, implement, and maintain a Code of Conduct.04897
- •Include the information security responsibilities of the organization and the individual in the Terms and Conditions of employment.12029
- •Take disciplinary actions against individuals who violate the Code of Conduct.06435
- •Require personnel to sign the Code of Conduct as a part of the Terms and Conditions of employment.06664
- •Establish, implement, and maintain performance reviews.14777
- •Conduct staff performance reviews, as necessary.07205
- •Establish, implement, and maintain an ethics program.11496
- •Establish, implement, and maintain an ethical culture.12781
- •Establish mechanisms for whistleblowers to report compliance violations.06806
- •Refrain from assigning roles and responsibilities that breach segregation of duties.12055
- •Operational management00805
- •Establish, implement, and maintain a capacity management plan.11751
- •Establish, implement, and maintain a capacity planning baseline.13492
- •Establish, implement, and maintain future system capacity forecasting methods.01617
- •Align critical Information Technology resource availability planning with capacity planning.01618
- •Forecast system workloads.00938
- •Utilize resource capacity management controls.00939
- •Manage cloud services.13144
- •Protect clients' hosted environments.11862
- •Notify cloud customers of the geographic locations of the cloud service organization and its assets.13037
- •Establish, implement, and maintain cloud service agreements.13157
- •Establish, implement, and maintain cloud management procedures.13149
- •Establish, implement, and maintain a cloud service usage standard.13143
- •Include the roles and responsibilities of cloud service users in the cloud service usage standard.13984
- •Monitor managing cloud services.13150
- •Disseminate and communicate documentation of pertinent monitoring capabilities to interested personnel and affected parties.13159
- •Disseminate and communicate the legal jurisdiction of cloud services to interested personnel and affected parties.13147
- •Document the organization's business processes.13035
- •Establish, implement, and maintain a Governance, Risk, and Compliance framework.01406
- •Include enterprise architecture in the Governance, Risk, and Compliance framework.13266
- •Acquire resources necessary to support Governance, Risk, and Compliance.12861
- •Evaluate the use of technology in supporting Governance, Risk, and Compliance capabilities.12895
- •Analyze the effect of the Governance, Risk, and Compliance capability to achieve organizational objectives.12809
- •Assign accountability for maintaining the Governance, Risk, and Compliance framework.12523
- •Assign defining the program for disseminating and communicating the Governance, Risk, and Compliance framework.12524
- •Establish, implement, and maintain a positive information control environment.00813
- •Establish, implement, and maintain an internal control framework.00820
- •Measure policy compliance when reviewing the internal control framework.06442
- •Assign resources to implement the internal control framework.00816
- •Establish, implement, and maintain a baseline of internal controls.12415
- •Include procedures for continuous quality improvement in the internal control framework.00819
- •Include threat assessment in the internal control framework.01347
- •Include vulnerability management and risk assessment in the internal control framework.13102
- •Automate vulnerability management, as necessary.11730
- •Include continuous security warning monitoring procedures in the internal control framework.01358
- •Include security information sharing procedures in the internal control framework.06489
- •Share security information with interested personnel and affected parties.11732
- •Include incident response escalation procedures in the internal control framework.11745
- •Include continuous user account management procedures in the internal control framework.01360
- •Authorize and document all exceptions to the internal control framework.06781
- •Disseminate and communicate the internal control framework to all interested personnel and affected parties.15229
- •Establish, implement, and maintain an information security program.00812
- •Include technical safeguards in the information security program.12374
- •Include system development in the information security program.12389
- •Include system acquisition in the information security program.12387
- •Include communication management in the information security program.12384
- •Include a continuous monitoring program in the information security program.14323
- •Include risk management in the information security program.12378
- •Provide management direction and support for the information security program.11999
- •Monitor and review the effectiveness of the information security program.12744
- •Establish, implement, and maintain an information security policy.11740
- •Align the information security policy with the organization's risk acceptance level.13042
- •Include a commitment to the information security requirements in the information security policy.13496
- •Include information security objectives in the information security policy.13493
- •Approve the information security policy at the organization's management level or higher.11737
- •Establish, implement, and maintain information security procedures.12006
- •Document the roles and responsibilities for all activities that protect restricted data in the information security procedures.12304
- •Assign ownership of the information security program to the appropriate role.00814
- •Assign the responsibility for establishing, implementing, and maintaining the information security program to the appropriate role.11884
- •Assign information security responsibilities to interested personnel and affected parties in the information security program.11885
- •Assign the responsibility for distributing the information security program to the appropriate role.11883
- •Disseminate and communicate the information security policy to interested personnel and affected parties.11739
- •Establish, implement, and maintain operational control procedures.00831
- •Establish, implement, and maintain a Standard Operating Procedures Manual.00826
- •Include information sharing procedures in standard operating procedures.12974
- •Disseminate and communicate the Standard Operating Procedures Manual to all interested personnel and affected parties.12026
- •Establish, implement, and maintain a job scheduling methodology.00834
- •Establish, implement, and maintain a data processing continuity plan.00836
- •Establish, implement, and maintain the Acceptable Use Policy.01350
- •Include that explicit management authorization must be given for the use of all technologies and their documentation in the Acceptable Use Policy.01351
- •Include requiring users to protect restricted data in accordance with the Governance, Risk, and Compliance framework in the Acceptable Use Policy.11894
- •Include Bring Your Own Device usage in the Acceptable Use Policy.12293
- •Include Bring Your Own Device security guidelines in the Acceptable Use Policy.01352
- •Include asset tags in the Acceptable Use Policy.01354
- •Include asset use policies in the Acceptable Use Policy.01355
- •Include authority for access authorization lists for assets in all relevant Acceptable Use Policies.11872
- •Include access control mechanisms in the Acceptable Use Policy.01353
- •Include temporary activation of remote access technologies for third parties in the Acceptable Use Policy.11892
- •Include prohibiting the copying or moving of restricted data from its original source onto local hard drives or removable storage media in the Acceptable Use Policy.11893
- •Correlate the Acceptable Use Policy with the network security policy.01356
- •Include appropriate network locations for each technology in the Acceptable Use Policy.11881
- •Correlate the Acceptable Use Policy with the approved product list.01357
- •Include disciplinary actions in the Acceptable Use Policy.00296
- •Include a software installation policy in the Acceptable Use Policy.06749
- •Document idle session termination and logout for remote access technologies in the Acceptable Use Policy.12472
- •Disseminate and communicate the Acceptable Use Policy to all interested personnel and affected parties.12431
- •Establish, implement, and maintain an e-mail policy.06439
- •Include business use of personal e-mail in the e-mail policy.14381
- •Protect policies, standards, and procedures from unauthorized modification or disclosure.10603
- •Establish, implement, and maintain nondisclosure agreements.04536
- •Require interested personnel and affected parties to sign nondisclosure agreements.06667
- •Require interested personnel and affected parties to re-sign nondisclosure agreements, as necessary.06669
- •Implement and comply with the Governance, Risk, and Compliance framework.00818
- •Analyze the organizational culture.12899
- •Include individual commitment to the organization's Governance, Risk, and Compliance framework in the analysis of the organizational culture.12922
- •Establish, implement, and maintain consequences for non-compliance with the organizational compliance framework.11747
- •Comply with all implemented policies in the organization's compliance framework.06384
- •Review systems for compliance with organizational information security policies.12004
- •Disseminate and communicate the Governance, Risk, and Compliance framework to all interested personnel and affected parties.00815
- •Establish, implement, and maintain a Service Management System.13889
- •Establish, implement, and maintain a service management program.11388
- •Include the service management objectives in the service management program.11389
- •Include the service requirements in the service management program.11390
- •Include known limitations in the service management program.11391
- •Include all resources needed to achieve the objectives in the service management program.11394
- •Include all technologies used to support service management in the service management program.11398
- •Establish, implement, and maintain a network management program.13123
- •Document the network design in the network management program.13135
- •Establish, implement, and maintain an Asset Management program.06630
- •Assign an information owner to organizational assets, as necessary.12729
- •Establish, implement, and maintain classification schemes for all systems and assets.01902
- •Apply security controls to each level of the information classification standard.01903
- •Define confidentiality controls.01908
- •Establish, implement, and maintain the systems' availability level.01905
- •Establish, implement, and maintain the systems' integrity level.01906
- •Define availability controls.01911
- •Classify assets according to the Asset Classification Policy.07186
- •Apply asset protection mechanisms for all assets according to their assigned Asset Classification Policy.07184
- •Establish, implement, and maintain an asset inventory.06631
- •Establish, implement, and maintain an Information Technology inventory with asset discovery audit trails.00689
- •Include each Information System's system boundaries in the Information Technology inventory.00695
- •Establish, implement, and maintain a hardware asset inventory.00691
- •Include network equipment in the Information Technology inventory.00693
- •Include mobile devices that store restricted data or restricted information in the Information Technology inventory.04719
- •Include software in the Information Technology inventory.00692
- •Establish and maintain a list of authorized software and versions required for each system.12093
- •Establish, implement, and maintain a storage media inventory.00694
- •Include all electronic storage media containing restricted data or restricted information in the storage media inventory.00962
- •Establish, implement, and maintain a records inventory and database inventory.01260
- •Record the make, model of device for applicable assets in the asset inventory.12465
- •Record the physical location for applicable assets in the asset inventory.06634
- •Record the manufacturer's serial number for applicable assets in the asset inventory.06635
- •Record the owner for applicable assets in the asset inventory.06640
- •Record all changes to assets in the asset inventory.12190
- •Establish, implement, and maintain a software accountability policy.00868
- •Establish, implement, and maintain software asset management procedures.00895
- •Establish, implement, and maintain a system redeployment program.06276
- •Wipe all data on systems prior to when the system is redeployed or the system is disposed.06401
- •Establish, implement, and maintain a system disposal program.14431
- •Establish, implement, and maintain a system preventive maintenance program.00885
- •Establish and maintain maintenance reports.11749
- •Conduct maintenance with authorized personnel.01434
- •Acquire spare parts prior to when maintenance requests are scheduled.11833
- •Perform periodic maintenance according to organizational standards.01435
- •Calibrate assets according to the calibration procedures for the asset.06203
- •Post calibration limits or calibration tolerances on or near assets requiring calibration.06204
- •Dispose of hardware and software at their life cycle end.06278
- •Establish, implement, and maintain a customer service program.00846
- •Establish, implement, and maintain an Incident Management program.00853
- •Define and assign the roles and responsibilities for Incident Management program.13055
- •Include incident escalation procedures in the Incident Management program.00856
- •Define the characteristics of the Incident Management program.00855
- •Include the criteria for an incident in the Incident Management program.12173
- •Include detection procedures in the Incident Management program.00588
- •Categorize the incident following an incident response.13208
- •Define and document impact thresholds to be used in categorizing incidents.10033
- •Determine the incident severity level when assessing the security incidents.01650
- •Identify root causes of incidents that force system changes.13482
- •Respond to and triage when an incident is detected.06942
- •Document the incident and any relevant evidence in the incident report.08659
- •Respond to all alerts from security systems in a timely manner.06434
- •Coordinate incident response activities with interested personnel and affected parties.13196
- •Contain the incident to prevent further loss.01751
- •Assess all incidents to determine what information was accessed.01226
- •Check the precursors and indicators when assessing the security incidents.01761
- •Share incident information with interested personnel and affected parties.01212
- •Share data loss event information with the media.01759
- •Include data loss event notifications in the Incident Response program.00364
- •Include legal requirements for data loss event notifications in the Incident Response program.11954
- •Notify interested personnel and affected parties of the privacy breach that affects their personal data.00365
- •Establish, implement, and maintain incident response notifications.12975
- •Include information required by law in incident response notifications.00802
- •Include a "What We Are Doing" heading in the breach notification.12982
- •Include what the organization has done to enhance data protection controls in incident response notifications.04736
- •Include incident recovery procedures in the Incident Management program.01758
- •Establish, implement, and maintain a restoration log.12745
- •Analyze security violations in Suspicious Activity Reports.00591
- •Update the incident response procedures using the lessons learned.01233
- •Include incident monitoring procedures in the Incident Management program.01207
- •Include incident response procedures in the Incident Management program.01218
- •Integrate configuration management procedures into the incident management program.13647
- •Include incident management procedures in the Incident Management program.12689
- •Establish, implement, and maintain temporary and emergency access authorization procedures.00858
- •Include after-action analysis procedures in the Incident Management program.01219
- •Conduct incident investigations, as necessary.13826
- •Analyze the behaviors of individuals involved in the incident during incident investigations.14042
- •Interview suspects during incident investigations, as necessary.14041
- •Interview victims and witnesses during incident investigations, as necessary.14038
- •Establish, implement, and maintain incident management audit logs.13514
- •Log incidents in the Incident Management audit log.00857
- •Include the organizational functions affected by disruption in the Incident Management audit log.12238
- •Include the organization's business products and services affected by disruptions in the Incident Management audit log.12234
- •Include incident record closure procedures in the Incident Management program.01620
- •Include incident reporting procedures in the Incident Management program.11772
- •Establish, implement, and maintain a customer service business function.00847
- •Confirm the customer agrees with the resolution process associated with the complaint.13630
- •Document the resolution of issues reported to customer service.12918
- •Investigate and take action regarding help desk queries.06324
- •Log help desk queries.00848
- •Establish, implement, and maintain help desk query escalation procedures.00849
- •Establish, implement, and maintain help desk query clearance procedures.00850
- •Establish, implement, and maintain help desk query trend analysis procedures.00851
- •Provide customer security advice, as necessary.13674
- •Establish, implement, and maintain an Incident Response program.00579
- •Create an incident response report following an incident response.12700
- •Include the number of customers that were affected by the incident in the incident response report.12727
- •Include the scope of the incident in the incident response report.12717
- •Include the reasons the incident occurred in the incident response report.12711
- •Include lessons learned from the incident in the incident response report.12713
- •Include corrective action taken to eradicate the incident in the incident response report.12708
- •Include a description of the impact the incident had on operations in the incident response report.12703
- •Include a root cause analysis of the incident in the incident response report.12701
- •Define target resolution times for incident response in the Incident Response program.13072
- •Analyze and respond to security alerts.12504
- •Mitigate reported incidents.12973
- •Establish, implement, and maintain an incident response plan.12056
- •Establish, implement, and maintain a cyber incident response plan.13286
- •Include incident response team structures in the Incident Response program.01237
- •Include the incident response team member's roles and responsibilities in the Incident Response program.01652
- •Include the incident response point of contact's roles and responsibilities in the Incident Response program.01877
- •Notify interested personnel and affected parties that a security breach was detected.11788
- •Include the organizational incident response public relations point of contact's roles and responsibilities in the Incident Response program.01885
- •Assign the distribution of security alerts to the appropriate role in the incident response program.11887
- •Assign monitoring and analyzing the security alert when a security alert is received to the appropriate role in the incident response program.11886
- •Assign establishing, implementing, and maintaining incident response procedures to the appropriate role in the incident response program.12473
- •Assign the distribution of incident response procedures to the appropriate role in the incident response program.12474
- •Include personnel contact information in the event of an incident in the Incident Response program.06385
- •Include what information interested personnel and affected parties need in the event of an incident in the Incident Response program.11789
- •Include procedures for providing updated status information to the crisis management team in the incident response plan.12776
- •Include coverage of all system components in the Incident Response program.11955
- •Include incident response team services in the Incident Response program.11766
- •Include the incident response training program in the Incident Response program.06750
- •Incorporate realistic exercises that are tested into the incident response training program.06753
- •Conduct incident response training.11889
- •Establish, implement, and maintain incident response procedures.01206
- •Include references to industry best practices in the incident response procedures.11956
- •Include responding to alerts from security monitoring systems in the incident response procedures.11949
- •Include business continuity procedures in the Incident Response program.06433
- •Coordinate backup procedures as defined in the system continuity plan with backup procedures necessary for incident response procedures.06432
- •Establish trust between the incident response team and the end user community during an incident.01217
- •Include business recovery procedures in the Incident Response program.11774
- •Establish, implement, and maintain a digital forensic evidence framework.08652
- •Retain collected evidence for potential future legal actions.01235
- •Establish, implement, and maintain a chain of custody for all devices containing digital forensic evidence.08686
- •Define the business scenarios that require digital forensic evidence.08653
- •Define the circumstances for collecting digital forensic evidence.08657
- •Conduct forensic investigations in the event of a security compromise.11951
- •Contact affected parties to participate in forensic investigations, as necessary.12343
- •Identify potential sources of digital forensic evidence.08651
- •Document the legal requirements for evidence collection.08654
- •Establish, implement, and maintain a digital forensic evidence collection program.08655
- •Establish, implement, and maintain secure storage and handling of evidence procedures.08656
- •Prepare digital forensic equipment.08688
- •Use digital forensic equipment suitable to the circumstances.08690
- •Test the operation of the digital forensic equipment prior to use.08694
- •Collect evidence from the incident scene.02236
- •Include documentation of the system containing and surrounding digital forensic evidence in the forensic investigation report.08679
- •Secure devices containing digital forensic evidence.08681
- •Use a write blocker to prevent digital forensic evidence from being modified.08692
- •Create a system image of the device before collecting digital forensic evidence.08673
- •Disseminate and communicate the incident response procedures to all interested personnel and affected parties.01215
- •Disseminate and communicate the final incident report, which includes the investigation results and any remediation activity results.12306
- •Test the incident response procedures.01216
- •Establish, implement, and maintain a performance management standard.01615
- •Establish, implement, and maintain future system performance forecasting methods.11775
- •Utilize resource availability management controls.00940
- •Establish, implement, and maintain rate limiting filters.06883
- •Establish, implement, and maintain system capacity monitoring procedures.01619
- •Establish, implement, and maintain system performance monitoring procedures.11752
- •Establish, implement, and maintain a collection management program.14013
- •Receive and follow up on information collection requests.14075
- •Track status of information collection requests.14265
- •Validate the link between critical information requirements and intelligence requirements in information collection requests.14090
- •Develop information requirements for following up on information collection requests.14077
- •Submit information collection requests for processing.14259
- •Solicit feedback on the follow up quality of information requests.14254
- •Disseminate information collected using collection resources to all interested personnel and affected parties.14089
- •Establish, implement, and maintain a collection plan.14021
- •Document changes to the collection plan that affect collection assets.14079
- •Include collection requirements in the collection plan.14036
- •Review collection requirements in the collection plan, as necessary.14088
- •Modify collection requirements, as necessary.14076
- •Include collection plans in other governance documents, as necessary.14261
- •Request discipline-specific exploitation for information collected using collection resources.14087
- •Request discipline-specific processing for information collected using collection resources.14085
- •Allocate collection assets as defined in the collection plan.14083
- •Monitor collection activities.14046
- •Evaluate the effectiveness of collection assets against the collection plan.14082
- •Evaluate the effectiveness of collection operations against the collection plan.14043
- •Compile lessons learned from collection management activity's execution of the collection plan.14264
- •Optimize collection resources, as necessary.14086
- •Adjust collection operations or the collection plan itself, as necessary.14080
- •Communicate the collection management program to all interested personnel and affected parties.14263
- •Link collection requirements to assets and resources in the collection plan.14040
- •Establish and maintain electronic target folders, as necessary.14320
- •Provide feedback regarding the collection management program to all interested personnel and affected parties.14262
- •Provide language analysis support, as necessary.14084
- •Transcribe voice materials, as necessary.14260
- •Establish, implement, and maintain a Service Level Agreement framework.00839
- •Include exceptions in the Service Level Agreements, as necessary.13912
- •Include the appropriate aspects of the Quality Management program in the Service Level Agreement.00845
- •Include the organizational structure for service level management in the Service Level Agreement framework.13633
- •Include capacity planning in Service Level Agreements.13096
- •Include Operational Level Agreements within Service Level Agreements, as necessary.13631
- •Include funding sources in Service Level Agreements, as necessary.13632
- •Include business requirements of delivered services in the Service Level Agreement.00840
- •Include performance requirements in the Service Level Agreement.00841
- •Include the service levels for network services in the Service Level Agreement.12024
- •Include availability requirements in Service Level Agreements.13095
- •Establish, implement, and maintain a cost management program.13638
- •Establish, implement, and maintain cost management procedures.00873
- •Update the business cases for cost management procedures, as necessary.13642
- •Perform an impact assessment of any deviations found in the cost management procedures.13641
- •Identify deviations in cost management procedures.13640
- •Identify and allocate departmental costs.00871
- •Establish, implement, and maintain an Information Technology financial management framework.01610
- •Prepare an Information Technology budget, as necessary.00872
- •Review and approve the Information Technology budget.13644
- •Update the Information Technology budget, as necessary.13643
- •Justify the system's cost and benefit.00874
- •Compare actual Information Technology costs to forecasted Information Technology budgets.11753
- •Establish, implement, and maintain a change control program.00886
- •Include potential consequences of unintended changes in the change control program.12243
- •Include version control in the change control program.13119
- •Separate the production environment from development environment or test environment for the change control process.11864
- •Integrate configuration management procedures into the change control program.13646
- •Establish, implement, and maintain a back-out plan.13623
- •Establish, implement, and maintain back-out procedures for each proposed change in a change request.00373
- •Approve back-out plans, as necessary.13627
- •Manage change requests.00887
- •Include documentation of the impact level of proposed changes in the change request.11942
- •Document all change requests in change request forms.06794
- •Examine all changes to ensure they correspond with the change request.12345
- •Approve tested change requests.11783
- •Disseminate and communicate proposed changes to all interested personnel and affected parties.06807
- •Establish, implement, and maintain emergency change procedures.00890
- •Perform emergency changes, as necessary.12707
- •Log emergency changes after they have been performed.12733
- •Perform risk assessments prior to approving change requests.00888
- •Implement changes according to the change control program.11776
- •Provide audit trails for all approved changes.13120
- •Establish, implement, and maintain a patch management program.00896
- •Implement patch management software, as necessary.12094
- •Establish, implement, and maintain a patch log.01642
- •Deploy software patches in accordance with organizational standards.07032
- •Patch software.11825
- •Update computer firmware, as necessary.11755
- •Implement cryptographic mechanisms to authenticate software and computer firmware before installation.10682
- •Mitigate the adverse effects of unauthorized changes.12244
- •Establish, implement, and maintain approved change acceptance testing procedures.06391
- •Test the system's operational functionality after implementing approved changes.06294
- •Perform and pass acceptance testing before moving a system back into operation after an approved change has occurred.04541
- •Update associated documentation after the system configuration has been changed.00891
- •Establish, implement, and maintain production process control procedures.06209
- •Establish, implement, and maintain a service delivery and production process Quality Management program.07194
- •Assign interested personnel and affected parties to service delivery and production process quality improvement projects, as necessary.07197
- •Document the organization's local environments.06726
- •Establish, implement, and maintain local environment security profiles.07037
- •Include the technology used in the local environment in the local environment security profile.07040
- •Manage the creation of products and services, as necessary.13497
- •Define the processing activities to meet products and services creation requirements.13499
- •Establish and maintain a service catalog.13634
- •Include a service description in the service catalog.13917
- •Include Service Level Agreements in the service catalog, as necessary.13636
- •Include Information Technology services in the service catalog, as necessary.13635
- •Base definitions of Information Technology services on their service characteristics.13655
- •Conduct official proceedings, as necessary.13836
- •Support legal counsel during the judicial process.14019
- •System hardening through configuration management00860
- •Establish, implement, and maintain a Configuration Management program.00867
- •Establish, implement, and maintain a configuration management plan.01901
- •Employ the Configuration Management program.11904
- •Record Configuration Management items in the Configuration Management database.00861
- •Disseminate and communicate the configuration management program to all interested personnel and affected parties.11946
- •Establish, implement, and maintain a configuration baseline based on the least functionality principle.00862
- •Identify and document the system's Configurable Items.02133
- •Define the relationships and dependencies between Configurable Items.02134
- •Establish, implement, and maintain a system hardening standard.00876
- •Establish, implement, and maintain configuration standards for all systems based upon industry best practices.11953
- •Include common security parameter settings in the configuration standards for all systems.12544
- •Apply configuration standards to all systems, as necessary.12503
- •Configure security parameter settings on all system components appropriately.12041
- •Establish, implement, and maintain system hardening procedures.12001
- •Configure session timeout and reauthentication settings according to organizational standards.12460
- •Use the latest approved version of all software.00897
- •Install critical security updates and important security updates in a timely manner.01696
- •Change default configurations, as necessary.00877
- •Reconfigure the encryption keys from their default setting or previous setting.06079
- •Establish, implement, and maintain procedures to standardize operating system software installation.00869
- •Configure virtual networks in accordance with the information security policy.13165
- •Configure Simple Network Management Protocol (SNMP) to organizational standards.12423
- •Change the community string for Simple Network Management Protocol, as necessary.01872
- •Configure the system's storage media.10618
- •Configure the system's electronic storage media's encryption settings.11927
- •Implement only one application or primary function per network component or server.00879
- •Remove all unnecessary functionality.00882
- •Document that all enabled functions support secure configurations.11985
- •Disable all unnecessary applications unless otherwise noted in a policy exception.04827
- •Install and enable public Instant Messaging clients as necessary.02173
- •Disable all unnecessary services unless otherwise noted in a policy exception.00880
- •Disable telnet unless telnet use is absolutely necessary.01478
- •Configure the settings of the system registry and the systems objects (for Windows OS only).01781
- •Configure the system to protect against source-routing spoofing.01793
- •Establish, implement, and maintain authenticators.15305
- •Establish, implement, and maintain an authenticator standard.01702
- •Establish, implement, and maintain an authenticator management system.12031
- •Establish, implement, and maintain authenticator procedures.12002
- •Configure authenticators to comply with organizational standards.06412
- •Configure the system to require new users to change their authenticator on first use.05268
- •Configure the system to encrypt authenticators.06735
- •Configure the "minimum number of digits required for new passwords" setting to organizational standards.08717
- •Configure the "minimum number of upper case characters required for new passwords" setting to organizational standards.08718
- •Configure the "minimum number of lower case characters required for new passwords" setting to organizational standards.08719
- •Configure the "minimum number of special characters required for new passwords" setting to organizational standards.08720
- •Change all default authenticators.15309
- •Configure the system security parameters to prevent system misuse or information misappropriation.00881
- •Configure the system account settings and the permission settings in accordance with the organizational standards.01538
- •Configure user accounts.07036
- •Remove unnecessary default accounts.01539
- •Disable or delete shared User IDs.12478
- •Disable or delete generic user IDs.12479
- •Disable all unnecessary user identifiers.02185
- •Configure accounts with administrative privilege.07033
- •Employ multifactor authentication for accounts with administrative privilege.12496
- •Encrypt non-console administrative access.00883
- •Invoke a strong encryption method before requesting an authenticator.11986
- •Establish, implement, and maintain network parameter modification procedures.01517
- •Create an access control list on Network Access and Control Points to restrict access.04810
- •Configure the time server in accordance with organizational standards.06426
- •Configure the time server to synchronize with specifically designated hosts.06427
- •Restrict access to time server configuration to personnel with a business need.06858
- •Keep current the time synchronization technology.12548
- •Configure mobile device settings in accordance with organizational standards.04600
- •Configure mobile devices to enable remote wipe.12212
- •Certify the system before releasing it into a production environment.06419
- •Establish, implement, and maintain virtualization configuration settings.07110
- •Implement the security features of hypervisor to protect virtual machines.12176
- •Configure Services settings to organizational standards.07434
- •Configure the "Group Policy Client" to organizational standards.07522
- •Configure Account settings in accordance with organizational standards.07603
- •Configure the "Account lockout threshold" to organizational standards.07604
- •Configure the "Account lockout duration" to organizational standards.07771
- •Configure system integrity settings to organizational standards.07605
- •Configure the "Turn on script execution" to organizational standards.08411
- •Configure Logging settings in accordance with organizational standards.07611
- •Configure the security parameters for all logs.01712
- •Configure the log to capture audit log initialization, along with auditable event selection.00649
- •Configure the detailed data elements to be captured for all logs so that events are identified by type, location, subject, user, what data was accessed, etc.06331
- •Configure the log to capture creates, reads, updates, or deletes of records containing personal data.11890
- •Configure the log to capture the user's identification.01334
- •Configure the log to capture a date and time stamp.01336
- •Configure the log to capture each auditable event's origination.01338
- •Configure the log to uniquely identify each asset.01339
- •Configure the log to capture the type of each event.06423
- •Configure the log to capture each event's success or failure indication.06424
- •Configure all logs to capture auditable events or actionable events.06332
- •Configure the log to capture logons, logouts, logon attempts, and logout attempts.01915
- •Configure the log to capture access to restricted data or restricted information.00644
- •Configure the log to capture actions taken by individuals with root privileges or administrative privileges and add logging option to the root file system.00645
- •Configure the log to capture identification and authentication mechanism use.00648
- •Configure the log to capture all access to the audit trail.00646
- •Configure the log to capture Object access to key directories or key files.01697
- •Configure the log to capture system level object creation and deletion.00650
- •Configure the log to capture configuration changes.06881
- •Log, monitor, and review all changes to time settings on critical systems.11608
- •Configure the log to capture changes to User privileges, audit policies, and trust policies by enabling audit policy changes.01698
- •Configure the "Audit Policy: DS Access: Directory Service Replication" to organizational standards.07734
- •Configure Key, Certificate, Password, Authentication and Identity Management settings in accordance with organizational standards.07621
- •Configure the "Maximum password age" to organizational standards.07688
- •Configure the "Minimum password length" to organizational standards.07711
- •Configure the "Password must meet complexity requirements" to organizational standards.07743
- •Configure the "Enforce password history" to organizational standards.07877
- •Configure security and protection software according to Organizational Standards.11917
- •Configure security and protection software to automatically run at startup.12443
- •Configure security and protection software to check for up-to-date signature files.00576
- •Configure security and protection software to enable automatic updates.11945
- •Configure File Integrity Monitoring Software to Organizational Standards.11923
- •Configure the file integrity monitoring software to perform critical file comparisons, as necessary.11924
- •Configure network switches to organizational standards.12120
- •Audit the configuration of organizational assets, as necessary.13653
- •Audit assets after maintenance was performed.13657
- •Records management00902
- •Establish, implement, and maintain a translation management program.14316
- •Translate graphic materials, as necessary.14324
- •Establish, implement, and maintain an information management program.14315
- •Establish, implement, and maintain records management policies.00903
- •Establish, implement, and maintain a record classification scheme for forms.00911
- •Establish, implement, and maintain form creation, management, and distribution procedures.06393
- •Establish, implement, and maintain a record classification scheme.00914
- •Allocate record identifiers to reference the records as a part of document tracking.11662
- •Define each system's preservation requirements for records and logs.00904
- •Establish, implement, and maintain a data retention program.00906
- •Select the appropriate format for archived data and records.06320
- •Determine how long to keep records and logs before disposing them.11661
- •Retain records in accordance with applicable requirements.00968
- •Establish, implement, and maintain storage media disposition and destruction procedures.11657
- •Sanitize electronic storage media in accordance with organizational standards.16464
- •Destroy electronic storage media following the storage media disposition and destruction procedures.00970
- •Define each system's disposition requirements for records and logs.11651
- •Establish, implement, and maintain records disposition procedures.00971
- •Remove and/or destroy records according to the records' retention event and retention period schedule.06621
- •Place printed records awaiting destruction into secure containers.12464
- •Destroy printed records so they cannot be reconstructed.11779
- •Automate a programmatic process to remove stored data and records that exceed retention requirements.06082
- •Include methods to identify records that meet or exceed the record's retention event in the records disposition procedures.11962
- •Establish, implement, and maintain records management procedures.11619
- •Review the information that the organization collects, processes, and stores, as necessary.12988
- •Review the information classification of the information that the organization collects, processes, and stores, as necessary.13008
- •Review the electronic storage media for the information the organization collects and processes.13009
- •Establish, implement, and maintain source document error handling tracking.01263
- •Establish, implement, and maintain data accuracy controls.00921
- •Protect records from loss in accordance with applicable requirements.12007
- •Establish, implement, and maintain data completeness controls.11649
- •Capture the records required by organizational compliance requirements.00912
- •Assign the appropriate information classification to records imported into the Records Management system.04555
- •Include record integrity techniques in the records management procedures.06418
- •Control error handling when data is being inputted.00922
- •Establish, implement, and maintain data processing integrity controls.00923
- •Establish, implement, and maintain Automated Data Processing validation checks and editing checks.00924
- •Establish, implement, and maintain document security requirements for the output of records.11656
- •Establish, implement, and maintain electronic storage media management procedures.00931
- •Establish and maintain access controls for all records.00371
- •Establish, implement, and maintain a records lifecycle management program.00951
- •Establish, implement, and maintain information preservation procedures.06277
- •Implement and maintain backups and duplicate copies of organizational records.00953
- •Establish, implement, and maintain online storage controls.00942
- •Establish, implement, and maintain security controls appropriate to the record types and electronic storage media.00943
- •Store records on non-rewritable, non-erasable storage media formats, as necessary.00944
- •Provide encryption for different types of electronic storage media.00945
- •Establish, implement, and maintain a removable storage media log.12317
- •Include the date and time in the removable storage media log.12318
- •Include the number of physical media used for the data transfer in the removable storage media log.12754
- •Include the recipient's name for the data transfer in the removable storage media log.12753
- •Include the sender's name in the removable storage media log.12752
- •Include the type of physical media being used for the data transfer in the removable storage media log.12751
- •Establish, implement, and maintain output distribution procedures.00927
- •Establish, implement, and maintain document retention procedures.11660
- •Physically secure printed records.11778
- •Establish, implement, and maintain an e-discovery program.00976
- •Establish, implement, and maintain a document retrieval system to use during e-discovery.00985
- •Systems design, build, and implementation00989
- •Establish, implement, and maintain a System Development Life Cycle program.11823
- •Perform a feasibility study for product requests.06895
- •Assign senior management to approve the cost benefit analysis in the feasibility study.13069
- •Include information security throughout the system development life cycle.12042
- •Initiate the System Development Life Cycle planning phase.06266
- •Establish, implement, and maintain research and development plans.13649
- •Establish, implement, and maintain system design principles and system design guidelines.01057
- •Establish, implement, and maintain a security controls definition document.01080
- •Include identified risks and legal requirements in the security controls definition document.11743
- •Include naming conventions in system design guidelines.13656
- •Define and assign the system development project team roles and responsibilities.01061
- •Disseminate and communicate system development roles and responsibilities to interested personnel and affected parties.01062
- •Redesign business activities to support the system implementation.01067
- •Establish, implement, and maintain a source data collection design specification.01070
- •Establish, implement, and maintain a system use training plan.01089
- •Train the affected users during system development life cycle projects.01091
- •Establish and maintain System Development Life Cycle documentation.12079
- •Define and document organizational structures for the System Development Life Cycle program.12549
- •Include system maintenance responsibilities in the System Development Life Cycle documentation.12556
- •Include system and network monitoring responsibilities in the System Development Life Cycle documentation.12557
- •Define and document organizational structures for system and network monitoring.12554
- •Establish, implement, and maintain a full set of system procedures.01074
- •Establish, implement, and maintain a database management standard.01079
- •Establish, implement, and maintain system design requirements.06618
- •Identify all stakeholders who may influence the System Development Life Cycle.06922
- •Document stakeholder requirements and how they influence system design requirements.06925
- •Compare system design requirements against system design requests.06619
- •Resolve conflicting design and development inputs.13703
- •Design and develop built-in redundancies, as necessary.13064
- •Identify and document system design constraints.06923
- •Identify and document limitations that the implementation technology and the implementation strategy puts on the system design solution.06928
- •Include performance criteria in the system requirements specification.11540
- •Include product upgrade methodologies in the system requirements specification.11563
- •Establish, implement, and maintain a system design project management framework.00990
- •Conduct a preliminary investigation before new system development projects begin.01025
- •Define and document the nature and scope of all new system development projects.01026
- •Update infrastructure resources when system development project requirements change.06900
- •Establish, implement, and maintain a conceptual model of the organization's business activities prior to developing systems.01028
- •Obtain approval from appropriate parties for system design projects.01033
- •Analyze existing systems during preliminary investigations for system design projects.01043
- •Analyze the proposed effects of modifications or additions on the existing systems during the preliminary investigation of system design projects.01045
- •Assess the continuity requirements during the planning and development stage for new products and services.12779
- •Identify system design strategies.01046
- •Reassess staffing needs while identifying the system design strategies.01053
- •Adopt a system design strategy after examining the strategic options and tactical options.01054
- •Disseminate and communicate the adopted system design strategy to interested personnel and affected parties.01055
- •Establish, implement, and maintain a system requirements specification.01035
- •Include relevant resources needed for the system design project in the system requirements specification.01036
- •Include pertinent legal requirements in the system requirements specification.01037
- •Include privacy requirements in the system requirements specification.01040
- •Include file format standards in the system requirements specification.01041
- •Conduct a project feasibility study prior to designing a system.01613
- •Include the threats and risks associated with the system development project in the project feasibility study.11797
- •Establish, implement, and maintain project management standards.00992
- •Include participation by each affected user department in the implementation phase of the project plan.00993
- •Include budgeting for projects in the project management standard.13136
- •Formally approve the initiation of each project phase.00997
- •Establish, implement, and maintain integrated project plans.01056
- •Perform a risk assessment for each system development project.01000
- •Establish, implement, and maintain a project control program.01612
- •Establish, implement, and maintain a project test plan.01001
- •Establish, implement, and maintain a project team plan.06533
- •Identify accreditation tasks.00999
- •Conduct a post implementation review when the system design project ends.01003
- •Separate the design and development environment from the production environment.06088
- •Initiate the System Development Life Cycle development phase or System Development Life Cycle build phase.06267
- •Develop systems in accordance with the system design specifications and system design standards.01094
- •Develop new products based on best practices.01095
- •Establish, implement, and maintain a system design specification.04557
- •Document the system architecture in the system design specification.12287
- •Include communication links in the system design specification.08665
- •Include a description of each module and asset in the system design specification.11734
- •Include supporting software requirements in the system design specification.08664
- •Include threat models in the system design specification.06829
- •Include security requirements in the system design specification.06826
- •Establish, implement, and maintain coding guidelines.08661
- •Establish, implement, and maintain human interface guidelines.08662
- •Establish and maintain User Interface documentation.12204
- •Include measurable system performance requirements in the system design specification.08667
- •Include the data structure in the system design specification.08669
- •Assign appropriate parties to approve the system design specification.13070
- •Implement security controls when developing systems.06270
- •Implement a hardware security module, as necessary.12222
- •Establish, implement, and maintain an acceptable use policy for the hardware security module.12247
- •Include roles and responsibilities in the acceptable use policy for the hardware security module.12264
- •Include administrative responsibilities in the acceptable use policy for the hardware security module.12260
- •Establish and maintain a cryptographic architecture document.12476
- •Include the algorithms used in the cryptographic architecture document.12483
- •Include an inventory of all protected areas in the cryptographic architecture document.12486
- •Include a description of the key usage for each key in the cryptographic architecture document.12484
- •Include descriptions of all cryptographic keys in the cryptographic architecture document.12487
- •Include descriptions of the cryptographic key strength of all cryptographic keys in the cryptographic architecture document.12488
- •Include each cryptographic key's expiration date in the cryptographic architecture document.12489
- •Include the protocols used in the cryptographic architecture document.12485
- •Follow security design requirements when developing systems.06827
- •Establish, implement, and maintain a system implementation representation document.04558
- •Design the security architecture.06269
- •Implement software development version controls.01098
- •Follow the system development process when upgrading a system.01059
- •Conduct a design review at each milestone or quality gate.01087
- •Reassess the system design after the product has been tested.01088
- •Approve the design methodology before moving forward on the system design project.01060
- •Perform source code analysis at each milestone or quality gate.06832
- •Monitor the development environment for when malicious code is discovered.06396
- •Establish and maintain system security documentation.06271
- •Establish and maintain access rights to source code based upon least privilege.06962
- •Develop new products based on secure coding techniques.11733
- •Establish and maintain a coding manual for secure coding techniques.11863
- •Protect applications from improper access control through secure coding techniques in source code.11959
- •Protect applications from improper error handling through secure coding techniques in source code.11937
- •Protect applications from insecure communications through secure coding techniques in source code.11936
- •Protect applications from injection flaws through secure coding techniques in source code.11944
- •Control user account management through secure coding techniques in source code.11909
- •Restrict direct access of databases to the database administrator through secure coding techniques in source code.11933
- •Protect applications from buffer overflows through secure coding techniques in source code.11943
- •Protect applications from cross-site scripting through secure coding techniques in source code.11899
- •Protect against coding vulnerabilities through secure coding techniques in source code.11897
- •Protect applications from broken authentication and session management through secure coding techniques in source code.11896
- •Protect applications from insecure cryptographic storage through secure coding techniques in source code.11935
- •Protect applications from cross-site request forgery through secure coding techniques in source code.11895
- •Address known coding vulnerabilities as a part of secure coding techniques.12493
- •Include all confidentiality, integrity, and availability functions in the system design specification.04556
- •Establish and maintain the overall system development project management roles and responsibilities.00991
- •Disseminate and communicate continuously and routinely regarding system development project requirements.06899
- •Perform Quality Management on all newly developed or modified systems.01100
- •Evaluate system development projects for compliance with the system requirements specifications.06903
- •Establish, implement, and maintain a system testing policy.01102
- •Configure the test environment similar to the production environment.06837
- •Establish, implement, and maintain parallel testing criteria and pilot testing criteria.01107
- •Establish, implement, and maintain system testing procedures.11744
- •Restrict production data from being used in the test environment.01103
- •Control the test data used in the development environment.12013
- •Test all software changes before promoting the system to a production environment.01106
- •Test security functionality during the development process.12015
- •Include system performance in the scope of system testing.12624
- •Include security controls in the scope of system testing.12623
- •Review and test custom code to identify potential coding vulnerabilities.01316
- •Review and test source code.01086
- •Assign the review of custom code changes to individuals other than the code author.06291
- •Correct code anomalies and code deficiencies in custom code and retest before release.06292
- •Approve all custom code test results before code is released.06293
- •Perform Quality Management on all newly developed or modified software.11798
- •Establish, implement, and maintain a system testing program for all system development projects.01101
- •Develop the system in a timely manner and cost-effective way.06908
- •Identify new technologies and critical processes during system development projects.06907
- •Develop Natural Language Processing tools, as necessary.14063
- •Document requirements and feedback when developing language processing tools.14081
- •Initiate the System Development Life Cycle implementation phase.06268
- •Establish, implement, and maintain a system implementation standard.01111
- •Deploy applications based on best practices.12738
- •Select implementation strategies based on the system design requirements.01113
- •Establish, implement, and maintain an implementation plan.01114
- •Approve implementation plans, as necessary.13628
- •Plan and document the Certification and Accreditation process.11767
- •Install and integrate the system components according to the system implementation standard.06930
- •Document the system implementation integration process.06931
- •Perform a final system test prior to implementing a new system.01108
- •Involve all stakeholders in the final acceptance test.13168
- •Document the acceptance status for all products passing the System Development Life Cycle implementation phase.06211
- •Control products that do not conform to the system acceptance criteria.06212
- •Manage the system implementation process.01115
- •Establish, implement, and maintain system conversion procedures.01117
- •Establish, implement, and maintain a data conversion plan.01118
- •Establish, implement, and maintain promoting the system to a production environment procedures.01119
- •Remove test accounts prior to promoting the system to a production environment.12495
- •Remove test data prior to promoting the system to a production environment.12494
- •Evaluate and determine whether or not the newly developed system meets users' system design requirements.01120
- •Evaluate and determine whether or not the newly developed system meets security requirements.06273
- •Approve and authorize the newly implemented system.06274
- •Establish and maintain end user support communications.06615
- •Establish, implement, and maintain user documentation.12250
- •Include documentation for all systems in the user documentation.12285
- •Acquisition or sale of facilities, technology, and services01123
- •Establish, implement, and maintain a product upgrade program.12216
- •Plan for acquiring facilities, technology, or services.06892
- •Involve all stakeholders in the acquisition process.13169
- •Establish, implement, and maintain system acquisition contracts.14758
- •Include security requirements in system acquisition contracts.01124
- •Include required service levels in system acquisition contracts.11652
- •Require the Information System developer to create a Security Testing and Evaluation plan, implement the test, and provide the test results for all newly acquired assets.01447
- •Identify and include alternatives to meeting the security requirements when acquiring assets.01128
- •Conduct an acquisition feasibility study prior to acquiring assets.01129
- •Establish test environments separate from the production environment to support integration testing before product acquisition.11668
- •Establish, implement, and maintain a product and services acquisition strategy.01133
- •Establish, implement, and maintain a product and services acquisition program.01136
- •Establish, implement, and maintain acquisition approval requirements.13704
- •Include chain of custody procedures in the product and services acquisition program.10058
- •Establish, implement, and maintain a software product acquisition methodology.01138
- •Store source code documentation in escrow by an independent third party.01139
- •Review software licensing agreements to ensure compliance.01140
- •Acquire products or services.11450
- •Register new systems with the program office or other applicable stakeholder.13986
- •Establish, implement, and maintain facilities, assets, and services acceptance procedures.01144
- •Test new hardware or upgraded hardware and software against predefined performance requirements.06740
- •Test new hardware or upgraded hardware and software for implementation of security controls.06743
- •Test new software or upgraded software for security vulnerabilities.01898
- •Test new software or upgraded software for compatibility with the current system.11654
- •Test new hardware or upgraded hardware for compatibility with the current system.11655
- •Test new hardware or upgraded hardware for security vulnerabilities.01899
- •Privacy protection for information and data00008
- •Establish, implement, and maintain a privacy framework that protects restricted data.11850
- •Establish, implement, and maintain a personal data transparency program.00375
- •Establish and maintain privacy notices, as necessary.13443
- •Establish, implement, and maintain adequate openness procedures.00377
- •Register with public bodies and notify the Data Commissioner before processing personal data.00383
- •Provide the data subject with a copy of any brochures or other information that explain policies, standards, or codes.00398
- •Document the countries where restricted data may be stored.12750
- •Provide adequate structures, policies, procedures, and mechanisms to support direct access by the data subject to personal data that is provided upon request.00393
- •Provide the data subject with the means of gaining access to personal data held by the organization.00396
- •Provide the data subject with information about the right to erasure.12602
- •Provide the data subject with what personal data is made available to related organizations or subsidiaries.00399
- •Establish and maintain a disclosure accounting record.13022
- •Include what information was disclosed and to whom in the disclosure accounting record.04680
- •Include the disclosure date in the disclosure accounting record.07133
- •Include the disclosure recipient in the disclosure accounting record.07134
- •Establish, implement, and maintain a privacy policy.06281
- •Document privacy policies in clearly written and easily understood language.00376
- •Notify interested personnel and affected parties when changes are made to the privacy policy.06943
- •Document the notification of interested personnel and affected parties regarding privacy policy changes.06944
- •Disseminate and communicate the privacy policy to interested personnel and affected parties.13346
- •Establish, implement, and maintain personal data choice and consent program.12569
- •Establish and maintain disclosure authorization forms for authorization of consent to use personal data.13433
- •Establish, implement, and maintain a personal data accountability program.13432
- •Assign ownership of the privacy program to the appropriate organizational role.11848
- •Establish, implement, and maintain Binding Corporate Rules for the international transfers of restricted data.12584
- •Include privacy awareness and training in the Binding Corporate Rules.12626
- •Establish, implement, and maintain Data Processing Contracts.12650
- •Include data processor confidentiality requirements in the Data Processing Contract.12685
- •Include the stipulation that personal data will be disposed or returned to the data subject in the Data Processing Contract.12669
- •Establish, implement, and maintain a personal data use limitation program.13428
- •Establish, implement, and maintain a personal data use purpose specification.00093
- •Display or print the least amount of personal data necessary.04643
- •Notify the data subject of changes to personal data use.00105
- •Document the use of personal data as an acceptable secondary purpose when the data subject gives consent.00115
- •Establish, implement, and maintain data access procedures.00414
- •Respond to data access requests in a timely manner.00421
- •Establish, implement, and maintain procedures for individuals to be able to modify their personal data, as necessary.11811
- •Establish, implement, and maintain restricted data use limitation procedures.00128
- •Notify the data subject after personal data is used or disclosed.06247
- •Refrain from processing restricted data, as necessary.12551
- •Process restricted data lawfully and carefully.00086
- •Analyze requirements for processing personal data in contracts.12550
- •Process personal data after the data subject has granted explicit consent.00180
- •Define the exceptions to disclosure absent consent.00135
- •Disclose restricted data absent consent when it is needed by law.00163
- •Disclose personal data required by law absent consent for special cases involving security or law enforcement.04796
- •Establish, implement, and maintain personal data disposition procedures.13498
- •Remove personal data from records after receiving a personal data removal request.11972
- •Establish, implement, and maintain data disclosure procedures.00133
- •Review personal data disclosure requests.07129
- •Establish, implement, and maintain a personal data collection program.06487
- •Establish, implement, and maintain personal data collection limitation boundaries.00507
- •Establish, implement, and maintain a personal data collection policy.00029
- •Collect personal data directly from the data subject.00011
- •Collect and record restricted data for specific, explicit, and legitimate purposes.00027
- •Provide the data subject with information about the data controller during the collection process.00023
- •Provide the data subject with the third party processor's contact information when the data controller is not processing the restricted data.00026
- •Establish, implement, and maintain a data handling program.13427
- •Establish, implement, and maintain data handling policies.00353
- •Establish, implement, and maintain data and information confidentiality policies.00361
- •Prohibit personal data from being sent by e-mail or instant messaging.00565
- •Protect electronic messaging information.12022
- •Establish, implement, and maintain record structures to support information confidentiality.00360
- •Refrain from storing data elements containing payment card full magnetic stripe data.04757
- •Refrain from storing data elements containing sensitive authentication data after authorization is approved.04758
- •Render unrecoverable sensitive authentication data after authorization is approved.11952
- •Log the disclosure of personal data.06628
- •Encrypt, truncate, or tokenize data fields, as necessary.06850
- •Establish, implement, and maintain data handling procedures.11756
- •Establish, implement, and maintain a personal data transfer program.00307
- •Include procedures for transferring personal data to third parties in the personal data transfer program.00333
- •Establish, implement, and maintain a privacy impact assessment.13712
- •Review compliance with the organization's privacy objectives.13490
- •Develop remedies and sanctions for privacy policy violations.00474
- •Investigate privacy rights violation complaints.00480
- •Make appropriate inquiries and obtain appropriate information regarding privacy rights violation complaints.00493
- •Defer privacy rights violation complaint investigations under certain conditions.00487
- •Harmonization Methods and Manual of Style06095
- •Establish, implement, and maintain terminological resources.13317
- •Establish and maintain terminological entries and their definitions.13318
- •Third Party and supply chain oversight08807
- •Establish, implement, and maintain a supply chain management program.11742
- •Establish, implement, and maintain procedures for establishing, maintaining, and terminating third party contracts.00796
- •Review and update all contracts, as necessary.11612
- •Document and maintain supply chain processes.08816
- •Include contingency plans in the third party management plan.10030
- •Refrain from placing excessive reliance on third parties that provide support for service continuity.12768
- •Formalize client and third party relationships with contracts or nondisclosure agreements.00794
- •Include a nondisclosure agreement in third party contracts if a separate nondisclosure agreement does not exist.06505
- •Include a description of the product or service to be provided in third party contracts.06509
- •Establish, implement, and maintain information flow agreements with all third parties.04543
- •Include a description of the data or information to be covered in third party contracts.06510
- •Include text about access, use, disclosure, and transfer of data or information in third party contracts.11610
- •Include roles and responsibilities in third party contracts.13487
- •Include text that organizations must meet organizational compliance requirements in third party contracts.06506
- •Include compliance with the organization's access policy as a requirement in third party contracts.06507
- •Include compliance with the organization's monitoring policies as a requirement in third party contracts.06513
- •Include a reporting structure in third party contracts.06532
- •Include points of contact in third party contracts.12355
- •Include third party responsibilities for maintaining a Business Recovery and Resumption Plan in third party contracts.06516
- •Include incident management procedures and incident reporting procedures in third party contracts.01214
- •Include third party requirements for personnel security in third party contracts.00790
- •Establish, implement, and maintain third party transaction authentication procedures.00791
- •Include third party acknowledgment of their data protection responsibilities in third party contracts.01364
- •Include auditing third party security controls and compliance controls in third party contracts.01366
- •Establish the third party's service continuity.00797
- •Employ access controls that meet the organization's compliance requirements on third party systems with access to the organization's restricted data.04264
- •Maintain the third party's compliance framework to be equivalent to that of the organization's compliance requirements.06087
- •Document the organization's supply chain in the supply chain management program.09958
- •Establish and maintain a Third Party Service Provider list.12480
- •Include the services provided by each supplier in the Third Party Service Provider list.12481
- •Establish, implement, and maintain Operational Level Agreements.13637
- •Include technical processes in operational level agreements, as necessary.13639
- •Establish, implement, and maintain Service Level Agreements with the organization's supply chain.00838
- •Monitor and report on the efficacy of all Service Level Agreements using a Service Level Agreement Monitoring Chart or equivalent.00842
- •Approve all Service Level Agreements.00843
- •Enforce third party Service Level Agreements, as necessary.07098
- •Include risk management procedures in the supply chain management policy.08811
- •Perform risk assessments of third parties, as necessary.06454
- •Include a determination of the complexity of the third party relationships in the supply chain risk assessment.10024
- •Include a determination on the risks third parties pose to Information Security in the supply chain risk assessment report.10029
- •Establish, implement, and maintain a supply chain management policy.08808
- •Include the third party selection process in the supply chain management policy.13132
- •Select suppliers based on their qualifications.00795
- •Use third parties that are compliant with the applicable requirements.08818
- •Establish, implement, and maintain supply chain due diligence standards.08846
- •Commit to the supply chain due diligence process.08849
- •Schedule supply chain audits, as necessary.10015
- •Establish, implement, and maintain supply chain due diligence requirements.08853
- •Define ways a third party may be non-compliant with the organization's supply chain due diligence requirements.08870
- •Conduct all parts of the supply chain due diligence process.08854
- •Assess third parties' legal risks to the organization during due diligence.12078
- •Assess third parties' business continuity capabilities during due diligence.12077
- •Collect evidence of each supplier's supply chain due diligence processes.08855
- •Determine if suppliers can meet the organization's production requirements.11559
- •Require suppliers to meet the organization's manufacturing and integration requirements.11560
- •Include a provision in outsourcing contracts that requires supply chain members' security requirements comply with organizational security requirements.00359
- •Assess third parties' compliance environment during due diligence.13134
- •Establish and maintain a list of compliance requirements managed by the organization and correlated with those managed by supply chain members.11888
- •Request attestation of compliance from third parties.12067
- •Assess third parties' compliance with the organization's third party security policies during due diligence.12075
- •Document the third parties compliance with the organization's system hardening framework.04263
- •Validate the third parties' compliance to organizationally mandated compliance requirements.08819
- •Determine third party compliance with third party contracts.08866
- •Establish and maintain a supply chain due diligence report.08824
- •Submit the supply chain due diligence report.08828
- •Include supply chain risk assessment reports in the supply chain due diligence report.08835
- •Include the supply chain risk management process in the supply chain due diligence report.08836
- •Establish, implement, and maintain third party reporting requirements.13289
- •Assess the effectiveness of third party services provided to the organization.13142
- •Monitor third parties for performance and effectiveness, as necessary.00799
- •Review the supply chain's service delivery on a regular basis.12010
- •Establish, implement, and maintain outsourcing contracts.13124
- •Include a provision that third parties are responsible for their subcontractors in the outsourcing contract.13130
- •Establish, implement, and maintain a chain of custody or traceability system over the entire supply chain.08878
- •Establish, implement, and maintain a system of transparency and controls over the entire supply chain.08879
- •Provide products or services per customer requests.08893
- •Establish and maintain third party security forces to protect the supply chain, as necessary.08912
- •Build partnerships for third party security forces.08914
- •Establish, implement, and maintain information security controls for the supply chain.13109
Close
Starter Accounts cannot add duplicated lists to their account. Please upgrade your account to paid, then revisit the list page to copy the list to your account.
Close
Login Required
Additional details are only available to users of the Common Controls Hub.
Please log in or create an account.
Please log in or create an account.